
The Top 50 Gawker Media Passwords

CmdrTaco posted more than 3 years ago | from the damn-they-guessed-mine dept.

Security 209

wiredmikey writes "Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web, but the most common password for logging into those sites is embarrassingly easy to guess: "123456." So is the runner-up: "password." On Sunday night, hackers posted online a trove of data from Gawker Media's servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords."


Not Really Sold on the Correlations (4, Informative)

eldavojohn (898314) | more than 3 years ago | (#34546856)

I don't know about the graphs and statistics they generated from this. First of all, you don't know how many out of the total set of users were stolen and the ones that were decrypted were probably the obvious ones (via rainbow tables? was Gawker using salt?). Perhaps this adds a bit of slant to any statistics generated? Anyway:

A plurality of Gawker Media passwords are six characters long, but we wondered whether that and other results might differ based on the user’s email provider. Indeed, users of Google and Yahoo’s email services are more likely than Microsoft email users to have passwords of eight or more characters.

Well, Hotmail and Yahoo! require six characters or more and Google requires eight characters or more. Explains the Google/Microsoft difference anyway: People are lazy. While your statements aren't false, I fail to see their confidence or usefulness. Or are we just trying to pat ourselves on the back for using Google and being part of the "elite?" The funny thing is that if your password is showing up here, it's just as "strong" as the other ones that fell victim to this kind of attack! Regardless of length! Take your pick, "unicorns" or "$r-P_5"?

Popular passwords vary, as well: Gmail users are bigger X-Files fans ("trustno1") and more likely to opt for the slightly clever variant "passw0rd."

Or you're just staring at random data trying to make something out of it. "Slightly clever variant"? Ha, well, whoever decrypted these passwords had that one in mind, you know that for sure. Anything even remotely clever would not show up in here.

Yahoo and Microsoft email users, meanwhile, are much more likely to get sappy with their passwords: "iloveyou."

Come on, one example leads to that kind of generalization?

Re:Not Really Sold on the Correlations (1)

initdeep (1073290) | more than 3 years ago | (#34546996)

Google may require 8 characters now, but they haven't always. I have 6-character passwords on several Gmail accounts.

and another thing i'd like to point out.
just because a person uses an "easy" password for something as trivial as a "commenting" user login, doesn't mean they use the same type of password on something more important.
anyone who used/uses the gawker commenting system knows it's a heaving pile of shit, and that may lead people to utilize simpler passwords because they routinely cannot get the system to send them "forgotten password" emails in a timely manner.
Also, my guess is many people have set up sock accounts (noooo, that never happens on commenting systems) and these accounts may very well likely be the ones with "easy" passwords and they utilize "throw away" email accounts like yahoo and msn to create them.

Perfect example: (4, Interesting)

gcnaddict (841664) | more than 3 years ago | (#34547080)

One of my disposable passwords was exposed in the leak. (you can search the cracked list. my username is listed, along with a pass circa 2007)

and today after checking my lists, I realized that I used the same password on both Slashdot (frequented!) and Digg (haven't visited since v4). Whatever, I changed it on both of these sites. I didn't bother touching it on Gawker now that I know I can't trust them to actually understand password security.

Re:Perfect example: (1)

gcnaddict (841664) | more than 3 years ago | (#34547116)

I should've probably explained that it's a perfect example because that pass was one I used for sites such as these three (gizmodo, slashdot, digg) where losing the account wouldn't be terribly detrimental. Every other site for which I have an account uses a different pass per site.

Re:Perfect example: (1)

bhcompy (1877290) | more than 3 years ago | (#34547242)

Exactly. I have different classes of passwords for different classes of sites. If my easy Slashdot password is compromised, nothing of value is lost, and no one gets the password to my bank account in the process.

Re:Perfect example: (1)

JackieBrown (987087) | more than 3 years ago | (#34547686)

I use lastpass and have a random password generated for every site I visit. I don't even think about passwords anymore.

Re:Perfect example: (0)

clone52431 (1805862) | more than 3 years ago | (#34547236)

you can search the cracked list

Link please?

Re:Perfect example: (0)

clone52431 (1805862) | more than 3 years ago | (#34547356)

Never mind, I found it:

http://www.slate.com/id/2277768/ [slate.com]

Re:Perfect example: (4, Informative)

butalearner (1235200) | more than 3 years ago | (#34547566)

If you want to check yourself, head to this Google Fusion table [google.com]

Instructions are right there on the page, but you take the md5sum of your email address (e.g. "echo -n email@address.com | md5sum") and check it against the list (click "Show Options" and selected MD5 = . This doesn't mean your password was decrypted, but at the very least the encrypted version is out there. You can check this other Google Fusion table [google.com] for your password.

Re:Perfect example: (1)

butalearner (1235200) | more than 3 years ago | (#34547636)

check it against the list (click "Show Options" and select MD5 = [your md5 hash here]).

Fixed that for me.

Re:Perfect example: (0)

Anonymous Coward | more than 3 years ago | (#34547668)

Thanks - that is the link I needed. It's funny; I never trusted Gawker for some reason and never created an account. On the few occasions where I wanted to post something I used my Facebook login. It feels really odd to say this, but using facebook kept me more secure. My account is not part of the leak (I did check my facebook account there, but of course Gawker never knew the password on that account and it wasn't in the leak).

Re:Not Really Sold on the Correlations (1)

ThePhilips (752041) | more than 3 years ago | (#34547114)

just because a person uses an "easy" password for something as trivial as a "commenting" user login

And why the hell does one need a password to comment? To me that was always overkill.

OpenID was poised to solve the problem (allowing single sign-on) and partially does that already. Yet still many sites do not support it - Gawker included.

Re:Not Really Sold on the Correlations (2)

PReDiToR (687141) | more than 3 years ago | (#34547214)

I'd rather have multiple passwords and this happening every few years than OpenID, for the record.

One leak of the OpenID db, one PFY with a grudge, one Swedish website later and we're all screwed.

Plus whoever owns OpenID knows every site you visit and the frequency.

Keep it.

Re:Not Really Sold on the Correlations (3, Informative)

Sancho (17056) | more than 3 years ago | (#34547396)

The beauty of Open ID is that anyone can run a provider. Even you.

The ugliness of it is that you log in with a URL (that's a paradigm shift for a lot of people). Ever seen Google's OpenID URL? https://www.google.com/accounts/o8/id [google.com] (and I can never remember if there's a trailing slash, so I often end up trying to log in twice.) And if the provider goes down, you're locked out of pretty much everything. Of course, that's a benefit, too. If someone breaks into your own OpenID server, you can pull the plug and they lose access to all of those accounts.

Re:Not Really Sold on the Correlations (4, Interesting)

AndrewNeo (979708) | more than 3 years ago | (#34547690)

That's what OpenID delegates are for. I have a page set up that I log in to OpenID sites with, and that page contains metatags to forward to the provider of my choice. Provider goes down, I can switch internally and never change my login URL.

Re:Not Really Sold on the Correlations (1)

ThePhilips (752041) | more than 3 years ago | (#34547416)

Plus whoever owns OpenID knows every site you visit and the frequency.

I'd take that - over manually maintaining a private DB with passwords.

I'd rather trust one (or a few) OpenID provider(s), than hundreds of random people who run the dozens/hundreds of sites I visit monthly. Both options have a bunch of pros and cons - but at least the former has the advantage of being convenient and non-obtrusive.

Re:Not Really Sold on the Correlations (1)

mlts (1038732) | more than 3 years ago | (#34547474)

An alternative is to use a throwaway OpenID account. However, why let people be able to get tracking data from one account with multiple sites? Might as well have a different, throwaway ID for every site, just because of the stupidity of having to register to see a print view or leave comments, and the registration process almost always demands a lot of personal information that isn't relevant. Why do websites demand addresses (and bother trying to check them), other than just trying to get more stuff to sell. In those cases, I just give them the address of USENET Central Administration [1] and continue on.

[1]: 1060 W Addison Street to be exact.

Re:Not Really Sold on the Correlations (2)

thePowerOfGrayskull (905905) | more than 3 years ago | (#34547554)

One leak of the OpenID db, one PFY with a grudge, one Swedish website later and we're all screwed. Plus whoever owns OpenID knows every site you visit and the frequency. Keep it.

The answer to all of those: just run your own [openid.net] - that way it's under your control from the start.

Re:Not Really Sold on the Correlations (1)

tlhIngan (30335) | more than 3 years ago | (#34547516)

And why the hell does one need a password to comment? To me that was always overkill.

Because it otherwise kills all benefit to commenting.

A passwordless comment system is like SMTP today. Registration and CAPTCHAs help reduce a good chunk of spam, and bring it to a level that can be manually managed.

And sometimes, having an account gives you benefits, like remembering personal preferences (Gawker has some preferences like an avatar and your default comment view). But losing my account there would be more of an inconvenience so I use a simple password. Oddly though, I couldn't find my account on that Google tables list.

Re:Not Really Sold on the Correlations (1)

lupine (100665) | more than 3 years ago | (#34547272)

I had an account on Gawker, and my password was not very complicated, better than those listed, but still very simple. Why would I be so careless about login security? Because my Gawker account had no real information.

I signed up using a sneakemail.com temporary email address which has since been deleted so the only thing the hackers got was a junk email address and a junk password. No reason to secure something that is worthless.

Re:Not Really Sold on the Correlations (1)

mcgrew (92797) | more than 3 years ago | (#34547718)

anyone who used/uses the gawker commenting system knows it's a heaving pile of shit, and that may lead people to utilize simpler passwords because they routinely cannot get the system to send them "forgotten password" emails in a timely manner.

For most sites that demand a free user account to read the content, a strong password is idiotic; I use a string of 1s for most of them (newspapers are the worst offenders).

For my home PC and websites that I need security I have a long string of random characters that I keep written down; the lock on my front door is my security.

For my work PC I make it as strong as possible while easy for me to remember.

Re:Not Really Sold on the Correlations (0)

Anonymous Coward | more than 3 years ago | (#34547012)

Came here to say this. This is a stupid article. The ones "decrypted" were ones that had known matches in hash databases. So of course you get a bunch of obvious ones!

Re:Not Really Sold on the Correlations (1)

konohitowa (220547) | more than 3 years ago | (#34547052)

You could have saved yourself a lot of analysis by rating the merits of the article from the first sentence. ;)

Re:Not Really Sold on the Correlations (1)

D Ninja (825055) | more than 3 years ago | (#34547306)

Well, Hotmail and Yahoo! require six characters or more and Google requires eight characters or more. Explains the Google/Microsoft difference anyway: People are lazy. While your statements aren't false, I fail to see their confidence or usefulness. Or are we just trying to pat ourselves on the back for using Google and being part of the "elite?" The funny thing is that if your password is showing up here, it's just as "strong" as the other ones that fell victim to this kind of attack! Regardless of length! Take your pick, "unicorns" or "$r-P_5"?

Except, that's not entirely true. Yes, while people typically use very weak passwords, Gawker's mistake was that they used DES (WTF?) to encrypt their passwords. DES has been shown to be not strong enough for quite some time now. On top of that, Gawker did not handle passwords correctly in the first place. No salt. No hash. It was just one big screw up.

So, yes, people choose bad passwords, but that can only result in a small compromise (one account). In Gawker's case, they had the whole entire system compromised, and it was very easy to crack those passwords.

Re:Not Really Sold on the Correlations (1)

Sancho (17056) | more than 3 years ago | (#34547452)

There was a salt. That's why of the 1.2 million accounts on Gawker, only about 200,000 passwords were recovered. It's looking like Gawker basically used crypt().

Re:Not Really Sold on the Correlations (1)

mlts (1038732) | more than 3 years ago | (#34547632)

Stuff like that is inexcusable. Basic stuff like doing a salt (128 bit minimum, 256 bits recommended), appending it to the password the user types in, then running both through a SHA-256 blender for a good number of rounds [1] is SOP for anything to be taken seriously these days.

Why do people keep forgetting the need for salts in password storage? Even the old BSD and SVR4 UNIX variants had salts and computation rounds in the old crypt(3) password storage before the days of /etc/shadow. It is a lot tougher to guess a password when one can't just use a precomputed rainbow table.

[1]: This can vary on the system. TrueCrypt uses 1000 rounds, iOS 4 uses 10,000 rounds. Preferably a number of rounds that doesn't add significant load to the server, but is good enough to slow down brute force attempts. One idea might just be to have the client do the password obtaining and send a decrypted token so the server doesn't have to waste CPU cycles.
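The salted, iterated SHA-256 scheme sketched in the post above, as an added example (not code from Gawker or from the commenter): a per-user random salt of the recommended 256 bits, the salt fed into every round, a constant-time verify, and a check showing why two users with the same password end up with different stored digests, which is the property that defeats a single precomputed table. The round count and record layout are assumptions.

```python
import hashlib
import hmac
import os
from typing import NamedTuple

ROUNDS = 10_000      # the iOS 4 figure quoted in the post; tune to the server's CPU budget (assumed default)
SALT_BYTES = 32      # 256-bit salt, the post's recommended size


class StoredPassword(NamedTuple):
    """What the database row holds: never the password, only salt, rounds, digest."""
    salt: bytes
    rounds: int
    digest: bytes


def stretch(password: str, salt: bytes, rounds: int) -> bytes:
    """Salted, iterated SHA-256 as the post describes it.

    Round 1 hashes password||salt; every later round hashes the previous
    digest together with the salt again, so the salt shapes every step.
    """
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def store(password: str, rounds: int = ROUNDS) -> StoredPassword:
    """Draw a fresh random salt for this user and stretch the password."""
    salt = os.urandom(SALT_BYTES)
    return StoredPassword(salt, rounds, stretch(password, salt, rounds))


def verify(password: str, record: StoredPassword) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    candidate = stretch(password, record.salt, record.rounds)
    return hmac.compare_digest(candidate, record.digest)


def unsalted(password: str) -> bytes:
    """A single unsalted SHA-256: the storage style the post warns against."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def same_password_collides(password: str, salted: bool) -> bool:
    """Two users who pick the same password.

    Salted: their stored digests differ, so one precomputed table cannot
    cover both. Unsalted: the digests are identical, so a single lookup
    cracks every account that chose that password.
    """
    if salted:
        first, second = store(password, rounds=1000), store(password, rounds=1000)
        return first.digest == second.digest
    return unsalted(password) == unsalted(password)


if __name__ == "__main__":
    rec = store("123456")
    print("verify correct password:", verify("123456", rec))
    print("verify wrong password:  ", verify("password", rec))
    print("salted duplicates collide:  ", same_password_collides("123456", salted=True))
    print("unsalted duplicates collide:", same_password_collides("123456", salted=False))
```

In production a purpose-built password KDF such as bcrypt (which a later reply notes Gawker eventually switched to) is preferable to hand-rolling the loop; the block exists to make the salt-and-rounds reasoning concrete.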

Re:Not Really Sold on the Correlations (1)

Sancho (17056) | more than 3 years ago | (#34547728)

They were basically using crypt. There was, in fact, a salt (though not a good one.)

Also, Gawker switched to using bcrypt at some point, but since many people didn't change their passwords after the switch, they were still storing the old DES passwords.

Re:Not Really Sold on the Correlations (1)

AliasMarlowe (1042386) | more than 3 years ago | (#34547376)

The funny thing is that if your password is showing up here, it's just as "strong" as the other ones that fell victim to this kind of attack!

Not exactly. It does not mean that all of the passwords were "as strong" as each other. It means that all of them were weak enough to be broken by an attack of this strength. Some of the better ones might not have been cracked by a less capable attack.

Take your pick, "unicorns" or "$r-P_5"?

It's clear that the 8 character lower-case "unicorns" could be broken by a simple dictionary attack (maybe 20-ish bits of entropy), while the 6 character "$r-P_5" obviously would not. The latter would need a brute force across 6 characters, mixed case + numeric + special, about 80^6 possibilities or 38 bits of entropy (and rainbow tables would probably not help much). Both are indeed a bit too short to be considered strong, but one is clearly much weaker than the other.

If your point was that length alone does not give strength to passwords, you're preaching to the choir.

Re:Not Really Sold on the Correlations (3, Insightful)

PhrostyMcByte (589271) | more than 3 years ago | (#34547496)

The only thing this study shows is the most popular passwords used by people who don't care about security.

Good passwords will be reasonably unique. When you try to find the most common passwords, of course the bad ones will bubble up to the top, even if only a fraction of a percent of people use them. This list might be interesting, but it doesn't really show anything significant about Gawker's users.

Re:Not Really Sold on the Correlations (1)

kefkahax (915895) | more than 3 years ago | (#34547522)

Yes, definitely. They likely wanted to get their hacked information out fast. So, I doubt they let "John the Ripper" or anything else run for more than a few hours, and probably on a weaker character set like azAZ09. That would definitely obscure the results. I don't think it's a good sample to measure password security on. The same way, a few years ago, someone found a phisher's log file and posted it to full-disclosure. While that would give you more difficult passwords, the sample of users is questionable and not all of the passwords were real (you'd need to filter out the e-mails like fuck@phish.ers). Besides that, I assume that I'm not the only one that uses stronger passwords for say my server and my various e-mail addresses, than I use for any other service like facebook, gaming forums, etc.

one, two, three, four, five... (-1)

Anonymous Coward | more than 3 years ago | (#34546940)

... that's the same combination I have on my luggage!

My password (4, Funny)

Krneki (1192201) | more than 3 years ago | (#34546952)

I guess I'm the only one to use ****** .

Re:My password (0)

Anonymous Coward | more than 3 years ago | (#34547074)

I was just saying the other day how ****** was the best password, because if someone haxored your computer and found a text file with passwords that were all *****, one might assume you were using the number of asterisks to remember default passwords of a certain length.

Re:My password (0)

Anonymous Coward | more than 3 years ago | (#34547212)

Some logins automatically put in a default number of asterisks so that you can't guess the password off of the number of asterisks.

Re:My password (1)

mlts (1038732) | more than 3 years ago | (#34547750)

The old Wizardry games on the Apple ][ would add a pseudo-random number of asterisks when typing in a character password. This way, if someone saw 8 asterisks, it could be a 2 character password, or longer. Since it was the same number of characters, one could use that to double-check if they had the right password typed as well.

Smarter security systems also follow this lead. So, "******" may not be "hunter2", but "1234".

Re:My password (5, Funny)

jimicus (737525) | more than 3 years ago | (#34547110)

I'm sure someone else must use hunter2

Re:My password (0)

Anonymous Coward | more than 3 years ago | (#34547248)

Yeah, gawker does, for their password salt. Highly secure.

Re:My password (4, Funny)

MacGyver2210 (1053110) | more than 3 years ago | (#34547294)

You know, it just shows up as ******* when you type hunter2. Slashdot automatically blocks your password if you type it.

Re:My password (3, Funny)

Tsunayoshi (789351) | more than 3 years ago | (#34547314)

wait, how did you know my pw?

Re:My password (1)

Anonymous Coward | more than 3 years ago | (#34547734)

er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 'cause it's your pw

So what? (2)

Frosty Piss (770223) | more than 3 years ago | (#34546968)

You know, it's not like Gawker is everyone's primary email account or has access to their bank records - it's entertainment. So honestly, what's the loss here? For me as a "user", very little. If I even care that much, I'll change my UID/Pass. But maybe, since it's probably a throwaway account anyway, I'll just sign up for a new one and move on.

Seriously, what are "hackers" going to do with my account? It's not even under my real name.

Re:So what? (1)

Nerdfest (867930) | more than 3 years ago | (#34547018)

Most people tend to use the same username and password for every site they register on, and their email.

Re:So what? (2)

Sloppy (14984) | more than 3 years ago | (#34547240)

Yes they tend to, but the top 50 are almost all counter-examples to that tendency. It's the bottom 100000 that you should worry about.

Re:So what? (0)

Anonymous Coward | more than 3 years ago | (#34547032)

Depends on whether you meticulously memorize or keep a record of dozens of passwords, each separate for every site you've ever signed up for, or if you use a handful of passwords for all sites. Now you have to go and change them all or risk one of your accounts being compromised.

Get a LIFE! (1, Insightful)

Frosty Piss (770223) | more than 3 years ago | (#34547090)

Depends on whether you meticulously memorize or keep a record of dozens of passwords...

No, I don't. I use the same password /UID for *EVERY* bullshit site that really doesn't matter that much but I want to see the "subscription" content. And yes, I don't care if people know the UID / PASS to the bullshit sites that really doesn't matter that much but I want to see the "subscription" content. Folks, it's Gawker. If you're stressing over the disclosure of your Gawker UID/PWD, you seriously need to get a life.

Re:So what? (1)

AnonChef (947738) | more than 3 years ago | (#34547058)

Unfortunately there is a very good chance many have used that same email/password combo on more important sites.

Re:So what? (1)

oldspewey (1303305) | more than 3 years ago | (#34547060)

Sadly, I know lots of people who use the same password for everything they do online. Lots of them provide their real first and last name when asked too, and have one single email address that they use for "verification" purposes everywhere they go. So that means a hacker who has your $ASININE_SOCIAL_SITE password now has a good shot at all your other passwords, and if they care to take the time to figure out your likely username (based on the real name you provided and the real email address you provided) they can go ahead and log in to Amazon and buy themselves a nice Christmas present.

Re:So what? (1)

dreamt (14798) | more than 3 years ago | (#34547128)

Exactly. Look at how many passwords were gizmodo or engadget. It's a useless account -- does anyone really care if someone is now able to post comments or get replies to a site like this. It shows that users have individual passwords for the sites, and probably good odds that they are using "real" passwords for sites that matter.

Here's what [Re:So what?] (1)

Geoffrey.landis (926948) | more than 3 years ago | (#34547336)

Seriously, what are "hackers" going to do with my account? It's not even under my real name.

In answer to your question: they will post links to spam and malware.

What this shows us (2)

word munger (550251) | more than 3 years ago | (#34546986)

This doesn't show how stupid people are about their passwords; quite the opposite. All you're using the password for is to comment on a stupid blog post. It's actually kind of interesting that a lot of people seem to understand that concept and so don't spend a lot of time generating a secure password.

Re:What this shows us (1)

Amorymeltzer (1213818) | more than 3 years ago | (#34547218)

I don't think that's it, or at least, there's no way to draw that conclusion without seeing everyone's passwords for everything. Most people use the same password for most everything, tacking on a letter/number/upper case/symbol as required by certain sites. The only real creativity is in the workplace, at companies where passwords must be changed every [1-3] months and you cannot repeat. After about a year, you gotta start coming up with new concepts. That can never work for something like Gawker or Slashdot because, as you say, it's not vital, but that doesn't mean people are using an insecure password because they recognize the lower importance. Besides, that's like switching wallets when you have ten bucks or 200 on you.

Re:What this shows us (0)

Anonymous Coward | more than 3 years ago | (#34547656)

You can make a reasonable assumption of people's habits by running the list from a simple site against a few more important sites (banking, Amazon, eBay and the like). If you get a reasonably high hit rate you can say that people generally use the same weak passwords for important sites that they use for throwaway comment sites. Now that is a much more interesting news story, and the fact that they've not run with that story tells me they're either incredibly lazy or it was a non-issue (i.e. most people had better passwords elsewhere).

Re:What this shows us (1)

poetmatt (793785) | more than 3 years ago | (#34547480)

if your username + password lets people guess on anything, they're going to try it on every site that exists to try to exploit it.

so actually, yes, this does matter if you didn't take the proper steps to make it hard to identify the email address/username/etc used in the original registration.

Isn't it obvious? (2)

BStroms (1875462) | more than 3 years ago | (#34547020)

No matter how tech savvy the group of users, isn't it all but a given that most common passwords will be weak ones? There's always going to be a subset of users that just use simple passwords. More interesting would be a comparison of what percentage of the users had these weak passwords compared to other, less tech oriented sites.

Strong password are unique, weak passwords are not (2)

kiwix (1810960) | more than 3 years ago | (#34547022)

Of course the most common passwords are weak, the strong passwords are unique...

"the savviest on the Web" (0)

Anonymous Coward | more than 3 years ago | (#34547034)

Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web

Um... Using a web browser, lusting after phones, and reading about legal disputes between consumer electronics companies does not indicate that someone will choose a good password. If reading that junk is correlated with intelligence, surely that correlation is not positive.

2 characters?? (1)

TheL0ser (1955440) | more than 3 years ago | (#34547042)

I just skimmed TFA (sorry), and I saw the graph of length vs email provider. And there's a blip on the 2 character mark. How does a 2 character password get allowed?

I guess in a way it works, though. Who's going to guess a 2 character password to try to get into an account?

I use a stupid password for stupid sites (5, Interesting)

gurps_npc (621217) | more than 3 years ago | (#34547064)

When I create a profile for something like the Discovery Channel's forum, I don't care if someone hacks my account. It has no financial information and I am only using it to comment on Mythbusters.

The idea that a password is necessary for such an account is idiotic. No one cares about hacking it (or if you do, then you have an unhealthy obsession with TV).

Gawker is a similar timewaster. Wasting your brain power to create/remember a good password for it is foolish.

I see nothing wrong with using "123456" or "password" for it. I am also pretty sure that most intelligent people that use stupid passwords for stupid web sites, don't use stupid passwords for their bank account or their primary email (but maybe for an email they feed to spammers that offer 'deals' if you give them your email.)

Re:I use a stupid password for stupid sites (2)

Attila Dimedici (1036002) | more than 3 years ago | (#34547328)

That is exactly what I was thinking. If for some reason I went to Gawker and registered an account, I would use a really easy, simple password because I don't care if someone hacks my account there. I'm not going to put any information in that account that you could use to hack my important accounts.

Re:I use a stupid password for stupid sites (2)

poetmatt (793785) | more than 3 years ago | (#34547498)

if there's an email address linked, then expect that email address to be tested across hundreds of sites and then they can rainbow attack sites that validate your email address (it's easy enough to do).

Basically, signing up with a legitimate email address is a huge mistake.

Re:I use a stupid password for stupid sites (1)

trollertron3000 (1940942) | more than 3 years ago | (#34547448)

Agreed, I have a "throw away" password I use for accounts I don't care about. I only use this password(s) on sites or apps I don't really care much about. My bank password on the other hand.. yeah good luck guessing that. Okay you got me, it's asstastic.

Re:I use a stupid password for stupid sites (1)

John Hasler (414242) | more than 3 years ago | (#34547580)

Wasting your brain power to create/remember a good password for it is foolish.

I find that typing "pwgen -s" and copying one of the random passwords that result requires very little of my brain power. Your brain may vary. Of course, I also write down all of my passwords[1]...

[1] Except my GPG passphrase, of course. That has never been written down anywhere.

What the hell does it matter? (1)

DNS-and-BIND (461968) | more than 3 years ago | (#34547092)

What the hell does it matter which password I use for a throwaway comment account on some website? Honestly. Oh noes, someone guessed my password...and...logged in as me? Big deal. "And nothing of value was lost"

I suppose there are those whose lives and self-worth are determined by the snarky and cruel comments they make online, but I suppose such persons would use a for their highly valuable commenting account, without which their lives would have no meaning. [impnerd.com]

Re:What the hell does it matter? (0)

Anonymous Coward | more than 3 years ago | (#34547494)

What the hell does it matter which password I use for a throwaway comment account on some website?

In that case, what's your slashdot password?

Relevant? Really? (0)

Anonymous Coward | more than 3 years ago | (#34547094)

I am not sure how useful this data is to be honest. Sure it is nice to glean some information regarding passwords, but the hotmail information was by far more useful. I protect my email passwords better than an account used to post comments. They have different passwords and if someone really gets a hold of my account for gawker, considering the only ID it has is my email address, I am not too worried. So even if my password is 123456 it isn't a truly representative sample of what goes for important passwords.

Now if this was done for a bank, I'd love to see the results.

Different Passwords (1)

TheNinjaroach (878876) | more than 3 years ago | (#34547142)

I keep different passwords for my accounts based on their importance. Slashdot, Reddit, forums, IM, etc get a weaker password that's easier to remember.

Banks, insurance, work, email and the like get much stronger passwords.

If someone were to compromise my password on a less important site, who cares? I certainly don't.

How to interpret the data (1)

Junior J. Junior III (192702) | more than 3 years ago | (#34547146)

Ok, so we know there are a lot of accounts created for a public web site that have weak passwords.

Do we know that these accounts were "serious" accounts, and not throwaway accounts?

It could be, and likely is, that people don't care as much about securing their accounts as they should. It could also be that a lot of people needed to log in to gawker to access something one time, didn't plan to ever return, went through the account creation process with a throwaway password that they didn't care about, and then abandoned the account.

The proportion of people who are too stupid to own a computer is equal to the proportion of gawker users with weak passwords, less the number of throwaway accounts with weak passwords, divided by the total number of gawker users.

consider what was being "secured" (3, Insightful)

dAzED1 (33635) | more than 3 years ago | (#34547164)

I have a weak password I use at a lot of silly blog and news sites, short of two such sites (this one and fark...) that is just a trash thing. I don't use the same password at multiple places - duh - short of this weak password. I'm not going to remember dozens and dozens of passwords, and I don't put real info on that type of site anyway. I mean seriously...it's a celebrity gossip site. I just went there for probably the third time in my entire life, top story:
The golden couple of Disney breaks up on Vanessa's 22nd birthday. Katie Couric goes to a Bieber concert. Michael C. Hall divorces. Miley barters for her bong video with Macbooks. Tuesday gossip is always a trade-off.
I mean hell, I wouldn't even use my real name or my established nick on a site like that. What the hell does it matter what the password is, at that point? I use a very minimal amount of security simply to allow for a very minor amount of distinction between posters, but if it's lost...
Anyway, the passwords used there shouldn't really be held against someone - just sayin.

People still use "password"? (1)

KublaiKhan (522918) | more than 3 years ago | (#34547198)

Someone needs to build an open-source authenticator that provides strong (not DES, FFS) password-mangling, easy interoperability with most common systems, and which rejects, logs, and unleashes attack dogs on anyone who tries to use "password" as a credential.

Re:People still use "password"? (0)

Anonymous Coward | more than 3 years ago | (#34547512)

The best option is not to use services that ask for a password... I am posting as anonymous for obvious reasons...

Holy Crap (0, Redundant)

Anonymous Coward | more than 3 years ago | (#34547204)

- that's the combination to my luggage

Not the indicator of savvy (0)

Anonymous Coward | more than 3 years ago | (#34547208)

People may use crappy, easy to remember passwords on numerous news sites and blogs that they read. This doesn't tell anything about the quality of passwords the same people use on banking sites.
Posting anonymously for security reasons :)

Important things to note. (1)

Demonantis (1340557) | more than 3 years ago | (#34547228)

People that use MSN and Yahoo are lovers not haters, and people that use Gmail have a strange interest in cheese. On a side note, shouldn't the passwords be salted so they can't be brute-forced this easily? That is really the only thing that scares me. Everyone gets hacked. It just happens, but not having active damage mitigation beyond encrypting is just stupid, especially simple ones like salting.

And the reason is (3, Interesting)

saikou (211301) | more than 3 years ago | (#34547296)

that people probably don't care if someone steals their "commenting" account password.
The only reason to create it in the first place was because they just wanted to show their nick.

I bet if someone checked Washington Post account database passwords, there'd be the same amount of "Blahblahs" and "F*ckoff123"

This is why I use tiered passwords. (3, Interesting)

gman003 (1693318) | more than 3 years ago | (#34547368)

I use a system I call "tiered passwords". Since there's no way I can remember 20+ unique passwords for all the things that require them, I split them into tiers. Bottom tier is stuff I really don't care if you steal - I use it for Imageshack, Gawker, /., etc. Middle tier is the more important ones - I don't like you using it, but it won't ruin my life if you get access. That's a slightly more complex password (9 characters instead of 6), and I use it for my user-level computer accounts, GMail, etc. Finally, my top-tier accounts are for things that would really be terrible if someone were to get access: my root account and my bank account. That's a 20-character password, pretty much uncrackable unless the NSA gets involved.

This way, I have damage control. If something gets compromised, it's not going to affect as much. Gawker gets hacked, I change my password for a dozen websites, but don't have to worry about my email being stolen or my bank account being drained. Likewise, if someone does manage to hijack my email account, I can tell people over Facebook that it happened, and not to trust that email address anymore. Yes, it's still not as secure as unique passwords for every site, but it's significantly easier on the memory.

Re:This is why I use tiered passwords. (1)

horza (87255) | more than 3 years ago | (#34547744)

Same system I used when I was younger. Nowhere near as good as using KeePassX [keepassx.org], which will run on nearly every OS, from USB, and on mobile phones. Each and every site login has a unique password, like "xY5C=r%|yH`", and when I want to log in I just select "copy password to clipboard" over the entry and paste in. Also helps avoid keyloggers. You have one master password, and simply make sure you back up your encrypted password file.

This way, if a site is compromised then it has no damage outside of that account.

Phillip.
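An added example, not code from the thread, from pwgen or from KeePassX: what "pwgen -s"-style generation looks like with Python's CSPRNG-backed `secrets` module, alongside the kind of reject-"password" check KublaiKhan asks for a few comments up. The `COMMON` set is a constructed stand-in for a real top-N breach list, and the `ALPHABET`, length and policy thresholds are my own choices, not anything the thread specifies.

```python
"""Added example (not from the thread, pwgen or KeePassX): generate a unique
per-site password with the secrets module and reject the weak choices a leak
like this one is full of. COMMON is a constructed stand-in for a real top-N list."""
import math
import secrets
import string

# Assumed character set; pwgen -s uses a similar letters+digits+symbols pool.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Constructed stand-in: in practice load the top entries of a real breach corpus.
COMMON = {"123456", "password", "12345678", "lifehack", "qwerty", "abc123",
          "111111", "letmein", "monkey", "dragon"}


def generate(length: int = 16, alphabet: str = ALPHABET) -> str:
    """CSPRNG-backed random string, one fresh value per site (like `pwgen -s`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def normalise(password: str) -> str:
    """Fold the trivial variations people bolt on: case and trailing digits/symbols,
    so that 'Password123!' is treated as the dictionary word 'password'."""
    return password.lower().rstrip(string.digits + string.punctuation)


def check(password: str, min_length: int = 12, common=COMMON) -> list:
    """Return the list of policy failures; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in common or normalise(password) in common:
        problems.append("on the common-password list")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Password123!", generate()]:
        verdict = check(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    print(f"generated entropy: {entropy_bits(16, len(ALPHABET)):.1f} bits")
```

The entropy figure only applies to the generated value: a 16-character string drawn uniformly from a 75-symbol alphabet is close to 100 bits, whereas a human-chosen "123456" is one of the first handful of guesses regardless of length. The `normalise` step is deliberately crude; a real policy would also test the candidate against a full breach corpus rather than ten entries.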

I'm sure I can't be the only one thinking... (0)

Liam Pomfret (1737150) | more than 3 years ago | (#34547374)

...that there's an academic article or two to be written on this. A dataset like this would be particularly valuable to research on consumer privacy/security behaviours. Of course, that's assuming one could get it past the ethical review committee...

Dark Helmet (2)

e3m4n (947977) | more than 3 years ago | (#34547388)

Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

passwords inherently suck (1)

mattdm (1931) | more than 3 years ago | (#34547422)

Many people (not necessarily us super-smart slashdotters, but in the media and in general) appear to be taking the wrong lesson from this. This data breach shows that it doesn't really matter how good your password is if the list is not stored securely.

In this case, they were encoded with the flawed and ancient "crypt" method, which allowed the weakest passwords to be brute-forced very quickly. But there's plenty of CPU power out there, and rest assured that any stronger passwords wouldn't stand up to further scrutiny, no matter how many squiggly characters are included.

Because of this, people using weak passwords that they didn't use elsewhere ("lifehack" is a prime example) are certainly better off than someone who had a "strong" password used on multiple sites.

No Salt? (0)

Anonymous Coward | more than 3 years ago | (#34547518)

Make your password as complicated as you want, if the site is storing the passwords in plaintext or not salting its hash what difference does it make when the DB is exposed?

The more sensible users who know not to use the same password for commenting sites as say for example online banking will still be annoyed that their email address has been revealed to 1000s of spammers who will most likely value these over a list of passwords.
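An added example, not code from the thread or from Gawker, to make concrete the salting point raised by Demonantis, mattdm and the anonymous "No Salt?" poster above. It builds three versions of a small constructed user database (unsalted fast hash, salted fast hash, salted slow PBKDF2) and runs the same constructed ten-word dictionary against each, counting the work the attacker has to do. The user records, wordlist, SHA-256 and the 100,000-iteration PBKDF2 setting are all my assumptions for illustration; the traditional DES-based crypt mattdm refers to is a different and weaker construction (it also only looks at the first eight characters of the password), and is not what is modelled here.

```python
"""Added example (not from the thread or Gawker): why a leaked table of
unsalted, fast hashes falls to a precomputed dictionary, and what a per-user
salt and a slow KDF change. Wordlist and user records are constructed."""
import hashlib
import os

# Constructed stand-in for a cracking dictionary; real ones hold millions of entries.
WORDLIST = ["123456", "password", "12345678", "lifehack", "qwerty",
            "monkey", "letmein", "dragon", "baseball", "superman"]

# Constructed user records; plaintext is known here only to build the "leaked" DBs.
USERS = {"alice": "123456", "bob": "password", "carol": "Xq7#vL!m2pR9",
         "dave": "dragon", "erin": "123456"}


def hash_unsalted(password: str) -> str:
    """Fast and unsalted: every user with the same password gets the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Same fast hash with a per-user random salt mixed in."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_slow(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted and deliberately slow: PBKDF2-HMAC-SHA256 from the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_table(wordlist) -> dict:
    """Precompute hash -> password once; reusable against any unsalted leak."""
    return {hash_unsalted(w): w for w in wordlist}


def crack_unsalted(leaked: dict, table: dict) -> dict:
    """leaked: {user: hash}. One dict lookup per user, no hashing at crack time."""
    return {u: table[h] for u, h in leaked.items() if h in table}


def crack_salted(leaked: dict, wordlist, hashfn):
    """leaked: {user: (salt, hash)}. The dictionary must be re-hashed per user.
    Returns (recovered, number of hash computations performed)."""
    recovered, work = {}, 0
    for user, (salt, h) in leaked.items():
        for guess in wordlist:
            work += 1
            if hashfn(guess, salt) == h:
                recovered[user] = guess
                break
    return recovered, work


def simulate() -> dict:
    # Unsalted database, as a site might store it.
    db_plain = {u: hash_unsalted(p) for u, p in USERS.items()}
    table = build_table(WORDLIST)          # built once, before any breach
    found_plain = crack_unsalted(db_plain, table)

    # Salted databases: 16 random bytes per user, stored next to the hash.
    salts = {u: os.urandom(16) for u in USERS}
    db_fast = {u: (salts[u], hash_salted(p, salts[u])) for u, p in USERS.items()}
    db_slow = {u: (salts[u], hash_slow(p, salts[u])) for u, p in USERS.items()}
    found_fast, work_fast = crack_salted(db_fast, WORDLIST, hash_salted)
    found_slow, work_slow = crack_salted(db_slow, WORDLIST, hash_slow)

    return {
        "unsalted_recovered": found_plain,
        "unsalted_alice_erin_same_hash": db_plain["alice"] == db_plain["erin"],
        "salted_alice_erin_same_hash": db_fast["alice"][1] == db_fast["erin"][1],
        "salted_recovered": found_fast,
        "salted_hash_computations": work_fast,
        "slow_recovered": found_slow,
        "slow_hash_computations": work_slow,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Three things to read off the result. Against the unsalted table, the four users with dictionary passwords are recovered with zero hashing at crack time, and alice and erin are visibly the same password before anything is cracked. With a salt the attacker still gets the same four, but only by hashing the whole dictionary once per user, and identical passwords no longer share a hash. The slow variant does the same number of guesses, but each guess now costs 100,000 HMAC evaluations instead of one, which is the only lever the site has once the hashes are out; carol's long random password is the one record that survives all three, which is the case for per-site unique passwords made elsewhere in the thread.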

Bender says (1)

titanium93 (839011) | more than 3 years ago | (#34547562)

Where's Pimpmobile?

Also there is a starwars but no star trek?

Baseball beat Football

Football beat Soccer (redundant?)

Superman beat Batman

Jennifer beat Michelle

mo3 0p (-1)

Anonymous Coward | more than 3 years ago | (#34547564)

how it was suptposed

This means one thing: PLAINTEXT PASSWORDS! (1)

solaraddict (846558) | more than 3 years ago | (#34547726)

Exposing the password list implies that the passwords were actually stored, in plaintext. Wtf, what year do people think it is, 1241? Plaintext passwords == passwords stolen from you sooner or later. One would have thought that after all this time - and it's been a long time - they would have learned by now.