Trustwave researchers say that the company did a poor job of encrypting the passwords

Jun 26, 2012 13:16 GMT  ·  By

Trustwave researchers have analyzed the 1.5 million passwords leaked by hackers after compromising eHarmony’s database. The results are in and they’re certainly interesting.

The first observation made by the experts is that eHarmony has made a lot of mistakes regarding the encryption of passwords.

The company not only encrypted them using the outdated MD5 algorithm, but before doing so, it also converted all lowercase characters into uppercase. This made the passwords much easier to decrypt.

So, let’s take a look at the figures.

1,513,935 password hashes have been leaked, 1,215,846 of which have been cracked in around 72 hours with the aid of a custom system and software, such as oclHashcat and John the Ripper.

As it turns out, 23% of them were made of 7 characters, 0,5% (5779) of 14 characters and only 378 of 15 characters.

The length of a password is important, but not as important as the characters it’s made of and the numbers show that users still aren’t accustomed to using special symbols.

On the bright side, 57% of customers at least utilized both letters and digits. However, 41% of the passwords were formed only of letters and just over 600 people used special characters in combination with digits and letters.

Now comes the interesting part. Around 4% of the passwords contained the top 100 baby boy names of the year 2011 and 2% contained the top 100 baby girl names of the same year.

Dog names, dates, NFL, MLB, and NHL team names, city names and curse words were also found to be popular.

Surprisingly, only 240 of the passwords were “password.” On the other hand, the word “love” showed up in 10,690 passwords, which isn’t something out of the ordinary, considering that eHarmony is a dating site.

Other interesting base words used by many were “dog”, “1234”, “luv”, “God”, “angel”, “lover” and “Jesus.”

“The eHarmony dump is just further proof that organizations need to not only store passwords in stronger, salted formats than was previously acceptable, but also need to enforce stronger case-sensitive password policies,” Trustwave’s Mike Kelly explained.

“Users, as a whole, still do not understand the need for strong passwords, and will continue to set passwords that meet only the minimum requirements,” he concluded.