The worst passwords from hack to Ashley Madison

When hackers gained access to 36 millions accounts of Ashley Madison, a dating website, many were concerned and wanted to know what had been stolen.

A month after the breach was disclosed, the hackers released the first package of the stolen data data. Email addresses, passwords, and credit card transactions were leaked starting August 18. A few days later, more data surfaced, including: internal emails with the parent; company of the website, Avid Media Life.

The tens of millions of passwords, leaked from Ashley Madison's page, were encrypted, with bcrypt. Robert Graham security researcher at Errata Security, Reported on their blog, that the event was a "refreshing change." This means that users with strong passwords are "safe."

But we can not say the same about weak passwords.

Security expert Dean Pierce Reported how he managed to break the encryption of weak passwords with a "cracking rig."

The results should not surprise us. Using weak passwords on the site was terrible.

Pierce spent five days running an automated procedure of "cracking" passwords, and stopped at about 0,0006 percent of all leaked data. But that means 4.000 decrypted passwords.

The most common password was the well-known “123456”, while the also known “password” came in second. (You can download the full list from Google Drive, by Pierce.)

It is worth noting that in the case of Ashley Madison, it is not clear at what point in time the data with the passwords leaked. It is likely that the website allowed weak passwords in the first days of its operation, and later required stronger when signing up for the site. .

“It may also be impossible to break any password with bcrypt, but given that many users use weak passwords, it doesn't matter if the passwords are bcrypted and salted. Some will break. ”

See the worst passwords from Ashley Madison's hack