More bad passwords revealed in Gawker hack

Are people getting any smarter about password protection?

Have we learned nothing from rockyou.com?

You may recall that earlier this year, security firm Imperva analyzed 32 million passwords that a hacker stole from an application developer called rockyou.com and found that many people were using simple ones, including "password," "rockyou" (the name of the site) and strings of sequential numbers.

Now hackers have once again stolen and posted passwords, this time from Gawker and its related sites, including Gizmodo and Lifehacker.

The most common password, according to a Wall Street Journal analysis of the data dump: "123456," used by more than 3,000 registered Gawker users.

After that:

password
12345678
lifehack (a variation of one of the site names)
qwerty
abc123
111111
monkey
consumer
12345
0
letmein
trustno1 (Fox Mulder's password on "The X Files," and he should have known better.)

The WSJ has the top 50 passwords from this latest hack, and a detailed analysis.

Security experts recommend people use "strong" passwords, generally defined to be randomized strings of letters, numbers and symbols, with some letters capitalized, not based on any words with personal significance (don't use your dog's name or child's college name, for example). And they also recommend that you have a different password for every site that requires one, change them often, and never write them down.

Most ordinary people find this advice to be laughably unrealistic -- creating and, more importantly, remembering a couple dozen such strong passwords without writing them down is pretty much impossible. (And for sites where the access is needed only to read and comment on articles, with no payment or personal information stored, many people think complex passwords are superfluous.)

But when we asked our readers, after reporting on the rockyou hack, for tips, we got a few really good ones. Among them:

  • Open a favorite book to a random page and find a phrase. The phrase becomes the password. You can write down the page and line number safely -- it will look like "73 14," and it's doubtful anybody will know what it means. If someone does figure it out, they'd still have to guess which book.
  • Memorize your finger movements when you create the password. When you change it, start on a different first key but make the same movements. You end up with a new, unguessable password already stored in your muscle memory.
  • Combine meaningful phrases and dates with other symbols and codes. One reader told us: "I went to Disney World in 1996, so I start with '96DIsneyworld' (using uppercase for the first two letters). I precede that with two special characters that I always keep the same. Then I precede that with the first letter again in lowercase. That gives me 'd,,96DIsneyworld.' To avoid using the very same password on all my various accounts, for each one I add a lowercase letter just after the digits that represents the system to me (e.g. 't' for the Timesheet system, 'e' for e-mail). This would give me 'd,,96tDIsneyworld' for my Timesheet password."
  • E. Miller of Portland, Ore., recommended making passwords out of stories. "'I walked down Bourbon Street with Sarah in 1992' can be 'bourbon1992Sarah' or many other variations."
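As an added example (not from the article, the WSJ analysis, or the readers quoted above), here is a registration-time screen that flags the patterns the Gawker dump exposed: the listed top passwords, site-name variants like "lifehack", runs of sequential digits, and repeated characters, plus the length and character-mix rules in the "strong password" definition. The denylist is only the passwords the article names, not the WSJ's full top 50, and the site names are assumed from the sites the article mentions.

```python
import re
from typing import List

# Constructed denylist: the most common Gawker passwords as listed in the article.
GAWKER_TOP_PASSWORDS = {
    "123456", "password", "12345678", "lifehack", "qwerty", "abc123",
    "111111", "monkey", "consumer", "12345", "0", "letmein", "trustno1",
}

# Assumed from the article: the sites whose names show up inside passwords.
SITE_NAMES = ("gawker", "gizmodo", "lifehacker", "lifehack")

# Character classes a "strong" password should mix (article's definition).
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def _is_sequential_digits(s: str) -> bool:
    """True for all-digit runs that step by exactly 1, e.g. 12345 or 87654."""
    if len(s) < 4 or not s.isdigit():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def weak_password_reasons(pw: str) -> List[str]:
    """Return every weak pattern the candidate matches; empty means none hit."""
    low = pw.lower()
    reasons = []
    if low in GAWKER_TOP_PASSWORDS:
        reasons.append("in leaked top list")
    if any(name in low for name in SITE_NAMES):
        reasons.append("contains site name")
    if _is_sequential_digits(pw):
        reasons.append("sequential digits")
    if len(pw) >= 4 and len(set(pw)) == 1:
        reasons.append("single repeated character")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if sum(re.search(p, pw) is not None for p in CLASS_PATTERNS) < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def is_weak(pw: str) -> bool:
    return bool(weak_password_reasons(pw))


if __name__ == "__main__":
    # The reader-suggested passwords above pass; the dump's favourites do not.
    for candidate in ("123456", "lifehack", "d,,96tDIsneyworld", "bourbon1992Sarah"):
        print(candidate, "->", weak_password_reasons(candidate) or "ok")
```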

About the Author

Technology journalist Michael Hardy is a former FCW editor.
