The recent hack of fembot dating extramarital affairs website Ashley Madison, which resulted in data from millions of accounts being dumped online, has one more salutary yet familiar lesson to deliver: even very well encrypted stupid passwords are still stupid.
While plenty of aspects of Ashley Madison’s business and operations have raised eyebrows, the firm did apparently use robust and respected encryption for its user passwords. But even bcrypt-hashed passwords can be cracked if the user choses a stupid password, like, er, password. Or 123456.
Yep, you can see where this is going…
Sure enough, after about two weeks running password cracking utility, hashcat, on the first million passwords from the Ashley Madison database of ~36 million bcrypt-hashed passwords, security firm Avast has been able to crack 25,393 unique hashes — out of which it says there were 1,064 unique passwords.
To be clear: that’s unique passwords as in ‘different from the other cracked passwords it’s been able to crack so far’, rather than ‘what an amazing password! that’s so super complex it’s probably uncrackable!’.
The firm has been using two known-password lists for the crack: The Top 500 Worst Passwords of All Time (which dates from 2008); and the 14 million password list that spilled out of the 2009 RockYou hack.
Out of the data it’s been able to crack so far it says the top 20 ranked Ashley Madison passwords are as follows…
- 123456
- password
- 12345
- 12345678
- qwerty
- pussy
- secret
- dragon
- welcome
- ginger
- sparky
- helpme
- blowjob
- nicole
- justin
- camaro
- johnson
- yamaha
- midnight
- chris
No surprises there then. Except perhaps why so many Nicoles?
Remember the above password list is only derived from a sub-set of those first million Ashley Madison passwords, which may be more likely to have been created earlier in the site’s history — it launched circa 2001 so the first million could reflect some pretty vintage password thinking. Or not.
Arguably the last one million passwords compared with the first million might be a more interesting test of the data — to see if humans have got any better at creating passwords over the past ~15 years. Albeit Avast stresses it is supposing that the password database was sorted chronologically, so “cannot 100% confirm” either way.
One thing remains perennially clear: humans’ first impulse is to create a password they’re sure they’ll remember, so stupid passwords are basically a timeless expression of the storage limitations of the human brain. Fixing that requires A) some other technology and B) whatever it is has to be implemented in such a way that using it is less effort than recalling and typing 123456.