Ashley Madison Breach Reveals Ridiculously Weak Passwords

The infamous Ashley Madison breach makes further headlines, this time revealing weak and unimaginative passwords used to access Ashley Madison accounts.

The recent breach of extramarital affairs website Ashley Madison has resulted in millions of account details including personal information being dumped online. Multiple times.

In the aftermath of the online dump, a password cracking group discovered that programming errors by Ashley Madison meant the group was able to decipher over 11 million ‘unbreakable’ passwords in a week’s time.

Despite the many vulnerabilities that led to the breach, Ashley Madison did protect its user passwords with robust hashing, using the ‘bcrypt’ algorithm.

However, a new report issued by security firm Avast notes that many of the passwords Ashley Madison users chose to secure their adulterous dating accounts are among the weakest and most common passwords. A weak password, even when hashed, is still weak.

The Weakest Passwords Used by Ashley Madison Users

Avast used two well-known password lists for the crack: the 14 million password list from the ‘rockyou hack’ of 2009 and, more appropriately, The Top 500 Worst Passwords of All Time.

Running the password-cracking utility ‘hashcat’ against the first million passwords, Avast has cracked 26,393 hashes so far, out of which 1,064 were unique passwords.

Avast posted a list of the top 20 passwords cracked from the data it has accessed so far. They are:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. pu**y
  7. secret
  8. dragon
  9. welcome
  10. ginger
  11. sparky
  12. helpme
  13. blo*job
  14. nicole
  15. justin
  16. camaro
  17. johnson
  18. yamaha
  19. midnight
  20. chris

For comparison, the top 20 most common passwords from the 500-worst list are:

  1. 123456
  2. password
  3. 12345678
  4. 1234
  5. Pu**y
  6. 12345
  7. dragon
  8. qwerty
  9. 696969
  10. mustang
  11. letmein
  12. baseball
  13. master
  14. michael
  15. football
  16. shadow
  17. monkey
  18. abc13
  19. pass
  20. fu*kme

It’s important to note that the password list was derived from the first million Ashley Madison accounts, which are likely to have been created during the initial years of the website, back in 2001.

The later batches of cracked passwords will make for interesting insight into whether Internet users have gotten better at creating more secure passwords.
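
An added illustration (not Avast's or Ashley Madison's code) of why a slow, salted hash does not rescue a password that appears on a common-password list: the sketch audits a constructed credential store against entries from the first list above, then applies a registration-time screen that would have rejected them. PBKDF2 from the Python standard library stands in for bcrypt; the function names, iteration count and sample accounts are assumptions.

```python
import hashlib
import hmac
import os

# Constructed subset of the Ashley Madison top-20 list quoted in the article.
COMMON = ["123456", "password", "12345", "12345678", "qwerty",
          "secret", "dragon", "welcome", "ginger", "sparky"]
ITERATIONS = 20_000  # assumption: kept low so the demo finishes quickly


def slow_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, a standard-library stand-in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(user: str, password: str) -> dict:
    """Store a per-user random salt and the slow hash, never the password."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": slow_hash(password, salt)}


def audit(records: list, wordlist: list) -> dict:
    """Return {user: password} for stored hashes that match a wordlist entry.

    Cost is at most len(records) * len(wordlist) hash computations, so a
    short list of common passwords stays cheap however slow each hash is.
    """
    found = {}
    for rec in records:
        for guess in wordlist:
            if hmac.compare_digest(slow_hash(guess, rec["salt"]), rec["hash"]):
                found[rec["user"]] = guess
                break
    return found


def is_acceptable(candidate: str, wordlist: list = COMMON) -> bool:
    """Registration-time screen: reject listed passwords, also when only the
    case differs or digits/punctuation were appended (e.g. 'Dragon1!')."""
    lowered = candidate.casefold()
    core = lowered.rstrip("0123456789!@#$%.")
    return lowered not in wordlist and core not in wordlist


if __name__ == "__main__":
    # Constructed sample accounts, not data from the breach.
    store = [make_record("alice", "qwerty"),
             make_record("bob", "tide-pool-lantern-42")]
    print(audit(store, COMMON))            # only alice's password is recovered
    print(is_acceptable("Dragon1!"))       # rejected despite the decoration
```

Screening new passwords against such a list at signup removes exactly the entries that a wordlist run recovers first, which the strength of the hash alone cannot do.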