> A plurality of Gawker Media passwords are six characters long
A plurality of brute forced Gawker Media passwords are six characters long. Maybe this statistic is valid for all 1.5 million passwords, but that's quite a lot of extrapolation. Taking the easiest 10% of passwords to brute force and basing the data off that?
They mention this fact on the paragraph prior, and then seem to forget about it: "In both cases, the datasets only include passwords that could be decoded and aren’t necessarily representive [sic] of all users."
I'm not sure this even matters. Gawker accounts are for commenting on inane media stories. If people used the same password for their email, that's one thing, but I wouldn't be surprised if most had a harder password for their email, and resorted to 123456 etc. for less important accounts.
I wouldn't be surprised if most had a harder password for their email
If we were talking about Hacker News, or other programmer-oriented website, then I'd be inclined to agree. Unfortunately, Gawker is all about lowest-common-denominator fluff, and so attracts a lot of (for lack of better term, and please don't mistake this for hubris) "normal people." Normal people don't give nearly as much consideration to these matters as we do, and I'd expect a good majority of these people use the same password (or two) for damn near everything.
It's not uncommon for even technical people to reuse the same low-level passwords across multiple sites[1], but where we understand the importance of our email accounts as being a master key, regular folk aren't always so knowledgeable.
The 3000 who used 123456 might be outliers. The real danger of this leak is in those who didn't think of Gawker as being a less important account and therefore undeserving of their primary password.
I got that as well. I'm certain my email isn't in the dump (downloaded the torrent to double- and triple-check).
I thought is was strange they used a URL shortener with an uncommon TLD (.kr) to point to the FAQ lifehacker. Seems you'd want to be as unsuspicious as possible in this situation.
18 comments
[ 3.6 ms ] story [ 58.0 ms ] threadEDIT: I just looked at the dataset and about half of them list NULL as the password. ~3000/748,495 = ~.4%
A plurality of brute forced Gawker Media passwords are six characters long. Maybe this statistic is valid for all 1.5 million passwords, but that's quite a lot of extrapolation. Taking the easiest 10% of passwords to brute force and basing the data off that?
They mention this fact on the paragraph prior, and then seem to forget about it: "In both cases, the datasets only include passwords that could be decoded and aren’t necessarily representive [sic] of all users."
If we were talking about Hacker News, or other programmer-oriented website, then I'd be inclined to agree. Unfortunately, Gawker is all about lowest-common-denominator fluff, and so attracts a lot of (for lack of better term, and please don't mistake this for hubris) "normal people." Normal people don't give nearly as much consideration to these matters as we do, and I'd expect a good majority of these people use the same password (or two) for damn near everything.
It's not uncommon for even technical people to reuse the same low-level passwords across multiple sites[1], but where we understand the importance of our email accounts as being a master key, regular folk aren't always so knowledgeable.
[1] http://www.codinghorror.com/blog/2009/05/i-just-logged-in-as...
The 3000 who used 123456 might be outliers. The real danger of this leak is in those who didn't think of Gawker as being a less important account and therefore undeserving of their primary password.
Also, why are Jennifer and Michelle the first female names on the list? Are they just the most common names for women?
And is there a story to "monkey"?
I think 'monkey' has always been a top ten password, not just for Gawker users, but I have no idea why.
http://modernl.com/article/top-10-most-common-passwords (2006)
Both were phishing emails that pointed to a domain in China and another in India. These guys move fast
Although I don't believe my email address was in the dump.
I thought is was strange they used a URL shortener with an uncommon TLD (.kr) to point to the FAQ lifehacker. Seems you'd want to be as unsuspicious as possible in this situation.
I didn't find it myself with grep, but I did find it using this utility: http://news.ycombinator.com/item?id=1999373