More bad passwords revealed in Gawker hack

Are people getting any smarter about password protection?

Have we learned nothing from

You may recall that earlier this year, security firm Imperva analyzed 32 million passwords that a hacker stole from an application developer called RockYou, and found that many people were using simple ones, including "password," "rockyou" (the name of the site) and strings of sequential numbers.

Now hackers have once again stolen and posted passwords, this time from Gawker and its related sites, including Gizmodo and Lifehacker.

The most common password, according to a Wall Street Journal analysis of the data dump: "123456," used by more than 3,000 registered Gawker users.

After that:

  • lifehack (a variation of one of the site names)
  • trustno1 (Fox Mulder's password on "The X-Files," and he should have known better.)

The WSJ has the top 50 passwords from this latest hack, along with a detailed analysis.
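The analysis the WSJ ran is a frequency count over the leaked plaintext passwords, and the practical follow-up for a site operator is to turn such a list into a blocklist checked at registration and password change. The following is an added example written for this page (not the WSJ's or Gawker's code); the dump it parses is constructed sample data in an assumed `user:password` line format, not the real Gawker data.

```python
"""Frequency analysis of a leaked plaintext password dump, and a blocklist
built from the result.  Added example for this page; the dump is constructed."""
from collections import Counter

# Constructed sample dump (hypothetical users, hypothetical passwords).
SAMPLE_DUMP = """\
alice:123456
bob:password
carol:lifehack
dave:123456
erin:trustno1
frank:Xq7!vB2#pL
grace:123456
heidi:password
ivan:LifeHack
judy:river-lantern-octave-39
"""


def parse_dump(text):
    """Yield the password from each 'user:password' line.  Split on the first
    colon only so a password that itself contains ':' survives intact; lines
    without a colon are skipped as malformed."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, password = line.split(":", 1)
        yield password


def top_passwords(text, n=3):
    """The n most common passwords as (password, count) pairs, counted exactly
    (case-sensitive), which is what a dump analysis reports."""
    return Counter(parse_dump(text)).most_common(n)


def build_blocklist(text, min_count=2):
    """Passwords that occur at least min_count times, folded to lower case so
    trivial case variants ('LifeHack') collapse onto one entry."""
    counts = Counter(pw.lower() for pw in parse_dump(text))
    return {pw for pw, c in counts.items() if c >= min_count}


def is_blocklisted(candidate, blocklist):
    """Case-insensitive membership test; this is the check to run when a user
    picks a new password."""
    return candidate.lower() in blocklist


def blocklisted_share(text, blocklist):
    """Fraction of accounts in the dump whose password is on the blocklist."""
    passwords = list(parse_dump(text))
    if not passwords:
        return 0.0
    hits = sum(1 for pw in passwords if is_blocklisted(pw, blocklist))
    return hits / len(passwords)


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_DUMP)
    print("top passwords:", top_passwords(SAMPLE_DUMP))
    print("blocklist:", sorted(blocklist))
    print("share of accounts using a blocklisted password:",
          blocklisted_share(SAMPLE_DUMP, blocklist))
```

In production the blocklist would be seeded from a published top-N list rather than from your own users, and the check belongs server-side at password-set time; a list that is only enforced client-side is bypassed by anyone who skips the form.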

Security experts recommend people use "strong" passwords, generally defined to be randomized strings of letters, numbers and symbols, with some letters capitalized, not based on any words with personal significance (don't use your dog's name or child's college name, for example). And they also recommend that you have a different password for every site that requires one, change them often, and never write them down.

Most ordinary people find this advice to be laughably unrealistic -- creating and, more importantly, remembering a couple dozen such strong passwords without writing them down is pretty much impossible. (And for sites where the access is needed only to read and comment on articles, with no payment or personal information stored, many people think complex passwords are superfluous.)

But when we asked our readers, after reporting on the rockyou hack, for tips, we got a few really good ones. Among them:

  • Open a favorite book to a random page and find a phrase. The phrase becomes the password. You can write down the page and line number safely -- it will look like "73 14," and it's doubtful anybody will know what it means. If someone does figure it out, they'd still have to guess which book.
  • Memorize your finger movements when you create the password. When you change it, start on a different first key but make the same movements. You end up with a new, unguessable password already stored in your muscle memory.
  • Combine meaningful phrases and dates with other symbols and codes. One reader told us: "I went to Disney World in 1996, so I start with '96DIsneyworld' (using uppercase for the first two letters). I precede that with two special characters that I always keep the same. Then I precede that with the first letter again in lowercase. That gives me 'd,,96DIsneyworld'. To avoid using the very same password on all my various accounts, for each one I add a lowercase letter just after the digits that represents the system to me (e.g. 't' for the Timesheet system, 'e' for e-mail). This would give me 'd,,96tDIsneyworld' for my Timesheet password."
  • E. Miller of Portland, Ore., recommended making passwords out of stories. "'I walked down Bourbon Street with Sarah in 1992' can be 'bourbon1992Sarah' or many other variations."
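The "same finger movements, different starting key" tip above is a mechanical transform, so it can be written down exactly. This is an added example for this page, not a reader's or the author's code; it assumes a US QWERTY layout (unshifted characters only) and a shift of one key to the right along the same row, both of which are assumptions rather than anything the tip specifies.

```python
"""Derive a new password from an old one by sliding every key along its row,
the 'same finger movements' scheme.  Added example; US QWERTY rows assumed."""

# Assumed US QWERTY rows, unshifted characters only, one string per row.
QWERTY_ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]

# Key position lookup: character -> (row, column).  Upper-case letters map to
# the same physical key as their lower-case form.
_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def shift_password(password, columns=1):
    """Move each character `columns` keys to the right within its row, wrapping
    at the row end, and keep the original letter case.  A character that is not
    on the assumed layout raises rather than being passed through unchanged,
    because passing it through would leak part of the original password."""
    out = []
    for ch in password:
        key = ch.lower()
        if key not in _POS:
            raise ValueError(f"character {ch!r} is not on the assumed layout")
        r, c = _POS[key]
        row = QWERTY_ROWS[r]
        new = row[(c + columns) % len(row)]
        out.append(new.upper() if ch.isupper() else new)
    return "".join(out)


def recover_original(shifted, columns=1):
    """Inverse transform.  Anyone who learns one plaintext from a dump and
    guesses the scheme only needs to try a few column offsets to get the rest."""
    return shift_password(shifted, -columns)


if __name__ == "__main__":
    old = "trustno1"
    new = shift_password(old)
    print(old, "->", new, "->", recover_original(new))
```

The transform keeps the length and structure of the original, so the derived password is no harder to guess than the one it came from; what it buys is that one leaked password is not literally reused elsewhere, and only for as long as the scheme itself stays private.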

About the Author

Technology journalist Michael Hardy is a former FCW editor.
