Slashdot Mirror


The Top 50 Gawker Media Passwords

wiredmikey writes "Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web, but the most common password for logging into those sites is embarrassingly easy to guess: "123456." So is the runner-up: "password." On Sunday night, hackers posted online a trove of data from Gawker Media's servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords."

30 of 209 comments

  1. Not Really Sold on the Correlations by eldavojohn · · Score: 4, Informative
    I don't know about the graphs and statistics they generated from this. First of all, you don't know how many out of the total set of users were stolen and the ones that were decrypted were probably the obvious ones (via rainbow tables? was Gawker using salt?). Perhaps this adds a bit of slant to any statistics generated? Anyway:

    A plurality of Gawker Media passwords are six characters long, but we wondered whether that and other results might differ based on the user’s email provider. Indeed, users of Google and Yahoo’s email services are more likely than Microsoft email users to have passwords of eight or more characters.

    Well, Hotmail and Yahoo! require six characters or more and Google requires eight characters or more. Explains the Google/Microsoft difference anyway: People are lazy. While your statements aren't false, I fail to see their confidence or usefulness. Or are we just trying to pat ourselves on the back for using Google and being part of the "elite?" The funny thing is that if your password is showing up here, it's just as "strong" as the other ones that fell victim to this kind of attack! Regardless of length! Take your pick, "unicorns" or "$r-P_5"?

    Popular passwords vary, as well: Gmail users are bigger X-Files fans ("trustno1") and more likely to opt for the slightly clever variant "passw0rd."

    Or you're just staring at random data trying to make something out of it. "Slightly clever variant"? Ha, well, whoever decrypted these passwords had that one in mind, you know that for sure. Anything even remotely clever would not show up in here.

    Yahoo and Microsoft email users, meanwhile, are much more likely to get sappy with their passwords: "iloveyou."

    Come on, one example leads to that kind of generalization?

    --
    My work here is dung.
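    The "rainbow tables? was Gawker using salt?" question above is the crux of why the decoded subset is biased toward obvious passwords. The following is an added example, not code from the original page and not a description of what Gawker actually ran (the page never says which hash function was used; unsalted MD5 here is an assumption standing in for "any fast unsalted hash"). The users, hashes and wordlist are constructed for the demonstration. It shows that against an unsalted dump one precomputed table cracks every user who picked a wordlist password in a single lookup each, while a per-user salt forces a fresh pass over the wordlist for every account, which is exactly why the weak passwords are the ones that surface first and the random ones do not surface at all.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed wordlist: the passwords named on this page plus a few filler entries.
# A real cracking wordlist is orders of magnitude larger; this is enough to show the mechanism.
WORDLIST = ["123456", "password", "trustno1", "passw0rd", "iloveyou",
            "qwerty", "letmein", "monkey", "unicorns"]

# Hypothetical users (constructed). Unsalted MD5 is an assumption, not what Gawker used.
UNSALTED_DUMP: Dict[str, str] = {
    "alice": hashlib.md5(b"123456").hexdigest(),
    "bob":   hashlib.md5(b"password").hexdigest(),
    "carol": hashlib.md5(b"Vq7#pL2x!mN9").hexdigest(),   # random-looking, in no wordlist
}

# Same users, same passwords, but each hash is computed over salt || password.
# Fixed salts are used here so the example is reproducible; a real system draws them randomly.
SALTED_DUMP: Dict[str, Tuple[bytes, str]] = {
    "alice": (b"s1", hashlib.md5(b"s1" + b"123456").hexdigest()),
    "bob":   (b"s2", hashlib.md5(b"s2" + b"password").hexdigest()),
    "carol": (b"s3", hashlib.md5(b"s3" + b"Vq7#pL2x!mN9").hexdigest()),
}


def crack_unsalted(dump: Dict[str, str], words) -> Tuple[Dict[str, Optional[str]], int]:
    """Build the hash -> word table once (the essence of a rainbow/lookup table),
    then spend one dictionary lookup per user.  Returns (recovered, hash_operations).
    The hash count depends only on the wordlist, not on how many users are in the dump."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in words}
    recovered = {user: table.get(h) for user, h in dump.items()}
    return recovered, len(words)


def crack_salted(dump: Dict[str, Tuple[bytes, str]], words) -> Tuple[Dict[str, Optional[str]], int]:
    """With a per-user salt no shared table is possible: each user costs a fresh pass
    over the wordlist (stopping at the first hit).  Weak passwords still fall, but the
    work now scales with users * words instead of being paid once."""
    recovered: Dict[str, Optional[str]] = {}
    ops = 0
    for user, (salt, target) in dump.items():
        recovered[user] = None
        for w in words:
            ops += 1
            if hashlib.md5(salt + w.encode()).hexdigest() == target:
                recovered[user] = w
                break
    return recovered, ops


if __name__ == "__main__":
    for name, fn, dump in (("unsalted", crack_unsalted, UNSALTED_DUMP),
                           ("salted", crack_salted, SALTED_DUMP)):
        found, ops = fn(dump, WORDLIST)
        print(f"{name}: {found}  ({ops} hash operations)")
```

    In both runs alice and bob are recovered and carol is not, which is the selection effect the comment describes: what gets "decoded" is whatever was already in the attacker's wordlist. The difference is the cost column: the unsalted table is built once and reused against every account (and every future dump from any other site), whereas the salted variant has to start over for each user.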
    1. Re:Not Really Sold on the Correlations by PReDiToR · · Score: 2

      I'd rather have multiple passwords and this happening every few years than OpenID, for the record.

      One leak of the OpenID db, one PFY with a grudge, one Swedish website later and we're all screwed.

      Plus whoever owns OpenID knows every site you visit and the frequency.

      Keep it.

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    2. Re:Not Really Sold on the Correlations by Sancho · · Score: 3, Informative

      The beauty of Open ID is that anyone can run a provider. Even you.

      The ugliness of it is that you log in with a URL (that's a paradigm shift for a lot of people). Ever seen Google's OpenID URL? https://www.google.com/accounts/o8/id (and I can never remember if there's a trailing slash, so I often end up trying to log in twice.) And if the provider goes down, you're locked out of pretty much everything. Of course, that's a benefit, too. If someone breaks into your own OpenID server, you can pull the plug and they lose access to all of those accounts.

    3. Re:Not Really Sold on the Correlations by PhrostyMcByte · · Score: 3, Insightful

      The only thing this study shows is the most popular passwords used by people who don't care about security.

      Good passwords will be reasonably unique. When you try to find the most common passwords, of course the bad ones will bubble up to the top, even if only a fraction of a percent of people use them. This list might be interesting, but it doesn't really show anything significant about Gawker's users.

    4. Re:Not Really Sold on the Correlations by thePowerOfGrayskull · · Score: 2

      One leak of the OpenID db, one PFY with a grudge, one Swedish website later and we're all screwed. Plus whoever owns OpenID knows every site you visit and the frequency. Keep it.

      The answer to all of those: just run your own - that way it's under your control from the start.

    5. Re:Not Really Sold on the Correlations by AndrewNeo · · Score: 4, Interesting

      That's what OpenID delegates are for. I have a page set up that I log in to OpenID sites with, and that page contains metatags to forward to the provider of my choice. Provider goes down, I can switch internally and never change my login URL.

  2. 123456? by oodaloop · · Score: 4, Funny

    What a coincidence! That's the combination to the airlock protecting the planet!

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  3. Please excuse me for a moment by arcite · · Score: 3, Funny

    I have to change the password on my luggage.

  4. My password by Krneki · · Score: 4, Funny

    I guess I'm the only one to use ****** .

    --
    Love many, trust a few, do harm to none.
    1. Re:My password by jimicus · · Score: 5, Funny

      I'm sure someone else must use hunter2

    2. Re:My password by MacGyver2210 · · Score: 4, Funny

      You know, it just shows up as ******* when you type hunter2. Slashdot automatically blocks your password if you type it.

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    3. Re:My password by Tsunayoshi · · Score: 3, Funny

      wait, how did you know my pw?

      --
      "Get a bicycle. You will not regret it, if you live." - Mark Twain, "Taming the Bicycle"
  5. So what? by Frosty+Piss · · Score: 2

    You know, it's not like Gawker is everyone's primary email account or has access to their bank records - it's entertainment. So honestly, what's the loss here? For me as a "user", very little. If I even care that much, I'll change my UID/Pass. But maybe, since it's probably a throwaway account anyway, I'll just sign up for a new one and move on.

    Seriously, what are "hackers" going to do with my account? It's not even under my real name.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:So what? by Sloppy · · Score: 2

      Yes they tend to, but the top 50 are almost all counter-examples to that tendency. It's the bottom 100000 that you should worry about.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  6. What this shows us by word+munger · · Score: 2

    This doesn't show how stupid people are about their passwords; quite the opposite. All you're using the password for is to comment on a stupid blog post. It's actually kind of interesting that a lot of people seem to understand that concept and so don't spend a lot of time generating a secure password.

    1. Re:What this shows us by Darinbob · · Score: 2

      Very interesting too that these passwords were obtained by decrypting the password file. So if you had a very complex and secure password, these guys now know what it is. If you used that same password on a site you care about, maybe with a different digit on the end, you've potentially lost a bit of security elsewhere. But if your password on gawker sites was "password" and you only used that on other fluffy sites, then you haven't lost that much.

  7. Isn't it obvious? by BStroms · · Score: 2

    No matter how tech savvy the group of users, isn't it all but a given that most common passwords will be weak ones? There's always going to be a subset of users that just use simple passwords. More interesting would be a comparison of what percentage of the users had these weak passwords compared to other, less tech oriented sites.

  8. Strong password are unique, weak passwords are not by kiwix · · Score: 2

    Of course the most common passwords are weak, the strong passwords are unique...

  9. I use a stupid password for stupid sites by gurps_npc · · Score: 5, Interesting
    When I create a profile for something like the Discovery Channel's forum, I don't care if someone hacks my account. It has no financial information and I am only using it to comment on Mythbusters.

    The idea that a password is necessary for such an account is idiotic. No one cares about hacking it (or if you do, then you have an unhealthy obsession with TV).

    Gawker is a similar timewaster. Wasting your brain power to create/remember a good password for it is foolish.

    I see nothing wrong with using "123456" or "password" for it. I am also pretty sure that most intelligent people that use stupid passwords for stupid web sites, don't use stupid passwords for their bank account or their primary email (but maybe for an email they feed to spammers that offer 'deals' if you give them your email.)

    --
    excitingthingstodo.blogspot.com
    1. Re:I use a stupid password for stupid sites by Attila+Dimedici · · Score: 2

      That is exactly what I was thinking. If for some reason I went to Gawker and registered an account, I would use a really easy, simple password because I don't care if someone hacks my account there. I'm not going to put any information in that account that you could use to hack my important accounts.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    2. Re:I use a stupid password for stupid sites by poetmatt · · Score: 2

      if there's an email address linked, then expect that email address to be tested across hundreds of sites and then they can rainbow attack sites that validate your email address (it's easy enough to do).

      Basically, signing up with a legitimate email address is a huge mistake.

    3. Re:I use a stupid password for stupid sites by GIL_Dude · · Score: 2

      So, in your example, let's say you "don't care" that your account on Discovery's MythBusters forum is compromised and don't bother to change your password. Now "you" (or rather your account) threatens Grant, stalks Kary, and requests myths about gay midgets child porn. Now, obviously you didn't do it yourself. But it could make your life uncomfortable for a while.

      I do hope that all of the folks (not just the OP - there are many in this thread) that are saying "it doesn't matter, I'll just get another account if I want to use the service again." think about this and take steps to get the password changed or the account deleted.

  10. Perfect example: by gcnaddict · · Score: 4, Interesting

    One of my disposable passwords was exposed in the leak. (you can search the cracked list. my username is listed, along with a pass circa 2007)

    and today after checking my lists, I realized that I used the same password on both Slashdot (frequented!) and Digg (haven't visited since v4). Whatever, I changed it on both of these sites. I didn't bother touching it on Gawker now that I know I can't trust them to actually understand password security.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    1. Re:Perfect example: by butalearner · · Score: 4, Informative

      If you want to check yourself, head to this Google Fusion table

      Instructions are right there on the page, but you take the md5sum of your email address (e.g. "echo -n email@address.com | md5sum") and check it against the list (click "Show Options" and select MD5 = . This doesn't mean your password was decrypted, but at the very least the encrypted version is out there. You can check this other Google Fusion table for your password.
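      The md5sum check above is easy to get subtly wrong: `echo` without `-n` hashes a trailing newline, and an address typed with different capitalisation produces a different digest, so a "not found" result can be a false negative. The following is an added example, not code from the original comment or from the Fusion table page, that computes the same MD5 as `echo -n address | md5sum` and tries the common variants (as typed, whitespace-stripped, lower-cased, each with and without a trailing newline) against a set of leaked digests. The leaked set here is constructed inline for the demonstration; a real check would load the MD5 column published with the leak instead.

```python
import hashlib
from typing import List, Set


def md5_hex(s: str) -> str:
    """MD5 over the UTF-8 bytes with no trailing newline: what `echo -n s | md5sum` prints."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def candidate_hashes(email: str) -> List[str]:
    """Digests of the forms an address may have been stored or hashed in.
    Covers case and whitespace differences, and the `echo` (no -n) trailing-newline mistake."""
    forms = {email, email.strip(), email.strip().lower()}
    out: List[str] = []
    for f in sorted(forms):
        out.append(md5_hex(f))
        out.append(md5_hex(f + "\n"))
    return out


def is_in_leak(email: str, leaked_md5s: Set[str]) -> bool:
    """True if any plausible form of the address hashes to an entry in the leaked set."""
    return any(h in leaked_md5s for h in candidate_hashes(email))


# Constructed stand-in for the published MD5 column (hypothetical addresses).
LEAKED_MD5: Set[str] = {
    md5_hex("someone@example.com"),
    md5_hex("other.user@example.org"),
}

if __name__ == "__main__":
    for addr in ("Someone@Example.com", " other.user@example.org\n", "nobody@example.net"):
        print(f"{addr!r}: {'FOUND' if is_in_leak(addr, LEAKED_MD5) else 'not found'}")
```

      Note what a hit means: as the comment says, it shows the hashed record is in the dump, not that the password was recovered. The right response is the same either way, which is to change that password anywhere else it was reused.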

    2. Re:Perfect example: by Anonymous Coward · · Score: 2, Informative

      All my porn site passwords only use keys on the left side of the keyboard only so I can type them quickly one-handed.

  11. consider what was being "secured" by dAzED1 · · Score: 3, Insightful

    I have a weak password I use at a lot of silly blog and news sites, short of two such sites (this one and fark...) that is just a trash thing. I don't use the same password at multiple places - duh - short of this weak password. I'm not going to remember dozens and dozens of passwords, and I don't put real info on that type of site anyway. I mean seriously...it's a celebrity gossip site. I just went there for probably the third time in my entire life, top story:

    The golden couple of Disney breaks up on Vanessa's 22nd birthday. Katie Couric goes to a Bieber concert. Michael C. Hall divorces. Miley barters for her bong video with Macbooks. Tuesday gossip is always a trade-off.

    I mean hell, I wouldn't even use my real name or my established nick on a site like that. What the hell does it matter what the password is, at that point? I use a very minimal amount of security simply to allow for a very minor amount of distinction between posters, but if it's lost...

    Anyway, the passwords used there shouldn't really be held against someone - just sayin.

  12. And the reason is by saikou · · Score: 3, Interesting

    that people probably don't care if someone steals their "commenting" account password.
    The only reason to create it in a first place was because they just wanted to show their nick.

    I bet if someone checked Washington Post account database passwords, there'd be the same amount of "Blahblahs" and "F*ckoff123"

  13. This is why I use tiered passwords. by gman003 · · Score: 3, Interesting

    I use a system I call "tiered passwords". Since there's no way I can remember 20+ unique passwords for all the things that require them, I split them into tiers. Bottom tier is stuff I really don't care if you steal - I use it for Imageshack, Gawker, /., etc. Middle tier is the more important ones - I don't like you using it, but it won't ruin my life if you get access. That's a slightly more complex password (9 characters instead of 6), and I use it for my user-level computer accounts, GMail, etc. Finally, my top-tier accounts are for things that would really be terrible if someone were to get access: my root account and my bank account. That's a 20-character password, pretty much uncrackable unless the NSA gets involved.

    This way, I have damage control. If something gets compromised, it's not going to affect as much. Gawker gets hacked, I change my password for a dozen websites, but don't have to worry about my email being stolen or my bank account being drained. Likewise, if someone does manage to hijack my email account, I can tell people over Facebook that it happened, and not to trust that email address anymore. Yes, it's still not as secure as unique passwords for every site, but it's significantly easier on the memory.

    1. Re:This is why I use tiered passwords. by clone52431 · · Score: 2

      I just select "copy password to clipboard" over the entry and paste in. Also helps avoid keyloggers.

      A keylogger that doesn’t monitor the clipboard? Lame...

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
  14. Dark Helmet by e3m4n · · Score: 2

    Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!