News

These Are The Worst Passwords Used On Ashley Madison

stock

Amongst all the incredibly damaging things that came from the Ashley Madison hack, there was one positive takeaway – the Canadian company did encrypt its users’ passwords.

In previous hacks, such as the 42m Cupid Media attack, we have seen dating sites take terrible precautions in protecting its customers’ passwords, which can make the hack even more harmful, as many people use the same passwords for different online accounts.

Ashley Madison, however, surprised security researchers by storing them as bcrypt-hashed passwords, meaning there is no way to crack all the user passwords.

However, although this encryption means you cannot crack all 36m passwords, you can crack the very worst passwords, and that is exactly what antivirus company Avast has done, and posted about its findings.

The company used the first million passwords from the 36m that were leaked in the Ashley Madison hack, and compared them against two readily available lists of commonly used passwords.

After running its tailored crack for two weeks, Avast’s CPU found 17,217 passwords and the GPU found 9,777.

This creates a total of 26,994 passwords cracked, but 25,393 were unique hashes, which means the CPU and GPU redundantly cracked 1,601 hashes.

By doing this, Avast found the most used, easily-crackable passwords from the first million found in the Ashley Madison hack.

Check out the list below – in brackets is how many people used the password:

  1. 123456 (6495)
  2. password (3268)
  3. 12345 (2024)
  4. 12345678 (880)
  5. qwerty (768)
  6. pussy (453)
  7. secret (248)
  8. dragon (209)
  9. welcome (201)
  10. ginger (198)
  11. sparky (173)
  12. helpme (168)
  13. blowjob (164)
  14. nicole (152)
  15. justin (134)
  16. camaro (129)
  17. johnson (120)
  18. yamaha (117)
  19. midnight (113)
  20. chris (103)

Looking at this analysis, we can see that “123456” and “password” are still the most commonly-used, worst possible passwords.

These two are also joined by “12345678” and “qwerty”, alongside use of the password “pussy”, “helpme” and “blowjob”.

Below, you can compare the Ashley Madison list to the top 20 most common passwords, according to the 500-worst list:

  1. 123456
  2. password
  3. 12345678
  4. 1234
  5. pussy
  6. 12345
  7. dragon
  8. qwerty
  9. 696969
  10. mustang
  11. letmein
  12. baseball
  13. master
  14. michael
  15. football
  16. shadow
  17. monkey
  18. abc123
  19. pass
  20. fuckme

Speaking about their findings, Avast said: “There is no excuse for using terrible passwords, considering that the usage of intelligent passwords plays a key role in keeping you safe from attacks and breaches.

“Even with one of the strongest password encryption algorithms out there, it was trivial to get a large list of weak passwords by checking known passwords against the list of hashes.”

The company advises those who created an Ashley Madison account before July 15th 2015 to change it, as it may have already been cracked, especially if it is one of those in the list above.

You can read more about the technology behind Avast’s analysis, and information about bcrypt passwords, over at the Avast blog here.

Simon Edmunds

Simon is the former editor of Global Dating Insights. Born in Newcastle, he has an English degree from Queen Mary, London and after working for the NHS, trained as a journalist with the Press Association. Passionate about music, journalism and Newcastle United.

Global Dating Insights is part of the Industry Insights Group. Registered in the UK. Company No: 14395769