I personally use 'password' for my password on sites like Gawker, where I'm being forced to create an account I don't care about. Using 'password' for my password is my note to myself that this is a junk account that I have no interest in. I just don't care if somebody accesses it, period.

I suspect that others do the same thing, and little weight should be given to the strength of passwords recovered from a site such as this.
The list is basically identical to every "most common passwords" leak that's come out since the beginning of the web. Even "monkey", which the author seems to think is a quirk of the Gawker community, is known to frequently be a top 20 password.
This led me to a question about DES. If no salt is provided it uses a static or default two character salt. In the Gawker leak, the first two characters of the stored hash were the default salt. How is that two character default derived?
The takeaway here? If you want to "hack" into sites like these, you're virtually guaranteed to succeed by picking a few random usernames, and trying some combination of "123456", "password", "12345678", site name, and "qwerty" for password.

I think it's time for someone to come up with a radically better authentication mechanism.
I am personally surprised by the number of proper names on there. Jennifer, Jordan, Michelle, Micheal. I know these are pretty common names (Jordan?) but when you figure the percentage of the population that would have these names, then the percentage of those that would use their name as a password (assuming they are using their name, and not for some other reason) then it's surprising that so many would make a top 50 list.
This is actually a pretty good analysis by the mainstream press. While the information is well-known to the point of being common sense for us, for readers of the WSJ it will likely be a learning experience.