Last Updated: 2011-02-14 16:39:00 UTC
by Richard Porter (Version: 3)
One of our readers sent in a link to a list of passwords stolen from rootkit.com (original link removed per reader request).
Dumps of large password databases, many of which are leaked from buggy web applications, have become quite common. We have said it before, and this is yet another reminder: DO NOT USE THE SAME PASSWORD ON DIFFERENT SITES.
rootkit.com is down right now, and I am not aware of any notification done by rootkit.com to affected users. Many of the leaked passwords have been shown to work for the respective Twitter and Google accounts, showing that the advice is often ignored. Two-factor authentication cannot come fast enough.
We can't really make up our mind on whether or not to publish the list of leaked passwords. On the one hand, the users that are affected need to know about them, on the other hand, the data may be considered "contraband". We may publish a list of md5 hashes only later which would probably present a compromise (people can still look up if their password is leaked).
Even if you didn't have an account with rootkit.com, please consider not using passwords that are on the list. These passwords will likely soon be added to everybody's favorite password cracking tools.
Another indication of heavy password reuse, here is a list of the top 10:
55 r00tk1t <- one piece of advice some people follow is to use a password derived from the site name. Not always a good idea. Maybe these people use 'g00gl3' to log into Google?
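To show the hash-only lookup the diary considers publishing, and the site-name-derived pattern behind the top entry, here is an added Python example (not ISC's code and not the rootkit.com list). The three sample MD5 hashes are constructed from passwords quoted in this post; the leetspeak table and the trailing-suffix rule are assumptions.

```python
import hashlib
import itertools

# Constructed stand-in for a hash-only leak list: MD5 of a few passwords
# mentioned in the diary. A real list would hold only the hex digests.
LEAKED_MD5 = {
    hashlib.md5(p.encode("utf-8")).hexdigest()
    for p in ("r00tk1t", "g00gl3", "password")
}

# Assumed letter-to-digit substitutions behind spellings like r00tk1t / g00gl3.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}
SUFFIX_CHARS = set("0123456789!@#$%^&*._-")


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_leaked(password: str, leaked_hashes=LEAKED_MD5) -> bool:
    """Check a password against a hash-only list; the plaintext never leaves
    this process and the list itself reveals no passwords directly."""
    return md5_hex(password) in leaked_hashes


def site_variants(site: str):
    """Yield every spelling of the site name with each letter either kept or
    replaced by its LEET digit (2^k variants for k substitutable letters)."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in site.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def derived_from_site(password: str, site: str) -> bool:
    """True if the password is a leetspeak spelling of the site name,
    optionally followed by digits or punctuation (e.g. 'r00tk1t2011')."""
    pw = password.lower()
    for variant in site_variants(site):
        tail = pw[len(variant):]
        if pw.startswith(variant) and all(ch in SUFFIX_CHARS for ch in tail):
            return True
    return False


def audit(password: str, site: str) -> list:
    """Return the reasons a password should not be used for the given site."""
    reasons = []
    if is_leaked(password):
        reasons.append("appears in leaked hash list")
    if derived_from_site(password, site):
        reasons.append("derived from site name")
    return reasons
```

`audit("r00tk1t", "rootkit")` reports both problems, while a password unrelated to the site and absent from the list returns an empty list.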
--- ISC Handler on Duty
(updated by Johannes Ullrich)