Ashley Madison Password Analysis – Most Common Weak Passwords

My buddy Aamir Lakhani and Keith Rayle wrote a funny post about research they did on decrypting Ashley Madison user passwords (original post found HERE). In summary, they took all the passwords that were released, decrypted the weak passwords and tallied up the top weak passwords used by Ashley Madison users. The results are pretty damn funny.

As the Ashley Madison storm continues unabated, although the truly damaging winds (for the time being, at least) seem to have diminished somewhat. Things are quieting down. This might simply be a lull in the storm before the data is digested and presented to the public in a more consumable format.

We need humor. Serious humor.

At this point is seems like a good time to look at the passwords used within the site. These snippets were trapped in the huge glob of data that included usernames, addresses, and other personal information within the site’s data.

So here it is – a quick (and non-scientific) analysis of the Ashley Madison passwords and the interesting trends and statistics contained therein.

Legal disclaimer: please keep in mind these passwords were encrypted, so it took a little bit of brute force to get the clear text passwords. This means I cannot 100% verify the accuracy the passwords.

The word ashley was used at least 8,793 times. Yes, the site’s first name was their password. Ashley Madison users selected the word madison as their password 5,219 times. So, they literally grasped at the second word they saw. Way smarter than the ones who opted out early and chose ashley.

At least 31,000 Ashley Madison users turned to using profanity in their passwords. Passwords including p***yf**kmef**kyou and a**hole were used a total of 31,000 times. A**hole in particular was used at least 5,052 times.

The password 111111 was used more than 7,048 times. You have to wonder how many of them input 11111, then 1111111 before getting it right with 6 of them.

Superman was used at least 5,023 times (note to self: change my Ashley Madison password. Oh…also select new secret identity).

The word password was used at least 39,448 times. Yup. Shake your heads and weep for our collective future as a security profession.

The word monkey was used more than 2,000 times as a password. That’s just weird to me.

The word hello was used 4,425 times. Too many puns….pun overload….well huh LO there you! Ah. Better now.

The word cheater was selected as a password by Ashley Madison users nearly 4,000 times. Surprisingly low, all things considered.

Hunter was used for password purposes at least 3,869 times. I didn’t find MonkeyHunter at all. More weirdness.

So what about our sports fans out there? Well, it seems good ol’ America won out hands down. 

  • Football was selected more than 7,800 times. It was the sports leader among extramarital cheating passwords.
  • Baseballcame in a very close second at 7,710 times.
  • Hockey was used as a password at least 4,191 times. Still in the North American neighborhood (for the most part).
  • Soccer was used as an Ashley Madison password 3,936 times. Does this say something about a lower international sports crowd on the site?

Site users opted for letmein as a password at least 4,140 times. The innuendo is simply killing me on that one.

The word shadow was used by Ashley Madison subscribers at least 3,831 times. OOOOOOH…..creeeeeeepy…..

Self-professed stallions selected mustang as a password at least 4,865 times.

Then there’s the all-time favorite default used as a password no fewer than 34,275 times. Ah, good old default. No security professional worth his or her salt won’t let that slip by without providing a spinning, exploding head.

So….the All-Time Winner?

Cue drumroll……..ladies and gentlemen………the most commonly used password……….envelope please….…

And we have a winner!!!!!!

Well…..winners….

With a total of 168,963 total uses (and still counting), the two passwords of 123456 and 12345 were our top scorers. I figure the cousins are close enough to share the top prize for this one.

So what have we learned today?

Cheaters never win. Well, when they get caught that is.

HOWEVER…winners (and security geeks) always use 16-character random passwords with upper and lower case letters, numbers, and special characters.

Special thanks to editor-in-chief Keith Rayle. Keith came up with the great commentary and analysis around these stats.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.