You might think that people seeking to cheat on their spouses would use strong passwords. But no.
Accounts exposed in the hack of Ashley Madison, a website for would-be cheaters, had passwords that were just as weak as the rest of the internet, according to research group that cracked the encryption on 11.7 million of them. The top three: 123456, 12345, and password.
Here are the most common passwords found by the group, which goes by the name CynoSure Prime:
The 11.7 million passwords cracked by CynoSure Prime account for about a third of the 36 million Ashley Madison accounts that were dumped on the internet last month. The researchers said they focused on the passwords on a subset of 15 million accounts that used a form of encryption that can be cracked with relative speed. “We crack passwords in gradual increasing complexity,” they said, “so it is normal that we have recovered most of the simpler ones first.”
Strong passwords should contain a mix of lowercase letters, capital letters, numbers, and symbols. Yet nearly 5 million of the 11.7 million passwords contained only lowercase letters:
Some users with passwords like “correcthorsebatterystaple” and “batteryhorsestaple” appeared to be trying to follow the sage advice of this xkcd comic a bit too literally:
The researchers also highlighted some passwords that didn’t make the top 100 but were nevertheless noteworthy, like ones suggesting that some users had doubts about their activities: