{"id":4491,"date":"2015-01-22T10:00:18","date_gmt":"2015-01-22T15:00:18","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=4491"},"modified":"2020-02-26T18:59:32","modified_gmt":"2020-02-26T14:59:32","slug":"25-worst-passwords-2014","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/25-worst-passwords-2014\/4491\/","title":{"rendered":"Remember the Gawker Media Password Breach of 2010?"},"content":{"rendered":"<p>Gizmodo published a list of the most popular passwords of 2014, smugly deriding \u201cthose morons\u201d who deploy poorly conceived credentials. Ironically, it may bear reminding that Gizmodo is owned by Gawker Media, who became the poster-child for poor password management in 2010 when attackers compromised the networks of Gawker, and decrypted nearly 200,000 terrible passwords. Wouldn\u2019t it be an interesting exercise to compare the object of Gizmodo\u2019s current scorn with its readership circa 2010?<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/01\/05111821\/passwords-1-1024x768.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7240\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/01\/05111821\/passwords-1-1024x768.png\" alt=\"passwords\" width=\"1067\" height=\"800\"><\/a><\/p>\n<p>Interestingly, 16 of the 25 passwords on this year\u2019s list of popular (<a href=\"https:\/\/www.kaspersky.com\/blog\/false-perception-of-it-security-passwords\/\" target=\"_blank\" rel=\"noopener nofollow\">and therefore ineffective<\/a>) passwords were also on the list of the most commonly used passwords from the Gawker data breach in 2010. If we look at the top 50 common passwords revealed in the Gawker breach, there are only four new passwords that aren\u2019t included on both lists. 
So if your password is \u201caccess\u201d or \u201cmustang\u201d or the hilariously puerile \u201c696969\u201d, then you\u2019re actually doing a better job than most people.<\/p>\n<p>The list itself is an aggregation of credential-containing data leaks from the year,\u00a0<a href=\"http:\/\/splashdata.com\/press\/worst-passwords-of-2014.htm\" target=\"_blank\" rel=\"noopener nofollow\">put together by the security firm SplashData<\/a>. As you can see below, SplashData puts one of these lists together each year and notes movement up, down, and onto the list next to each password. 
I have put an asterisk next to any password that also showed up in the top 50 of Gawker\u2019s passwords.<\/p>\n<ol>\n<li>123456 (No change)*<\/li>\n<li>password (No change)*<\/li>\n<li>12345 (up 17)*<\/li>\n<li>12345678 (down one)*<\/li>\n<li>qwerty (down one)*<\/li>\n<li>123456789 (no change)<\/li>\n<li>1234 (up nine)*<\/li>\n<li>baseball (new)*<\/li>\n<li>dragon (new)*<\/li>\n<li>football (new)*<\/li>\n<li>1234567 (down four)*<\/li>\n<li>monkey (up five)*<\/li>\n<li>letmein (up one)*<\/li>\n<li>abc123 (down nine)*<\/li>\n<li>111111 (down eight)*<\/li>\n<li>mustang (new)<\/li>\n<li>access (new)<\/li>\n<li>shadow (unchanged)*<\/li>\n<li>master (new)*<\/li>\n<li>michael (new)*<\/li>\n<li>superman (new)*<\/li>\n<li>696969 (new)<\/li>\n<li>123123 (down 12)*<\/li>\n<li>batman (new)*<\/li>\n<li>trustno1 (down 1)*<\/li>\n<\/ol>\n<p>It\u2019s interesting that 80 percent of the passwords listed as \u201cnew\u201d were actually in the top fifty Gawker passwords more than four years ago. It\u2019s also interesting that \u201c123456789\u201d is not new to SplashData\u2019s list, but it did not appear in <a href=\"http:\/\/blogs.wsj.com\/digits\/2010\/12\/13\/the-top-50-gawker-media-passwords\/\" target=\"_blank\" rel=\"noopener nofollow\">the infamous Gawker top 50<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">The 25 most popular passwords of 2014 are a reminder that we're all morons: <a href=\"http:\/\/t.co\/uIT1t3dYRG\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/uIT1t3dYRG<\/a> <a href=\"http:\/\/t.co\/JhDByxjWep\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/JhDByxjWep<\/a><\/p>\n<p>\u2014 Gizmodo (@Gizmodo) <a href=\"https:\/\/twitter.com\/Gizmodo\/status\/557525007119970304?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">January 20, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" 
charset=\"utf-8\"><\/script><\/p>\n<p>To be fair, Gawker\u2019s spilled passwords were encrypted. It just so happens that 188,000 of them were so ill-conceived as to be easily decrypted based on their <a href=\"https:\/\/www.kaspersky.com\/blog\/the-wonders-of-hashing\/\" target=\"_blank\" rel=\"noopener nofollow\">hashes<\/a>. Encrypting password stores is sort of a bare-minimum security requirement. What we learned from the Gawker hack is that even the supposedly tech-savvy among us are bad at password management.<\/p>\n<p>The moral of this story is neither new nor particularly revelatory: People are despairingly bad at passwords. More broadly, people are despairingly bad at security as a whole. This is why the tech and security industries need to take matters into their own hands. You can\u2019t blame users for data breaches like the ones that inspired this list or led to <a href=\"https:\/\/www.kaspersky.com\/blog\/misunderstanding_the_cloud\/\" target=\"_blank\" rel=\"noopener nofollow\">the leaking of thousands of intimate celebrity photos<\/a>.<\/p>\n<p>I can tell you and, in fact, I have told you <a href=\"https:\/\/www.kaspersky.com\/blog\/remember-strong-passwords\/\" target=\"_blank\" rel=\"noopener nofollow\">how to create a strong and memorable password<\/a>. It\u2019s really not rocket science. Everyone pretty much understands what makes a good password. 
The reality is that we know the risks associated with poor passwords and we scoff at them; we know how to make good passwords, but we are too lazy to manage various unique passwords across as many logins.<\/p>\n<p>This is why efforts like \u201c<a href=\"https:\/\/www.kaspersky.com\/blog\/twitter-digits-new-authentication\/\" target=\"_blank\" rel=\"noopener nofollow\">Digits<\/a>\u201d by Twitter and TouchID by Apple and other biometric or SMS-based or two-factor schemes are so promising. We know they aren\u2019t perfect, but they offer us the opportunity to experiment with new forms of authentication that could potentially usher us away from the most imperfect form of authentication: the password.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Comparing the worst passwords of 2014 with the infamous top 50 passwords from the Gawker Media breach in 2010.<\/p>\n","protected":false},"author":42,"featured_media":4492,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[896,872,895,187],"class_list":{"0":"post-4491","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-896","9":"tag-breach","10":"tag-password-breach","11":"tag-passwords"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/25-worst-passwords-2014\/4491\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/25-worst-passwords-2014\/4547\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/25-worst-passwords-2014\/5040\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/25-worst-passwords-2014\/6726\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/25-worst-passwords-2014\/7239\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/25-worst-passwords-2014\/6684\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/25-worst-passwords
-2014\/6726\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/25-worst-passwords-2014\/7239\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/25-worst-passwords-2014\/7239\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/123456\/","name":"123456"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4491"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4491\/revisions"}],"predecessor-version":[{"id":15971,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4491\/revisions\/15971"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/4492"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}