Top 100 Ashley Madison Passwords Are As Weak As All The Rest

Megalith

People sure do love basic number sequences, don’t they?

The top 10 Ashley Madison passwords are 123456, 12345, password, DEFAULT, 123456789, qwerty, 12345678, abc123, pussy, and 1234567. With the exception of choice number 9, the passwords look like they could have come from just about any site breach published over the past decade.
 
Not really much point in using hard to remember passwords when the hackers can easily steal them all from the company's servers.
 
The fact that we even have the passwords reveals just how weak AM's security was. What the hell were they using, MD5, SHA1, or some other nonsense hashing algorithm that was never meant for passwords? Should have used bcrypt. Not that it matters, since the names, email, and addresses were really what the hackers were after. But if anyone used the same password on AM as they did for their email account...... :eek:
 
Except...remember how the vast majority of accounts were likely fakes put there by the company? No reason to put a secure password on a junk account.
 
Meh,

I use strong passwords on important things, but there are so many throwaway accounts on useless sites which I don't care if they get compromised, I use the same weak-ass password on all of those.

It's impossible to commit a hundred different strong passwords to memory, and I refuse to go through the trouble of writing them down and looking them up :p
 
pwdhash all the way for me. At least that way, if one of my accounts gets hacked, the password should still be pretty useless.

I still use a different master password for mail, bank and other accounts, just in case they break pwdhash.
 
"what's your password"
"just the letter a"

from The Website Is Down - Sales Guy vs. Web Dude
 
They did use bcrypt for the passwords, but the login tokens used md5.

"Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the md5 *snipped* tokens instead. Having cracked the token, we simply then had to case correct it against its bcrypt counterpart."
http://cynosureprime.blogspot.ca/2015/09/how-we-cracked-millions-of-ashley.html

So it's basically like using the world's most secure key, and then leaving the key under the doormat. Idiots.
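The two-phase attack described in the quoted CynoSure Prime post, as an added example that is not part of this thread or of the original write-up. Everything here is constructed: the username, password, salt and wordlist are made up, the login-token format (unsalted MD5 over the lowercased username and password joined by "::") is an assumption about how such a token might be built, and PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in the Python standard library. The point the code makes is the cost asymmetry: the dictionary attack runs entirely against the fast MD5 token, and the slow hash is only touched to fix the letter case, at most 2**(number of letters) times.

```python
import hashlib
import itertools
from typing import Iterator, Optional

# Constructed sample data for the demo; nothing here comes from the actual dump.
USERNAME = "Alice_AM"
REAL_PASSWORD = "SeCret1"          # mixed case, so case correction has real work to do
SALT = b"constructed-salt-0001"    # a real system stores a per-user random salt
SLOW_ITERATIONS = 10_000

# Constructed wordlist: the thread's top-10 list plus the target's lowercase form.
WORDLIST = ["123456", "12345", "password", "default", "123456789",
            "qwerty", "12345678", "abc123", "1234567", "secret1"]


def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for bcrypt (not in the standard library): PBKDF2-HMAC-SHA256.
    Only the cost asymmetry against MD5 matters for this demonstration."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def login_token(username: str, password: str) -> str:
    """Assumed token construction: unsalted MD5 over the lowercased username and
    password joined by '::'. The exact format is an assumption for this demo;
    what matters is that lowercasing throws away the case information."""
    material = f"{username.lower()}::{password.lower()}".encode()
    return hashlib.md5(material).hexdigest()


def crack_token(token: str, username: str, wordlist) -> tuple[Optional[str], int]:
    """Phase 1: dictionary attack on the fast MD5 token.
    Returns (lowercase candidate or None, number of MD5 evaluations)."""
    for tries, word in enumerate(wordlist, start=1):
        if login_token(username, word) == token:
            return word.lower(), tries
    return None, len(wordlist)


def case_variants(word: str) -> Iterator[str]:
    """Yield every upper/lower casing of the letters in word (digits unchanged)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def case_correct(lower_pw: str, salt: bytes, target: bytes) -> tuple[Optional[str], int]:
    """Phase 2: recover the true casing against the slow hash.
    Costs at most 2**(letters in lower_pw) slow-hash evaluations."""
    tries = 0
    for tries, candidate in enumerate(case_variants(lower_pw), start=1):
        if slow_hash(candidate, salt) == target:
            return candidate, tries
    return None, tries


def run_attack(username: str = USERNAME, real_password: str = REAL_PASSWORD,
               wordlist=WORDLIST) -> dict:
    """Simulate what the server stored, run both phases, and report the cost."""
    stored_slow = slow_hash(real_password, SALT)          # the bcrypt-equivalent
    stored_token = login_token(username, real_password)   # the MD5 login token

    lower_guess, md5_calls = crack_token(stored_token, username, wordlist)
    if lower_guess is None:
        return {"recovered": None, "md5_calls": md5_calls, "slow_calls": 0}
    recovered, slow_calls = case_correct(lower_guess, SALT, stored_slow)

    # For comparison: attacking the slow hash directly with every casing of every
    # wordlist entry would cost this many slow-hash evaluations in the worst case.
    worst_case_direct = sum(2 ** sum(c.isalpha() for c in w) for w in wordlist)
    return {"recovered": recovered, "md5_calls": md5_calls,
            "slow_calls": slow_calls, "worst_case_direct_slow_calls": worst_case_direct}


if __name__ == "__main__":
    print(run_attack())
```

The same shape applies to any secondary artifact derived from the password with a cheaper or lossier function: once the cheap one is broken, the expensive one only has to be queried for the information the cheap one discarded.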
 
Zarathustra[H];1041852294 said:
Meh,

I use strong passwords on important things, but there are so many throwaway accounts on useless sites which I don't care if they get compromised, I use the same weak-ass password on all of those.

It's impossible to commit a hundred different strong passwords to memory, and I refuse to go through the trouble of writing them down and looking them up :p

KeePass: you don't have to write anything down, you remember one hard password and make the rest randomly generated... done.
 
keep-ass, huh? :p Would have been perfect for Ashley Madison. :p

More seriously though, sounds like a pretty decent password manager, but what do you do when you are using a different machine that doesn't have your encrypted password database on it?
 
The Big Corp's would like to introduce you to something that is big fluffy and white! (i guess) :p
 