The Top 50 Gawker Media Passwords
wiredmikey writes "Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web, but the most common password for logging into those sites is embarrassingly easy to guess: "123456." So is the runner-up: "password." On Sunday night, hackers posted online a trove of data from Gawker Media's servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords."
A plurality of Gawker Media passwords are six characters long, but we wondered whether that and other results might differ based on the user’s email provider. Indeed, users of Google and Yahoo’s email services are more likely than Microsoft email users to have passwords of eight or more characters.
Well, Hotmail and Yahoo! require six characters or more and Google requires eight characters or more. Explains the Google/Microsoft difference anyway: People are lazy. While your statements aren't false, I fail to see their confidence or usefulness. Or are we just trying to pat ourselves on the back for using Google and being part of the "elite?" The funny thing is that if your password is showing up here, it's just as "strong" as the other ones that fell victim to this kind of attack! Regardless of length! Take your pick, "unicorns" or "$r-P_5"?
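The "top 50" and "length by email provider" figures quoted above are simple frequency counts over a leaked (email, password) table. The following is an added example, not code from the article or from anyone in this thread, showing how such an audit is done on your own breach data; the records are constructed here for illustration, and the provider split is taken from the email domain, which is an assumption about how the article grouped users.

```python
from collections import Counter

# Constructed sample records (email, password); not real leaked data.
SAMPLE_RECORDS = [
    ("alice@gmail.com", "trustno1"),
    ("bob@gmail.com", "passw0rd"),
    ("carol@gmail.com", "123456"),
    ("dave@yahoo.com", "iloveyou"),
    ("erin@yahoo.com", "123456"),
    ("frank@hotmail.com", "iloveyou"),
    ("grace@hotmail.com", "password"),
    ("heidi@hotmail.com", "123456"),
    ("ivan@example.org", "qwerty"),
    ("judy@gmail.com", "123456"),
]


def email_provider(email):
    """Lower-cased domain part of an address, or 'unknown' if it has no '@' (assumed grouping key)."""
    _, sep, domain = email.rpartition("@")
    return domain.lower() if sep and domain else "unknown"


def top_passwords(records, n=50):
    """The n most common passwords with their counts, most frequent first."""
    return Counter(pw for _, pw in records).most_common(n)


def length_distribution_by_provider(records):
    """Map provider -> Counter of password lengths seen for that provider."""
    dist = {}
    for email, pw in records:
        dist.setdefault(email_provider(email), Counter())[len(pw)] += 1
    return dist


def share_at_least(records, min_len):
    """Fraction of each provider's passwords that are at least min_len characters long."""
    shares = {}
    for provider, counter in length_distribution_by_provider(records).items():
        total = sum(counter.values())
        long_enough = sum(c for length, c in counter.items() if length >= min_len)
        shares[provider] = long_enough / total
    return shares


if __name__ == "__main__":
    for pw, count in top_passwords(SAMPLE_RECORDS, 5):
        print(f"{count:>3}  {pw}")
    for provider, share in sorted(share_at_least(SAMPLE_RECORDS, 8).items()):
        print(f"{provider:<14} {share:.0%} of passwords have 8+ characters")
```

Run against a real leak the same code would reproduce the article's tables; the only moving parts are the record source and the grouping key.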
Popular passwords vary, as well: Gmail users are bigger X-Files fans ("trustno1") and more likely to opt for the slightly clever variant "passw0rd."
Or you're just staring at random data trying to make something out of it. "Slightly clever variant"? Ha, well, whoever decrypted these passwords had that one in mind, you know that for sure. Anything even remotely clever would not show up in here.
Yahoo and Microsoft email users, meanwhile, are much more likely to get sappy with their passwords: "iloveyou."
Come on, one example leads to that kind of generalization?
My work here is dung.
What a coincidence! That's the combination to the airlock protecting the planet!
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
I have to change the password on my luggage.
I guess I'm the only one to use ****** .
Love many, trust a few, do harm to none.
I have to change the password on my luggage.
Don't worry about it; I took the lock also.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
You know, it's not like Gawker is everyone's primary email account or has access to their bank records - it's entertainment. So honestly, what's the loss here? For me as a "user", very little. If I even care that much, I'll change my UID/Pass. But maybe, since it's probably a throwaway account anyway, I'll just sign up for a new one and move on.
Seriously, what are "hackers" going to do with my account? It's not even under my real name.
If you want news from today, you have to come back tomorrow.
This doesn't show how stupid people are about their passwords; quite the opposite. All you're using the password for is to comment on a stupid blog post. It's actually kind of interesting that a lot of people seem to understand that concept and so don't spend a lot of time generating a secure password.
ScienceSeeker.org
No matter how tech savvy the group of users, isn't it all but a given that most common passwords will be weak ones? There's always going to be a subset of users that just use simple passwords. More interesting would be a comparison of what percentage of the users had these weak passwords compared to other, less tech oriented sites.
Of course the most common passwords are weak, the strong passwords are unique...
Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web
Um... Using a web browser, lusting after phones, and reading about legal disputes between consumer electronics companies does not indicate that someone will choose a good password. If reading that junk is correlated with intelligence, surely that correlation is not positive.
I guess in a way it works, though. Who's going to guess a 2 character password to try to get into an account?
The idea that a password is necessary for such an account is idiotic. No one cares about hacking it (or if you do, then you have an unhealthy obsession with TV).
Gawker is a similar timewaster. Wasting your brain power to create/remember a good password for it is foolish.
I see nothing wrong with using "123456" or "password" for it. I am also pretty sure that most intelligent people that use stupid passwords for stupid web sites, don't use stupid passwords for their bank account or their primary email (but maybe for an email they feed to spammers that offer 'deals' if you give them your email.)
excitingthingstodo.blogspot.com
One of my disposable passwords was exposed in the leak. (you can search the cracked list. my username is listed, along with a pass circa 2007)
and today after checking my lists, I realized that I used the same password on both Slashdot (frequented!) and Digg (haven't visited since v4). Whatever, I changed it on both of these sites. I didn't bother touching it on Gawker now that I know I can't trust them to actually understand password security.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
Depends on whether you meticulously memorize or keep a record of dozens of passwords...
No, I don't. I use the same password /UID for *EVERY* bullshit site that really doesn't matter that much but I want to see the "subscription" content. And yes, I don't care if people know the UID / PASS to the bullshit sites that really doesn't matter that much but I want to see the "subscription" content. Folks, it's Gawker. If you're stressing over the disclosure of your Gawker UID/PWD, you seriously need to get a life.
What the hell does it matter which password I use for a throwaway comment account on some website? Honestly. Oh noes, someone guessed my password...and...logged in as me? Big deal. "And nothing of value was lost"
I suppose there are those whose lives and self-worth are determined by the snarky and cruel comments they make online, but I suppose such persons would use a for their highly valuable commenting account, without which their lives would have no meaning.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
I am not sure how useful this data is to be honest. Sure it is nice to glean some information regarding passwords, but the hotmail information was by far more useful. I protect my email passwords better than an account used to post comments. They have different passwords and if someone really gets a hold of my account for gawker, considering the only ID it has is my email address, I am not too worried. So even if my password is 123456 it isn't a truly representative sample of what goes for important passwords.
Now if this was done for a bank, I'd love to see the results.
http://www.bash.org/?244321
Blessed is he who expects the worst, for he shall not be disappointed.
I keep different passwords for my accounts based on their importance. Slashdot, Reddit, forums, IM, etc get a weaker password that's easier to remember.
Banks, insurance, work, email and the like get much stronger passwords.
If someone were to compromise my password on a less important site, who cares? I certainly don't.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Ok, so we know there are a lot of accounts created for a public web site that have weak passwords.
Do we know that these accounts were "serious" accounts, and not throwaway accounts?
It could be, and likely is, that people don't care as much about securing their accounts as they should. It could also be that a lot of people needed to log in to gawker to access something one time, didn't plan to ever return, went through the account creation process with a throwaway password that they didn't care about, and then abandoned the account.
The proportion of people who are too stupid to own a computer is equal to the proportion of gawker users with weak passwords, less the number of throwaway accounts with weak passwords, divided by the total number of gawker users.
You see? You see? Your stupid minds! Stupid! Stupid!
I have a weak password I use at a lot of silly blog and news sites, short of two such sites (this one and fark...) that is just a trash thing. I don't use the same password at multiple places - duh - short of this weak password. I'm not going to remember dozens and dozens of passwords, and I don't put real info on that type of site anyway. I mean seriously...it's a celebrity gossip site. I just went there for probably the third time in my entire life, top story:
The golden couple of Disney breaks up on Vanessa's 22nd birthday. Katie Couric goes to a Bieber concert. Michael C. Hall divorces. Miley barters for her bong video with Macbooks. Tuesday gossip is always a trade-off.
I mean hell, I wouldn't even use my real name or my established nick on a site like that. What the hell does it matter what the password is, at that point? A very minimal amount of security simply to allow for a very minor amount of distinction between posters, but if it's lost...
Anyway, the passwords used there shouldn't really be held against someone - just sayin.
Someone needs to build an open-source authenticator that provides strong (not DES, FFS) password-mangling, easy interoperability with most common systems, and which rejects, logs, and unleashes attack dogs on anyone who tries to use "password" as a credential.
In Xanadu did Kubla Khan
A stately pleasure dome decree
- that's the combination to my luggage
People may use crappy, easy to remember passwords on numerous news sites and blogs that they read. This doesn't tell anything about the quality of passwords the same people use on banking sites. :)
Posting anonymously for security reasons
People that use msn and yahoo are lovers not haters and people that use gmail have a strange interest in cheese. On a side note, shouldn't the passwords be salted so they can't be brute-forced this easily. That is really the only thing that scares me. Everyone gets hacked. It just happens, but not having active damage mitigation beyond encrypting is just stupid especially simple ones like salting.
What gets me is how many people used "Michael," "Michelle", and "Jordan". Why are those three names so popular for passwords?
Common Sense isn't as Common as people think...
that's the same reply i use on my luggage!
that people probably don't care if someone steals their "commenting" account password.
The only reason to create it in a first place was because they just wanted to show their nick.
I bet if someone checked Washington Post account database passwords, there'd be the same amount of "Blahblahs" and "F*ckoff123"
Hyperom.com
Most people tend to use the same username and password for every site they register on, and their email.
Obligatory xkcd here: xkcd.com/972
http://www.geoffreylandis.com
Seriously, what are "hackers" going to do with my account? It's not even under my real name.
In answer to your question: they will post links to spam and malware.
I use a system I call "tiered passwords". Since there's no way I can remember 20+ unique passwords for all the things that require them, I split them into tiers. Bottom tier is stuff I really don't care if you steal - I use it for Imageshack, Gawker, /., etc. Middle tier is the more important ones - I don't like you using it, but it won't ruin my life if you get access. That's a slightly more complex password (9 characters instead of 6), and I use it for my user-level computer accounts, GMail, etc. Finally, my top-tier accounts are for things that would really be terrible if someone were to get access: my root account and my bank account. That's a 20-character password, pretty much uncrackable unless the NSA gets involved.
This way, I have damage control. If something gets compromised, it's not going to affect as much. Gawker gets hacked, I change my password for a dozen websites, but don't have to worry about my email being stolen or my bank account being drained. Likewise, if someone does manage to hijack my email account, I can tell people over Facebook that it happened, and not to trust that email address anymore. Yes, it's still not as secure as unique passwords for every site, but it's significantly easier on the memory.
Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web...
What are you basing that on?
...that there's an academic article or two to be written on this. A dataset like this would be particularly valuable to research on consumer privacy/security behaviours. Of course, that's assuming one could get it past the ethical review committee...
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
Many people (not necessarily us super-smart slashdotters, but in the media and in general) appear to be taking the wrong lesson from this. This data breach shows that it doesn't really matter how good your password is if the list is not stored securely.
In this case, they were encoded with the flawed and ancient "crypt" method, which allowed the weakest passwords to be brute-forced very quickly. But there's plenty of CPU power out there, and rest assured that any stronger passwords wouldn't stand up to further scrutiny, no matter how many squiggly characters are included.
Because of this, people using weak passwords that they didn't use elsewhere ("lifehack" is a prime example) are certainly better off than someone who had a "strong" password used on multiple sites.
Make your password as complicated as you want, if the site is storing the passwords in plaintext or not salting its hash what difference does it make when the DB is exposed?
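Several comments above ask why the hashes were not salted and what a site should do instead (the "shouldn't the passwords be salted" remark, the note that the list was encoded with the old DES crypt and fell to brute force, and the wish for an authenticator that rejects "password" outright). The block below is an added example, not code from Gawker or from anyone in this thread, contrasting an unsalted fast digest with a salted, iterated PBKDF2 store and a deny-list check; the user table, the round count and the stored-record format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample accounts; two users chose the same password on purpose.
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse battery"}

# Constructed deny-list (would be fed from a real "most common passwords" table).
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "trustno1", "qwerty"}

PBKDF2_ROUNDS = 600_000  # assumed cost for this example; tune to your hardware


def unsalted_hash(password):
    """Fast, unsalted digest: equal passwords give equal rows, so a leaked table is trivially counted
    and precomputed tables apply to every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Salted, iterated PBKDF2-HMAC-SHA256; stored as 'pbkdf2_sha256$rounds$salt_hex$digest_hex'
    (record format is an assumption of this example)."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; constant-time comparison of the digests."""
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def is_acceptable(password, deny_list=COMMON_PASSWORDS, min_len=8):
    """Registration-time policy: refuse known-common passwords and very short ones."""
    return len(password) >= min_len and password.lower() not in deny_list


def duplicate_groups(table):
    """Number of stored values shared by more than one account: what an attacker can read straight
    off an unsalted table and cannot read off a salted one."""
    counts = Counter(table.values())
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("shared rows, unsalted:", duplicate_groups(unsalted))  # alice and bob collide
    print("shared rows, salted:  ", duplicate_groups(salted))    # no collision visible
    print("verify alice:", verify_password("123456", salted["alice"]))
    for u, p in SAMPLE_USERS.items():
        print(f"{u}: policy {'accepts' if is_acceptable(p) else 'rejects'} this password")
```

The salt removes the "same password, same row" signal that made the top-50 count possible from the dump, and the iteration count turns each guess into real work; the deny-list check is the cheap counterpart on the registration side.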
The more sensible users who know not to use the same password for commenting sites as say for example online banking will still be annoyed that their email address has been revealed to 1000s of spammers who will most likely value these over a list of passwords.
Also there is a starwars but no star trek?
Baseball beat Football
Football beat Soccer (redundant?)
Superman beat Batman
Jennifer beat Michelle
Sigs are for losers
Exposing the password list implies that the passwords were actually stored, in plaintext. Wtf, what year do people think it is, 1241? Plaintext passwords == passwords stolen from you sooner or later. One would have thought that after all this time - and it's been a long time - they would have learned by now.
This is why I use LastPass to manage my passwords. I have one, completely randomly-generated password per site.
When you force users to make Yet Another Account.
is there something important in a gawker account? Most of these accounts are a formality used to access the site. Usually when a news site asks me to sign up for an account, i put in some bogus information and an easy password. what are people going to do? log in and read articles under a name that nobody attributes to me anyway? um.....
I wonder whether the list is just anonymised or anonymised AND censored.
God, this joke is really, *really* old. Yes, we know this is a password thread, but this doesn't mean we have to pull out an overused movie reference every time we have one.
I'm not sure that follows.
If "strong" is defined as "this cracking software takes an ungodly amount of time to guess it," it's possible that a plurality of some tech-savvy community could have the same otherwise-random string of characters. Unlikely, but possible.
If only 200k of 1000k passwords were cracked, there's still the potential of some strong password being the most popular.
Similar analysis here.
The fact that passwords like "12345" and "password" are the most common on websites like Gawker (and rockyou) is simply evidence that:
1. People don't care about their accounts on these systems. It's okay if somebody takes it over.
2. People don't want to use their good passwords on these systems, because they know that these companies have poor security passwords.
(Yes, I really am Simson Garfinkel)
I got an email from Gawker saying that my password was compromised and that I should change it. I don't even remember signing up for that website... Either I forgot... or my main email account has been compromised?
There are hundreds of websites that insist that I get an 'account' in order to use their intended functionality.
There is no way I can remember hundreds of different, secure passwords. Actually, there is no way to even reasonably remember my username if my 'default' one is occasionally taken on some websites.
Ergo, on sites such as gawker a trivial password should be used. Like, say, '123456'. And I still would have trouble logging in - I'd have to try 1-3 usernames until I find the one that works, and it's quite possible that I had created a couple other user accounts there some years ago but just forgotten about them, and after a few reinstalls and changed computers, the computer doesn't remember it either.
There is no way ever how I would have a secure password on something like gawker. Actually gawker shouldn't in any way require or expect the passwords to be secure. No one should, except if you really, truly believe that your site has something that's worth enough for people to take seriously. Well, banks could do that. Maybe paypal. And maybe those who believe that they are running most of your life, such as facebook or google. But 99% of the sites that require logins - you're just kidding yourself.
My memory capacity allows me to reliably remember something like 3 decent, periodically changeable passwords. Two are taken up for work purposes, one is for my gmail/googleapps account. Your site most likely is not important at all, and if your password criteria disallows my usual 7-letter alphanumeric password that's the same for a hundred websites, then f*** you, i'll probably just click on the password reset link if I encounter your site and my browser doesn't log me in automatically. No forum or shopping site or 'community' or blog or game site or news site like slashdot is worth the mindspace to think about secure passwords.
You're forgetting something here: your email can be used to reset your other passwords.
In other words, your email password might as well be a master password. Please treat it as "top tier" and be more watchful, or you're in for a nasty surprise if a clever attacker uses it to take over your other accounts.
Statistically this makes sense since, even if only 10 people have this password, that's 9 more people than have a password of, say, "we2iru0sdfnsf283fsv72nfkdflhasdfj". Regardless of password strength and regardless of how strong of passwords Gawker requires its users to have, simplicity will always win the "top passwords" award. This is because it is hard for a complicated password to be replicated by multiple users. In other words, this article only gives me a starting point (which I can similarly find elsewhere on the internet) of passwords to try if I wanted to hack a Gawker (or any other) site.
My old account I never remembered the info for was in that list. I made the mistake of resetting my password before trying to guess some of the old account possibilities.
I know it's not the same password I use for anything too important (email, banking, etc), but I'd still like to know what password is in that list.
Does anyone know how to DES encrypt a password the way gawker does so that I can compare some passwords I might have used to the one in that list?
Download John the Ripper, and use the command "john --format=DES mypass.txt", where mypass.txt is a file containing "jsmith::1001:1000:Joe Smith,Room 1007,(234)555-8910,(234)555-0044,email:/hom". Obtain your pw hash from the torrented file obviously.
I had the same problem, and found mine in 3 hours and 39 minutes -- DES is just plain easy to crack. Then had to spend a few more hours changing that password on ~50 forums and news sites.
Whoops, the mypass.txt got mangled. It should contain "jsmith:(your PW hash here):1001:1000:Joe Smith,Room 1007,(234)555-8910,(234)555-0044,email:/home/jsmith:/bin/sh"
of every damn site now needing a login to do anything.
Shopping sites are the worst, no I don't need an account, I want to buy this one item from you, oh no google checkout or paypal...well I'll go elsewhere then.
----- I refuse to have an argument with an unarmed person
metrix007 is pissed about this http://yro.slashdot.org/comments.pl?sid=1888084&cid=34462614 where he blundered on hosts files. metrix007 got played. He played himself badly due to his skimming!