Ashley Madison passwords were truly terrible

8 Sep 2015

Avast has taken a look at some of the passwords that have emerged from the Ashley Madison hack. It turns out we’re still idiots when it comes to security.

In truth, Avast has joined in the chorus of commentators commending Ashley Madison on how it encrypted its users’ passwords, making it quite laborious to break through the shield.

That means it has only accessed around 25,000 of the millions of passwords, with several decades needed to get the remaining tranche.

However, it still paints a worrying picture of how we choose our logins, with the most popular passwords discovered so far being the uninspiring quintet of ‘123456’, ‘password’, ‘12345’, 12345678’ and ‘qwerty’.

Other passwords like ‘pussy’, ‘secret’, ‘dragon’, ‘welcome’ and ‘ginger’ round out the top 10, with Avast bemoaning the relentless need for people to entirely lack invention when it comes to coming up with something.

Variety is the spice of life

There are 25 unique passwords with ‘love’ in them somewhere, including a couple of rather obvious ‘iloveme’ choices by users.

There are various other expletive-ridden options, along with ‘panther’ – which I never knew is the male version of ‘cougar’ – quite popular. (‘Cougar’ didn’t appear, which shouldn’t be a surprise considering the demographic of users).

Oh and two people used ‘genius’, “I think not,” said Avast.

Tigger was the most popular Winnie the Pooh character included, with Piglet, Winnie and Eeyore even making an appearance.

The top 20 numeric passwords discovered went largely in numerical order, with occasionally wondrous ‘55555’ and ‘11111’ dotted around.

We are responsible

“As citizens of the internet, it’s up to us to choose strong passwords,” said Avast, which notes how these findings reflect other attempts to name and shame bad passwords.

“We are responsible for our own security, and cannot trust anyone on the internet to do it for us. Especially not a company whose mission is to promote cheating.”

The report notes that every password made before 15 July has been leaked and, if anyone is concerned, they should change their password, even if it’s strong.

Maybe try something like ‘password1’? Oh wait, that was 19th on the list, one above ‘hockey’.

Main image via Lulu Hoeller on Flickr

Gordon Hunt was a journalist with Silicon Republic