After recently reporting on the cracking of over 11 million passwords from the Ashley Madison breach, we now have further details about those passwords. The "CynoSure Prime" team has published password statistics on its blog covering the 11.7 million passwords cracked to date. Keep in mind that these statistics describe only the 11.7 million password subset that the team was able to crack, so by definition these were the weaker passwords.
Of the overall 11,716,208 passwords revealed, there were a total of 4,867,246 unique passwords. The average length of a password was 6 characters, with the longest being 28 characters long and, amazingly, the shortest being 1 character.
Some of the longer passwords found were due to the user using either their email address or their lengthier username as their password. The team ran a scan against the entire 36 million user passwords and found that 630,000 had used their username as their password. However, due to limitations in their approach they believe the actual number could be much higher.
Dan Goodin, reporting at Ars Technica, completed some further analysis and detailed the top 10 passwords from the breach:
23456
12345
Password
DEFAULT
123456789
Qwerty
12345678
abc123
pussy
1234567
Most of these passwords are not unusual in this type of breach, as we have seen them time and time again. We reported last year that ‘123456’ was the worst password for 2013, overtaking ‘password’, which had topped the list in 2012.
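The statistics quoted above (total, unique, length range, most common values, and passwords that simply repeat the account's username or e-mail address) can be computed by any defender auditing credentials they are allowed to see in plaintext, for example at password-change time. The following is an added example, not code from CynoSure Prime or Ars Technica; the record layout, function names and sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample records (username, email, password); not data from the breach.
SAMPLE = [
    ("jsmith", "jsmith@example.com", "123456"),
    ("amber77", "amber@example.org", "amber77"),
    ("longusername1985", "lu@example.net", "LongUserName1985"),
    ("kate", "kate.doe@example.com", "kate.doe@example.com"),
    ("bob", "bob@example.com", "123456"),
    ("eve", "eve@example.com", "x"),
    ("mallory", "mal@example.com", "Password"),
]


def reuses_identifier(username, email, password):
    """True if the password equals the username, the e-mail address,
    or the e-mail local part, compared case-insensitively."""
    email_cf = email.casefold()
    candidates = {username.casefold(), email_cf, email_cf.split("@", 1)[0]}
    candidates.discard("")  # an empty identifier must never match
    return password.casefold() in candidates


def summarize(records, top_n=3):
    """Return the aggregate password statistics for (username, email, password) records."""
    passwords = [pw for _, _, pw in records]
    if not passwords:
        raise ValueError("no records to summarize")
    lengths = [len(pw) for pw in passwords]
    counts = Counter(passwords)
    return {
        "total": len(passwords),
        "unique": len(counts),
        "average_length": round(sum(lengths) / len(lengths), 1),
        "shortest": min(lengths),
        "longest": max(lengths),
        # Accounts whose password is just their own username or e-mail.
        "identifier_as_password": sum(
            reuses_identifier(u, e, p) for u, e, p in records
        ),
        "top": counts.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

The same `reuses_identifier` check can be applied when a user sets a password, so that a username or e-mail address is rejected before it is ever stored.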
Over on their blog, the CynoSure Prime team put together some interesting password lists from their results. Head over to the blog to check out the full list.
Those that are having doubts about using the site:
ishouldnotbedoingthis
ithinkilovemywife
thisiswrong
whatthehellamidoing
whyareyoudoingthis
cheatersneverprosper
donteventhinkaboutit
isthisreallyhappening
Passwords from xkcd (https://xkcd.com/936/):
batteryhorsestaple
correcthorsebatterystaple
Those who trusted AM:
youwillneverfindout
youwillnevergetthis
secretissafewithme
Source: CynoSure Prime via Ars Technica