A number of large Internet companies have begun rolling out password reset procedures for potentially millions of users following the hack of Gawker Media.
Amazon, Twitter, LinkedIn, Yahoo and the online game World of Warcraft have sent out millions of emails prompting their users to change their passwords. The action follows the compromise of Gawker Media’s database, which exposed the passwords of a large number of users of the firm’s popular sites, including Gizmodo and Lifehacker.
Despite the supposedly tech-savvy readership of Gawker’s web sites, the password 123456 was the most popular, with over 3,000 instances among the 188,000 passwords that were decrypted. Other trivially guessable passwords such as ‘password’, ‘qwerty’ and ‘letmein’ also ranked highly.
The release raised concern that users had reused the same weak passwords on other sites, with reports already emerging of hijacked Twitter and Facebook accounts as a result of the compromised Gawker data.
However, the sorts of passwords disclosed are already well known to attackers and feature prominently in the dictionaries used in brute-force attacks against common passwords. The disturbing tendency of Internet users not only to choose weak passwords but then to recycle them across multiple sites makes such users a tempting target.
It is a simple matter for online companies to check their own users’ passwords against similar dictionaries and, where a match is found, automatically trigger a password reset, which is exactly what firms such as Amazon and LinkedIn have begun doing.
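The check described above can be applied at two points: when a user chooses a password (reject it if it is in a known-weak dictionary, including trivial variants such as a capital letter or a trailing digit), and as a one-off audit of an existing credential store, where each dictionary word has to be re-hashed with every user's own salt before it can be compared. The following is an added example written for this article, not code from Gawker, Amazon, LinkedIn or any other company named here. The dictionary is a constructed stand-in for a real brute-force wordlist (its first four entries are the passwords the article names), the credential store and its fixed salts are constructed so the result is reproducible, and the PBKDF2 iteration count is deliberately low so the audit runs instantly; the function and variable names are assumptions for illustration.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Constructed, illustrative dictionary of commonly leaked passwords. The first
# four are the ones named in the article; the rest stand in for the many
# thousands of entries a real brute-force wordlist would contain.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "letmein", "abc123", "111111"]


def normalise(password: str) -> str:
    """Fold case and drop a trailing run of digits so that 'Password1' and
    'PASSWORD' are recognised as variants of the dictionary word 'password'.
    An all-digit password is returned unchanged rather than emptied."""
    lowered = password.lower()
    stripped = lowered.rstrip("0123456789")
    return stripped if stripped else lowered


def is_weak(password: str, dictionary=WEAK_PASSWORDS) -> bool:
    """Registration/reset-time check: reject a password that appears in the
    dictionary either exactly or after normalisation."""
    dictionary_norm = {normalise(word) for word in dictionary}
    return password in dictionary or normalise(password) in dictionary_norm


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The iteration count is kept low here only so
    the example runs instantly; production systems use a far higher count or a
    memory-hard KDF such as scrypt or Argon2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 1000)


def build_sample_store() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed credential store: username -> (salt, stored hash).
    Salts are fixed here for reproducibility; use os.urandom(16) in practice."""
    sample = {
        "alice": "123456",                        # dictionary word, should be flagged
        "bob": "correct horse battery staple",    # not in the dictionary
        "carol": "letmein",                       # dictionary word, should be flagged
    }
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for index, (username, password) in enumerate(sample.items()):
        salt = bytes([index + 1]) * 16            # constructed salt
        store[username] = (salt, hash_password(password, salt))
    return store


def audit_existing_users(store: Dict[str, Tuple[bytes, bytes]],
                         dictionary=WEAK_PASSWORDS) -> List[str]:
    """Server-side audit of already-stored credentials. Because the hashes are
    salted there is no shortcut: each dictionary word is re-hashed under each
    user's salt and compared in constant time. Returns the usernames whose
    stored hash matches a dictionary word, i.e. the accounts for which a
    forced password reset should be triggered."""
    flagged: List[str] = []
    for username, (salt, stored_hash) in store.items():
        for word in dictionary:
            if secrets.compare_digest(hash_password(word, salt), stored_hash):
                flagged.append(username)
                break
    return flagged


if __name__ == "__main__":
    for candidate in ["Password1", "QWERTY", "correct horse battery staple"]:
        print(f"{candidate!r}: {'rejected' if is_weak(candidate) else 'accepted'}")
    print("accounts needing a forced reset:", audit_existing_users(build_sample_store()))
```

The audit cost is the size of the dictionary multiplied by the number of users multiplied by one KDF evaluation, which is exactly the work an attacker with the database would have to do; a site that runs it against its own store is simply reaching the weak accounts before the attacker does. The enrolment-time check is cheap by comparison and stops the weak password from being stored at all.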
The Wall Street Journal’s Digits Blog published a list of the most popular passwords among Gawker users. It makes for shocking reading.