Top 250 cracked Gawker passwords - m0tive
http://www.duosecurity.com/docs/top250gawker.txt

======
ramanujam
I think more than four thousand people are not dumb enough to set '123456' or
'password' as their password. I assume that a good percentage of those would be
for throwaway accounts and the users would be aware of the implications.

If I want to post a comment on a lifehacker blog post, there is a decent
chance that I give some random string and 123456 as the username and password.
This is the case when I know that I won't be using it again. True that an
email is associated with the login credentials, but still this might be true
for many of those passwords.

~~~
eli
Yup, I think one of those "password"s is mine. I truly couldn't care less
about the security of my Gawker account. If they eliminated the password field
entirely and just let people type whatever username they want, it'd be fine
with me.

------
bjonathan
70 => 11235813

I am curious: is there a particular reason behind the fact that 70 people
chose that number for their password?

This number seems completely random to me, so I don't understand the how and the
why.

~~~
atuladhar
Not sure if you were being sarcastic, but those are the beginning terms of the
Fibonacci sequence[1], without the leading zero.

[1] <http://en.wikipedia.org/wiki/Fibonacci_sequence>

~~~
corin_
My favourite thing about this is how those 70 users must have been feeling
quite smug and superior about how they chose their password, without realising
69 others had done exactly the same thing.

~~~
rewind
It's like the people who think they're displaying their above-average
understanding of probability by choosing 1, 2, 3, 4, 5, and 6 for their
lottery numbers. It will be a very happy then a very sad day for a lot of
people if those numbers ever hit!

------
TGJ
117 1qaz2wsx

I saw this one and at first I thought it would be a good password. Then I
realized the pattern on the keyboard. I was thinking the other day, would
there be any need to make a password crack program that focused more on
patterns on the keyboard instead of vocabulary. xlsow02 uses the ring finger
on each hand to type out what should score a strong rating on most password
checkers yet is a simple human pattern for easy memorization.

------
tres
I'm supposing that these are already in libcrack. Anyone know for certain?

Anyone have experiences integrating libcrack into their web app? I hesitate to
integrate it because it would cause potential clients to quit the signup.

Alternatively, I think this list would be invaluable as a smaller blacklist.
Thanks!

~~~
JoachimSchipper
IIRC, libcrack will happily use any wordlist you give it. I presume the
default wordlist includes "password", yes.

As to integrating libcrack in your signup process: if an account at your site
isn't actually important, I'm sad to say that you probably shouldn't bother.
People who reuse passwords are, sadly, at much more risk from the other sites
(if you're even aware of libcrack, you're well ahead of the curve); and a
password like 'password' isn't all that bad for something as value-less as
gawker.

------
JonnieCache
consumer. Really? consumer?

Who self identifies with that horrible term so closely that they would use it
as their password?

A lot more people than I thought evidently.

~~~
jgrahamc
They used to own consumerist.com and I guess these people chose the password
consumerist, and because the Gawker system silently truncates at 8 characters
they got consumer.

~~~
JonnieCache
_> the Gawker system silently truncates at 8 characters they got consumer._

I had forgotten that part of the whole sorry story. Reminds me of the uni I
attended, (Sussex) where not only were passwords truncated, there was in fact
a max length policy of 8 chars. This was across their entire campus network,
and all intranet apps. Yeah, my degree ain't worth much.

~~~
dagw
My university had the same max length policy. The reason is that a few ancient
legacy systems couldn't handle longer passwords and they wanted to make sure
that your password could be used on all systems.

~~~
JonnieCache
My instinct in this scenario would be to use Bcrypt on the new systems, and
then try and find some other hash function that came out to 8 chars for use on
the legacy systems.

Can anyone with more experience point out whether I am in any way on the right
track here?

EDIT: hmmm, the storage of the passwords as 8-char weak hashes would render
the more secure hash function used on the modern systems irrelevant. Maybe use
the output of the strong hash as the input of the weak hash? Would this be
secure?

~~~
qjz
Truncation to 8 characters is an entropy killer; limiting the range of
characters by using the truncated strong hash as the input will reduce it
further. In a weak system, you're more likely to find a collision that will
effectively substitute for the original password. For two such systems to
coexist, you'd need to enforce the use of passwords greater than 8 characters
to prevent a crack on the weak system from working on the stronger one.

~~~
JonnieCache
Thank you. This is very interesting. Whenever I study cryptography I feel a bit
like Alice going down the rabbit hole.

Thank god the safe best-practices are clear and simple in the majority of
cases.

EDIT: in case anyone reading this is wondering, the safe best-practice is to
USE BCRYPT.

<http://codahale.com/how-to-safely-store-a-password/>

------
jhrobert
Mine is not there, but how can I assert that there are reasonable chances that
it did not get cracked?

I don't want to get paranoid, and I see no point in changing my password to
minor services unless there is a really good chance that it got compromised.

The "strong" versus "weak" message that some password checking services
provide tells me nothing very useful, because what is weak when you focus a
cluster of CPUs for a week on it may be "strong" for those who use the Gawker leak
and don't have (I guess) such resources.

~~~
jgrahamc
What was your Gawker username or email? Email me if you don't feel comfortable
posting it here.

------
m_myers
I'm not familiar with Gawker, but just looking down the list, it appears that
there is an 8-character limit on passwords:

        124 swordfis
        108 spiderma
         98 chocolat
         90 elizabet
         88 butterfl
         79 basketba

(among others)

Why would anyone put a limit -- especially such a short one -- on password
length? Please don't tell me it's because they want to store them as char(8).
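The inference above can be automated. As an added example (not from the thread, Duo's list or Gawker's code), this script reads a "count password" list like the linked one, looks for a hard length ceiling, and checks whether the entries sitting at that ceiling are prefixes of longer dictionary words; the sample rows and the wordlist are constructed.

```python
import re
from collections import Counter

# Constructed sample in the "count password" layout of the top-250 list;
# counts and entries are illustrative, not copied from the real file.
SAMPLE_LIST = """\
   124 swordfis
   108 spiderma
    98 chocolat
    90 elizabet
    88 butterfl
    79 basketba
   300 123456
   250 password
"""

# Small constructed dictionary standing in for a real wordlist.
WORDLIST = {"swordfish", "spiderman", "chocolate", "elizabeth", "butterfly",
            "basketball", "password", "hunter"}

def parse_list(text):
    """Parse 'count password' lines into (password, count) pairs."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            rows.append((m.group(2), int(m.group(1))))
    return rows

def length_histogram(rows):
    """How many distinct entries have each length."""
    return Counter(len(pw) for pw, _ in rows)

def truncation_evidence(rows, wordlist):
    """Return (longest length, {entry: longer dictionary words it is a prefix of})
    for entries sitting exactly at the ceiling, e.g. swordfis -> swordfish."""
    longest = max(len(pw) for pw, _ in rows)
    hits = {}
    for pw, _ in rows:
        if len(pw) == longest:
            matches = sorted(w for w in wordlist if w.startswith(pw) and len(w) > longest)
            if matches:
                hits[pw] = matches
    return longest, hits

def looks_truncated(rows, wordlist, min_prefix_hits=3):
    """A ceiling plus several cut-off dictionary words points to silent truncation."""
    longest, hits = truncation_evidence(rows, wordlist)
    return len(hits) >= min_prefix_hits, longest
```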

~~~
k33l0r
The DES hashing function that Gawker used/uses has an 8 character limit, so
even if you chose a longer password it would get truncated to 8 characters on
the server.

~~~
qjz
This suggests that some users might have had very strong passwords
("butterflyzrfr33!") that were truncated into weak prefixes ("butterfl"). I'll
need to rethink my approach to passphrases to make sure they're "frontloaded"
with stronger combinations in the first few characters. Like most people, I'm
sure, I tend to tag these on to the end.
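This comment, together with tres's idea of using the list as a small blacklist and TGJ's observation about keyboard patterns like 1qaz2wsx, suggests a signup check that judges only the part a truncating backend actually stores. The following is an added example, not code from the thread or from any of the sites discussed; the blacklist is constructed and the keyboard layout is a simplified US QWERTY grid.

```python
# Constructed top-N blacklist standing in for the linked top-250 list (illustrative).
COMMON = {"123456", "password", "lifehack", "qwerty", "11235813", "1qaz2wsx",
          "consumer", "butterfl", "sunshine", "trustno1"}
LEGACY_LIMIT = 8  # DES-crypt style limit from the thread: only 8 chars are kept

# US QWERTY rows, used to spot walks such as 1qaz2wsx (columns) or qwerty (rows).
# Simplification: a key's neighbours are the keys left/right of it and the keys
# at the same column index in the rows above and below (stagger is ignored).
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def _neighbors():
    adj = {}
    for r, row in enumerate(KEY_ROWS):
        for c, k in enumerate(row):
            near = set(row[max(c - 1, 0):c] + row[c + 1:c + 2])
            for rr in (r - 1, r + 1):
                if 0 <= rr < len(KEY_ROWS) and c < len(KEY_ROWS[rr]):
                    near.add(KEY_ROWS[rr][c])
            adj[k] = near
    return adj

ADJ = _neighbors()

def keyboard_walk_fraction(pw):
    """Fraction of consecutive character pairs that sit on adjacent keys."""
    s = pw.lower()
    if len(s) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(s, s[1:]) if b in ADJ.get(a, ()))
    return hits / (len(s) - 1)

def char_classes(s):
    """Number of character classes (lower, upper, digit, other) present in s."""
    return sum([any(c.islower() for c in s), any(c.isupper() for c in s),
                any(c.isdigit() for c in s), any(not c.isalnum() for c in s)])

def check_password(pw, blacklist=COMMON, legacy_limit=LEGACY_LIMIT):
    """Reasons a candidate is weak once a truncating backend is considered:
    only the stored prefix is ever compared, so the prefix is what must be strong."""
    effective = pw[:legacy_limit]  # the part a truncating backend actually keeps
    reasons = []
    if effective.lower() in blacklist:
        reasons.append("blacklisted prefix")
    if keyboard_walk_fraction(effective) >= 0.6:
        reasons.append("keyboard walk")
    if len(pw) > legacy_limit and char_classes(effective) < 3:
        reasons.append("strength is past the truncation point")
    return reasons
```

A password such as "butterflyzrfr33!" fails on both the blacklisted prefix and the late mix of classes, while the same material frontloaded ("zrfr33!Butterfly") passes.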

------
bitexploder
We came up with different results and some more interesting items in the top
25 (link is to our top 100):
[http://intrepidusgroup.com/insight/wp-content/uploads/2010/1...](http://intrepidusgroup.com/insight/wp-content/uploads/2010/12/top100.txt)

For instance, our #4 was lifehack with 861 results. We also came up with
different counts.

It is probably worth comparing our methodologies and results:
[http://intrepidusgroup.com/insight/2010/12/gawker-des-crypt-...](http://intrepidusgroup.com/insight/2010/12/gawker-des-crypt-fun-using-john-the-ripper-with-mpi/)
if you are interested in this.

edit: Amusingly, lifehack was the only password in our top100 missing from the
linked top250. Given more time I am assuming lifehack would have dropped out
during Duo's crack as a popular password since it is 8 characters and lower
case.

Jeremy

------
alexophile
- There are only two capital letters on the entire list: "Password" and "Highlife"

- "starwars": 256; "startrek": 88

- "sunshine" barely beat out "shadow" 266-255

- "trustno1": 307 was pretty surprising (it's a reference to the X-Files)

- "superman": 297; "batman": 159; "spiderma": 108

------
epoxy
Is there an easy way for me to decrypt what password Gawker had for me? I was
unable to login with my account for over a year, but I'd like to see what
password they have on file for me so I know whether I need to change it
elsewhere.

I realize asking this also is asking for an instruction manual for malice with
whatever is decrypted. I just don't know how to determine how exposed my email
address leaves me.

~~~
uxp
If you have the database dump from Gawker, you can search for either your
associated Email address, or the username they had on record. Extract that
line from the file, put it in a new text file and run John The Ripper[1] on
it: "./john mypassword.txt". On consumer hardware, it may take a while, but
you'll eventually get it. My 2 year old 2.00GHz iMac took about 36 hours to
crack my password.

If you'd like, email me and I can try to retrieve your password hash based on
your email address. My email is in my profile.

------
jawee
I'm more concerned with the fact that it only stores the first eight
characters. Does anyone know if this is common? I often use very long password
strings that begin with something simple... like I may use the first line of a
song (e.g. myformerhopesarefledmyterrornowbegins). I figured that it was
exponentially harder to crack a longer password so I never bothered with
diverse characters and capitalization.

------
lkozma
It seems many people seriously misunderstand the purpose of passwords, and
think of it as some sort of self-expression or customization.

~~~
detcader
It's fun to replace the word "passwords" in your sentence with really any
plural noun.

~~~
Pent
Kittens

------
jasonkester
I did a brief freelance gig not too long ago for a company that used a single
password for all CMS & site admin user accounts, as well as for the database
server and the ftp login to the production server.

It's one of the top 10 passwords on that list.

------
pietro
'gawker' and 'gizmodo' seem like pretty safe passwords, considering the
context.

------
tenaciousJk
That's the same combination as my luggage!!

------
j2d2j2d2
My favorite is 'trustno1'. Exceptional irony.

------
Keyframe
111: hunter :)

------
spot
funny how "iloveyou" and "fuckyou" are right next to each other in ranking :)

------
avgarrison
I'm glad to see "shithead" made it onto the list in 249th place.

