Amongst all the incredibly damaging things that came from the Ashley Madison hack, there was one positive takeaway – the Canadian company did hash its users’ passwords with a strong algorithm.
In previous hacks, such as the 42m Cupid Media attack, we have seen dating sites take poor precautions in protecting their customers’ passwords, which can make a hack even more harmful, as many people use the same password for different online accounts.
Ashley Madison, however, surprised security researchers by storing them as bcrypt-hashed passwords. Because bcrypt is deliberately slow to compute and salts each hash, there is no practical way to crack all the user passwords.
However, although this hashing means you cannot crack all 36m passwords, you can crack the very worst ones, and that is exactly what antivirus company Avast has done, posting about its findings.
The company used the first million passwords from the 36m that were leaked in the Ashley Madison hack, and compared them against two readily available lists of commonly used passwords.
After running its tailored crack for two weeks, Avast’s CPU found 17,217 passwords and the GPU found 9,777.
This gives a total of 26,994 cracked passwords, of which 25,393 were unique hashes, meaning the CPU and GPU both cracked 1,601 of the same hashes.
By doing this, Avast found the most used, easily-crackable passwords from the first million found in the Ashley Madison hack.
Check out the list below – in brackets is how many people used the password:
- 123456 (6495)
- password (3268)
- 12345 (2024)
- 12345678 (880)
- qwerty (768)
- pussy (453)
- secret (248)
- dragon (209)
- welcome (201)
- ginger (198)
- sparky (173)
- helpme (168)
- blowjob (164)
- nicole (152)
- justin (134)
- camaro (129)
- johnson (120)
- yamaha (117)
- midnight (113)
- chris (103)
Looking at this analysis, we can see that “123456” and “password” are still the most commonly used, and worst possible, passwords.
These two are joined by “12345678” and “qwerty”, alongside the passwords “pussy”, “helpme” and “blowjob”.
Below, you can compare the Ashley Madison list to the top 20 most common passwords, according to the 500-worst list:
- 123456
- password
- 12345678
- 1234
- pussy
- 12345
- dragon
- qwerty
- 696969
- mustang
- letmein
- baseball
- master
- michael
- football
- shadow
- monkey
- abc123
- pass
- fuckme
Speaking about their findings, Avast said: “There is no excuse for using terrible passwords, considering that the usage of intelligent passwords plays a key role in keeping you safe from attacks and breaches.
“Even with one of the strongest password encryption algorithms out there, it was trivial to get a large list of weak passwords by checking known passwords against the list of hashes.”
The company advises those who created an Ashley Madison account before July 15th 2015 to change their password, as it may have already been cracked, especially if it is one of those in the list above.
You can read more about the technology behind Avast’s analysis, and information about bcrypt passwords, over at the Avast blog.
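A site can run the same kind of check against its own credential store, and screen new passwords at sign-up, so that listed passwords never survive long enough to be cracked. The following is an added example, not code from Avast or this article; PBKDF2 from Python's standard library stands in for bcrypt, and the function names, account names and sample passwords are constructed.

```python
import hashlib
import hmac
import os

# Subset of the article's most-used list; a real deployment would load a far larger one.
DENYLIST = ("123456", "password", "12345", "12345678", "qwerty",
            "secret", "dragon", "welcome")
ITERATIONS = 1_000  # deliberately low so the demo runs quickly; not a production value


def hash_password(password, salt=None):
    """Salted, iterated hash. PBKDF2 stands in for bcrypt here (assumption)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def is_denylisted(password):
    """Screen a new password at set time, ignoring case and outer whitespace."""
    return password.strip().casefold() in DENYLIST


def accounts_needing_reset(store):
    """Audit our own credential store: flag users whose hash matches a listed password.

    The per-user salt means every candidate must be re-hashed per account, so the
    cost is at most len(store) * len(DENYLIST) hashes, however strong the hash is.
    """
    flagged, hashes_computed = [], 0
    for user, (salt, stored) in store.items():
        for candidate in DENYLIST:
            hashes_computed += 1
            _, digest = hash_password(candidate, salt)
            if hmac.compare_digest(digest, stored):
                flagged.append(user)
                break
    return sorted(flagged), hashes_computed


def build_sample_store():
    """Constructed accounts for the demo; names and passwords are made up."""
    sample = {"alice": "123456", "bob": "tangle-orbit-maple-47",
              "carol": "qwerty", "dave": "x9$Lq!vR2#pZ"}
    return {user: hash_password(pw) for user, pw in sample.items()}


if __name__ == "__main__":
    flagged, cost = accounts_needing_reset(build_sample_store())
    print("force reset for:", flagged, "after", cost, "hash computations")
```

The audit touches only a handful of hashes per account, which is why a slow, salted hash protects strong passwords but does nothing for the ones on the list.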