Gawker leak reveals password trends

Earlier this week, blog publisher Gawker Media suffered a leak that released information about its users to the Internet. More than a million user names, email addresses, and passwords were posted online, and although the passwords were stored as hashes rather than in plain text, nearly 190,000 of those hashes were cracked and the recovered passwords published as part of the leak. The Wall Street Journal has taken a closer look at those cracked passwords to see if there’s anything to be learned, and it found a few interesting trends in the data.

As one might expect, there are loads of folks with lousy passwords. Among those that were cracked, 123456, password, and 12345678 proved the most popular. qwerty and abc123 also rank high on the list, as do the names of several Gawker sites. However, the actual percentage of people using those passwords isn’t all that high: the top three account for around 6,000 passwords, which is only about 3% of the 190,000 that were cracked.

After cross-referencing the passwords with user email addresses, the WSJ found that people with Yahoo and Gmail accounts tend to have longer passwords than Hotmail users. The authors also discovered that Gmail users pick passw0rd more often, while iloveyou is popular among folks with Hotmail and Yahoo accounts. The overall percentages for those passwords are still pretty low, though.
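Here, as an added example rather than anything from the Tech Report or the WSJ, is the kind of tallying the two paragraphs above describe, run over a small constructed `email:password` sample (the usual dump layout): the top-N passwords with their percentage share, mean password length per email domain, and the per-domain share of a given password. Every address and password in the sample is made up, and the function names are this example's own.

```python
"""Tally a leaked credential dump the way the article describes.

Added example, not code from The Tech Report or the WSJ. It works on a
constructed ``email:password`` sample (the common dump layout); none of the
addresses or passwords below are real.
"""
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample in "email:password" layout, including the kind of junk
# lines a dump usually carries (a comment line, a line with no separator).
SAMPLE_DUMP = """\
alice@gmail.com:123456
bob@hotmail.com:password
carol@yahoo.com:12345678
dave@gmail.com:passw0rd
erin@hotmail.com:iloveyou
frank@yahoo.com:iloveyou
grace@gmail.com:correct-horse-battery
heidi@hotmail.com:qwerty
ivan@example.org:123456
judy@gmail.com:Tr0ub4dor&3
mallory@hotmail.com:password
oscar@yahoo.com:lifehacker
peggy@gmail.com:123456
# cracker output often leaves comment lines like this one
this line has no separator and is skipped
"""


def parse_dump(text):
    """Return [(email, password)], skipping blank, comment and malformed lines.

    Splits on the first ':' only, so a password containing ':' is kept whole.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def top_passwords(pairs, n=3):
    """Return [(password, count, percent_of_all)] for the n most common passwords."""
    counts = Counter(pw for _, pw in pairs)
    total = sum(counts.values())
    return [(pw, c, round(100.0 * c / total, 1)) for pw, c in counts.most_common(n)]


def domain_of(email):
    """Part of the address after the last '@'."""
    return email.rsplit("@", 1)[-1]


def mean_length_by_domain(pairs):
    """Return {domain: mean password length}, the Gmail/Yahoo/Hotmail comparison."""
    lengths = defaultdict(list)
    for email, pw in pairs:
        lengths[domain_of(email)].append(len(pw))
    return {d: round(mean(v), 2) for d, v in lengths.items()}


def password_share_by_domain(pairs, password):
    """Return {domain: percent of that domain's users whose password is exactly `password`}."""
    users = Counter(domain_of(e) for e, _ in pairs)
    hits = Counter(domain_of(e) for e, pw in pairs if pw == password)
    return {d: round(100.0 * hits[d] / users[d], 1) for d in users}


if __name__ == "__main__":
    pairs = parse_dump(SAMPLE_DUMP)
    print(f"{len(pairs)} credentials parsed")
    for pw, c, pct in top_passwords(pairs):
        print(f"{pw:<12} {c:>3}  {pct:>5.1f}%")
    print("mean length by domain:", mean_length_by_domain(pairs))
    for weak in ("passw0rd", "iloveyou"):
        print(f"share of {weak!r} by domain:", password_share_by_domain(pairs, weak))
```

On the constructed sample, 123456 tops the list at about 23% and the Hotmail users average the shortest passwords, which mirrors the shape of the WSJ findings without using any of its data. Real dumps need the same defensive parsing: splitting on the first separator only, and dropping the comment and header lines cracking tools leave behind, or the statistics come out wrong.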

It’s unclear whether this particular subset was cracked because it was the easiest to crack or simply selected at random, but cracking tools recover dictionary words and short digit strings first, so a sample of cracked hashes is almost certainly skewed toward weak choices and says little about the users whose hashes were never recovered. The fact that these accounts were for Gawker’s commenting system rather than, say, a banking site, is also worth considering. I’ve long used junk email addresses and simple passwords for similar accounts, and I suspect many of Gawker’s tech-savvy users do the same.

Comments closed
    • link626
    • 9 years ago

    the list is still on TPB.

    my spam account was among those on the list.

    it’s a good rule of thumb to use spam accounts on sites like Lifehacker, Tech Report, HardOCP…

    quite a few people used their work and school email addresses. dumb.

    • yogibbear
    • 9 years ago

    SeXyP4nt5. unbeatable to this day.

    • kvndoom
    • 9 years ago

    We must go after Gawkerleaks at all costs! They are a threat to national security and international diplomacy! These scum must be jailed or assassinated!

    • ew
    • 9 years ago

    For the last couple of years I’ve been using `pwgen -1 10` to create unique passwords for anything that involves money. These passwords get stored on a sheet of paper located in a file folder and in a .jpg located in an encrypted volume on my laptop. I’ve got a few tiers of memorized passwords that I use for everything else. I’ll probably start using more randomly generated passwords with something like LastPass pretty soon.

    • FireGryphon
    • 9 years ago

    I memorize all of my passwords ’cause I figure the program or book in which I write or store my passwords will get lost or damaged, and then I’ll be in a boat load of trouble. It takes a few tries before it sinks into my memory, and it’s a pain rememorizing them when I change passwords, but I think that if we try we can remember passwords obfuscated enough to be largely secure.

    • TaBoVilla
    • 9 years ago

    ahh.. I remember my first hotmail password: ASDF. those were the days.. no hackers, nice and simple 4 char passwords..

    I’ve been adapting that ever since to requirements: 6-char pass? asdfgh. 8-char case-sensitive pass? Asdfghjk! 6 chars and numbers? asdfgh123456. 6 chars, numbers and special chars? asdfgh&123456. Etc., etc.

    Of course, these are not my passwords! Duh! Who would post their passwords on a technology news site comment section? (runs off to change important site passes, personal access keys to bank account, etc.)

    • axeman
    • 9 years ago

    DAMMIT! NOW I HAVE TO CHANGE ALL MY PASSWORDS. I was SURE ‘Jennifer’ was a pretty good password.

    As an aside, at an old workplace where we didn’t enforce password complexity and I was pretty familiar with most of the users, about 50% of the time I could guess their password when they called me, then locked their computer and went for coffee. Just have to know pet names and children’s names, and you’re set.

      • Turkina
      • 9 years ago

      Ironically, I worked at a place where we rigidly enforced password complexity, and I too could guess at a user’s password mainly because it was usually the odd jumble of letters/numbers written on a sticky note and stuck to the monitor.
      There is no substitute for user education.

    • tay
    • 9 years ago

    You have to use different passwords. I use different passwords using keepass and keepassX.

      • tay
      • 9 years ago

      f**k me, reply fail, sorry.

    • deathBOB
    • 9 years ago

    All of the Gawker properties have had weak content lately and they’ve always been terrible in a technical sense. I just went ahead and deleted my account.

    I agree with you Geoff, it’s not a banking site, it doesn’t matter.

    • SomeOtherGeek
    • 9 years ago

    Doesn’t this remind you of the Movie, Spaceballs? I got a good laugh from it.

    http://www.youtube.com/watch?v=a6iW-8xPw3k [EDIT] Oopsy daisy, I saw that #11 said the same and I totally missed it! (Giving credit where it is due)

    • flip-mode
    • 9 years ago

    Any guesses on SSK’s password?

      • SomeOtherGeek
      • 9 years ago

      MyWifeIsPhat

        • anotherengineer
        • 9 years ago

        roflcopter

    • BoBzeBuilder
    • 9 years ago

    My password is fatfarmer666. Try hacking that.

    • anotherengineer
    • 9 years ago

    SO my password is good then???

    poo_pee_or_me

    • kamikaziechameleon
    • 9 years ago

    I overhauled my important account passwords 2 years ago. looks like I couldn’t have done it soon enough.

    • 5150
    • 9 years ago

    That’s amazing! I’ve got the same combination on my luggage!

      • scpulp
      • 9 years ago

      I actually checked the comments on this post solely to make sure someone said this.

      Thank you.

      • Thrashdog
      • 9 years ago

      The kicker? That was apparently Nick Denton’s (founder of Gawker) password. Internet-savvy fail!

      • derFunkenstein
      • 9 years ago

      <3 Spaceballs. Have my next baby?

    • indeego
    • 9 years ago

    keepass/lastpass/* password manager, people <.<

      • flip-mode
      • 9 years ago

      Or just one decent password, fer crap sake. Your address: 6438Charity. Your phone: 5749823. These are easy and unique enough.

      I like simple but not so idiotic keyboard combos, like the following, right in a row, alternating shift key: 4EsZ5RdX

        • 5150
        • 9 years ago

        Sorry, phone number is not adequate. Numbers are by far the easiest to brute force.

          • flip-mode
          • 9 years ago

          I’m sure you are absolutely correct, but, it beats 12345678, right? That’s the low bar I’m hurdling with that suggestion, heh.

        • Thrashdog
        • 9 years ago

        With information like phone numbers and addresses commonly published on Facebook, LinkedIn, in WHOIS lookups, and so forth, I’m not too keen on that idea.

        Personally, I also dislike the idea of introducing a single point of failure in the form of a password database, though KeePass is already much more secure than login cookies and browser-based password management. Having that database be Internet-accessible, like LastPass, scares the crap outta me.

          • ManAtVista
          • 9 years ago

          LastPass encrypts all your information before you send it from your browser to the internet database…if your computer is slow or under load, you can actually see stuff encrypt before it is sent. I’ll trust it until I get a reason not to, instead of baseless paranoia. Having a password like “4Q*6Sv$373uu@!4g” but different, for every site is really nice, as these gawker leak style hacks are more common than any hacks against lastpass.

        • ew
        • 9 years ago

        One decent password is not enough because you rarely know how it is being handled by the places you use it. For all you know your password is being stored as clear text. All the leaked Gawker password hashes should be considered compromised due to the weakness of their hashing technique (unless your password was much longer than 8 characters).

          • Firestarter
          • 9 years ago

          Storing as clear text happens way too often. Probably because the guy in charge kept forgetting his and demanded that tech support can look up his password instead of just resetting it. That, and too many websites are made by people who don’t know or care about security.

    • Thrashdog
    • 9 years ago

    I spent a fair portion of yesterday changing passwords at a number of low-priority websites thanks to this breach. The only potentially-compromised thing of mine that was really critical was my Facebook account, and in my (meager) defense, when I created that account Facebook wasn’t

      • ImSpartacus
      • 9 years ago

      I installed LastPass because of this. Now all my important accounts (including this one) have 14 character passwords with symbols and all that jazz.

      This might’ve hurt a few people, but it’s helped a lot as well.

      As a culture, we need things to go wrong before we care to fix them. The BP Oil Spill and 9/11 attack quickly come to mind. I bet I could come up with a lot more if I thought a little longer.

        • OneArmedScissor
        • 9 years ago

        Uh…wow. We needed 9/11 and the BP oil spill like we need a comet to hit the planet. Now we just have fewer rights and some environmentalist nut jobs will invariably have their way with things they shouldn’t have.

        • indeego
        • 9 years ago

        “Now all my important accounts (including this one) have 14 character passwords with symbols and all that jazz.” Last time I tried on TR I was unable to log in to the front page (but was able to on the forum). Guess they fixed that.

          • UberGerbil
          • 9 years ago

          You’re aware the username here on the front page is case-sensitive, whereas in the forum it isn’t?

            • indeego
            • 9 years ago

            Yep, I always type it in lowercase.

    • ew
    • 9 years ago

    The passwords were encrypted but it was about the weakest kind of password encryption they could have done. No salt and no key strengthening. I wonder how TR stores passwords.

      • ImSpartacus
      • 9 years ago

      Yes, I hope this encourages websites to be more transparent on password management. I’m also interested in how TR deals with password security.
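Picking up ew’s question above about salting and key strengthening, here is an added example (not code from Gawker, the Tech Report or any commenter, and not a claim about which algorithm Gawker actually used) that contrasts an unsalted single-pass hash with a salted, iterated derivation on a constructed user table and a five-word stand-in for a cracking dictionary. Plain SHA-256 plays the part of “some fast unsalted hash” and PBKDF2-HMAC-SHA256 the part of “salt plus stretching”; the function names and user data are this example’s own.

```python
"""Unsalted single-pass hashing versus salted, stretched hashing.

Added example, not code from Gawker, The Tech Report or any commenter, and not
a claim about which algorithm Gawker actually used: plain SHA-256 stands in for
"some fast unsalted hash", PBKDF2-HMAC-SHA256 for "salt plus key stretching".
The user table and wordlist are constructed.
"""
import hashlib
import hmac
import os

# Constructed user table; alice and bob deliberately share a password.
USERS = {"alice": "iloveyou", "bob": "iloveyou", "carol": "Tr0ub4dor&3"}

# A five-word stand-in for the dictionary a cracker would feed in.
WORDLIST = ["123456", "password", "iloveyou", "qwerty", "passw0rd"]

ITERATIONS = 100_000  # stretching factor; tune so one derivation costs ~100 ms


def weak_hash(password):
    """Unsalted, single pass: the same password gives the same digest for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak(table, wordlist):
    """Hash each word once and look every stored digest up in the result.

    Cost is len(wordlist) hashes no matter how many users there are; this is the
    precomputation (rainbow-table) advantage that a per-user salt takes away.
    """
    lookup = {weak_hash(w): w for w in wordlist}
    return {user: lookup[digest] for user, digest in table.items() if digest in lookup}


def strong_hash(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


def crack_strong(table, wordlist):
    """Every guess has to be re-derived per user, with that user's own salt and cost."""
    found = {}
    for user, stored in table.items():
        for w in wordlist:
            if verify_strong(w, stored):
                found[user] = w
                break
    return found


def derivations_needed(n_users, n_words, salted):
    """Hash/KDF evaluations one full wordlist pass costs against a table of n_users."""
    return n_words if not salted else n_users * n_words


if __name__ == "__main__":
    weak = {u: weak_hash(p) for u, p in USERS.items()}
    print("alice and bob share a digest:", weak["alice"] == weak["bob"])
    print("unsalted table cracked:", crack_weak(weak, WORDLIST))

    strong = {u: strong_hash(p) for u, p in USERS.items()}
    print("alice and bob share a digest:", strong["alice"] == strong["bob"])
    print("salted table cracked:", crack_strong(strong, WORDLIST))
    print("evaluations, unsalted vs salted:",
          derivations_needed(len(USERS), len(WORDLIST), False),
          derivations_needed(len(USERS), len(WORDLIST), True),
          f"(each one {ITERATIONS}x slower)")
```

Note what the example does not show: salting and stretching do not rescue “iloveyou”. Both tables fall to the same five-word list. What changes is the attacker’s bill: one hash per dictionary word against the unsalted table, regardless of user count, versus one derivation per word per user against the salted one, each of those ITERATIONS times slower than a bare hash. That is the difference between a dump where 190,000 passwords fall out in days and one where only the genuinely weak ones do.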
