
This is the worst password from the Ashley Madison hack

After cracking 4,000 passwords, one password floated to the top of the list. And not for the first time.
Written by Zack Whittaker, Contributor
(Image: stock image)

When hackers swiped an estimated 36 million accounts associated with AshleyMadison.com, a site which helps married people cheat on their partners, there was a rush to find out what had been stolen.

Password      Times used
123456        202
password      105
12345          99
qwerty         32
12345678       31
ashley         28
baseball       27
abc123         27
696969         23
111111         21
football       20
f**kyou        20
madison        20
a**hole        19
superman       19
f***me         19
hockey         19
123456789      19
hunter         19
harley         18

A month after the breach was reported, hackers released the first cache of stolen data. Email addresses, credit card transactions, and more were leaked on August 18. More data, released days later, included internal emails at the website's parent company, Avid Life Media.

The tens of millions of leaked passwords were not stored in the clear: they were hashed with bcrypt, a deliberately slow, salted password-hashing function. The leak therefore contains only the hashes, and the only way to recover a password from one is to guess it and check each guess against the hash, which bcrypt makes expensive. (Many other websites that have suffered leaked data have used fast, unsalted hashes such as MD5 or SHA-1, or stored passwords in plain text.) Robert Graham at Errata Security said in a blog post this was a "refreshing change," because it means users with strong passwords are "safe."

But, for weaker passwords, the same cannot be said.

Security expert Dean Pierce described in a blog post how he ran the list of hashed passwords through a so-called "cracking rig," a machine that hashes large numbers of candidate passwords and compares them against the leaked hashes, to see how many he could recover from the cache.

The results were not that surprising: the weaker passwords in use were terrible.

Pierce spent five days of automated cracking before giving up at around 4,000 recovered passwords in total, a vanishingly small fraction of the cache (roughly 0.01 percent of 36 million hashes). That is the cost of bcrypt at work: every guess has to be hashed separately for every account, so even a well-equipped rig gets through only the most obvious passwords in that time.

The most common password was "123456," which scores a zero on the imagination scale, while, perhaps worse, "password" ranked in second place. (You can download the full list from Google Drive, where Pierce uploaded the data.)

Compared with Adobe's data breach in 2013, which led to the release of 38 million Adobe usernames and passwords, the cracked AshleyMadison.com passwords are just as bad. The most popular password for almost two million Adobe customers was also "123456." (Adobe had encrypted its passwords rather than hashing them, which is why so many could be recovered at once.) It seems lessons from the past weren't learned, because when Yahoo suffered a data breach in 2012, the same password, "123456," was top of the list.

It's worth noting that in the AshleyMadison.com case, it's not clear from the data which time period the passwords are from. It's possible that AshleyMadison.com allowed weaker passwords in its early days and forced stronger passwords at sign-up later on.

There are a lot of variables at play. But there is a bottom line.

"Maybe these passwords were all throwaways," said Pierce. "It may also be infeasible to crack any given bcrypt password, but given enough users, it doesn't matter if passwords are bcrypted and salted, a ton of passwords are eventually going to pop out."
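The dynamic Pierce describes, in which a salted, slow hash stops nobody from cracking "123456" but makes every guess cost a full hash per account, is easy to see in miniature. The following is an added example written for this page, not code from the article or from Pierce's rig. bcrypt is not in Python's standard library, so it uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in slow hash with a deliberately tiny work factor (assumption: 2,000 iterations); the four accounts and the eight-entry wordlist are constructed, with three passwords taken from the article's table and one long random one.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Work factor. Deliberately tiny so the example runs in about a second;
# real bcrypt costs (2^10 to 2^14 rounds) are orders of magnitude higher.
ITERATIONS = 2000

# Constructed sample: four made-up accounts. Three use entries straight
# from the article's top-20 list; one uses a long random password.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice": "123456",
    "bob": "qwerty",
    "carol": "password",
    "dave": "Tq7!vLm9#zR2pX",
}

# Constructed wordlist: the first eight entries of the article's table.
WORDLIST: List[str] = ["123456", "password", "12345", "qwerty",
                       "12345678", "ashley", "baseball", "abc123"]


def slow_salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stand-in for bcrypt: a per-user random salt plus a deliberately slow
    key-derivation function (PBKDF2-HMAC-SHA256 from the standard library)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def store_salted(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What a bcrypt-style site stores: (salt, digest) per account."""
    return {user: slow_salted_hash(pw) for user, pw in passwords.items()}


def store_unsalted_md5(passwords: Dict[str, str]) -> Dict[str, str]:
    """What many breached sites stored instead: one fast, unsalted hash."""
    return {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in passwords.items()}


def crack_salted(records: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]):
    """Dictionary attack on salted slow hashes. Each guess must be re-hashed
    under every user's salt, so the work is (guesses tried) x (users); the
    loop stops early for a user once a guess matches."""
    cracked: Dict[str, str] = {}
    hashes_computed = 0
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            hashes_computed += 1
            _, candidate = slow_salted_hash(guess, salt)
            if hmac.compare_digest(candidate, digest):
                cracked[user] = guess
                break
    return cracked, hashes_computed


def crack_unsalted(records: Dict[str, str], wordlist: List[str]):
    """Dictionary attack on unsalted MD5. The attacker hashes the wordlist
    once, builds a lookup table, and matches every user against it: the cost
    is (guesses) regardless of how many users leaked."""
    table = {hashlib.md5(g.encode()).hexdigest(): g for g in wordlist}
    cracked = {user: table[h] for user, h in records.items() if h in table}
    return cracked, len(table)


def demo():
    """Run both attacks over the constructed sample and return the results."""
    salted_cracked, salted_cost = crack_salted(store_salted(SAMPLE_PASSWORDS), WORDLIST)
    md5_cracked, md5_cost = crack_unsalted(store_unsalted_md5(SAMPLE_PASSWORDS), WORDLIST)
    return {
        "salted": (salted_cracked, salted_cost),
        "md5": (md5_cracked, md5_cost),
    }


if __name__ == "__main__":
    for scheme, (cracked, cost) in demo().items():
        print(f"{scheme}: cracked {len(cracked)}/{len(SAMPLE_PASSWORDS)} accounts "
              f"with {cost} hash computations: {cracked}")
```

Both attacks recover the same three weak passwords and miss the strong one; the difference is the bill. Against unsalted MD5 the attacker hashes the wordlist once (eight hashes) and looks every account up in the table, so the cost does not grow with the number of victims. Against the salted slow hash the same wordlist costs fifteen hashes for four accounts, and in general guesses times accounts, which is why Pierce needed days of rig time for a few thousand results yet still got "123456" out of it.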
