IE 11 is not supported. For an optimal experience visit our site on another browser.

Hacked eHarmony passwords invoke 'love' -- and security concern: analysis

eHarmony login page
msnbc.com

It makes sense that users of an online matchmaking service would use the word "love" in a password,  but it's not really the best choice. A recent analysis of 1.5 million hacked eHarmony passwords found that "love" was the most "common word in passwords" used by the service's subscribers, with "dog" not far behind.

"While the psychological meanings of these passwords are for the medical profession to decide, the security ramifications are clear," wrote Mike Kelly, security analyst for Trustwave, a security company that analyzed the passwords, hacked in a recent breach that also happened to users of LinkedIn and Last.fm Internet radio earlier this month.

"Perhaps most telling," Kelly wrote, was that the analysis "also revealed more than 99 percent of the passwords used had no special characters," such as "!" or "$," something that security experts often recommend including in passwords.

The good news? "Password," often the most common word in passwords, "was only found in 240 passwords," Kelly wrote. " 'Love' was found most often of all the words we checked, which is not surprising due to the fact that these are passwords from eHarmony users.  Also interesting to us, was that we found 'dog' more than twice as often as we found 'God.'  Would that hold true if this were a Christianmingle.com dump?"

Trustwave, in its blog posting, also took eHarmony to task for not using what it deemed to be a secure enough format for users' password storage.

A spokesperson for the matchmaking site told msnbc.com that eHarmony could not comment on Trustwave's findings.

"The security of our users is of the utmost importance to us," she said. But, "due to our ongoing investigation and cooperation with law enforcement authorities, we cannot comment on these specific points."

Trustwave said among the most "interesting" base words in eHarmony passwords it found were, in this order: Love, dog, 1234, luv, sex, God, angel, lover, 123456, Jesus, date, harmony, eHarmony, forever and — yep, "password."

"We found it interesting that we saw the Top 100 dogs names more often than the top 100 baby girl names" in passwords,  Kelly wrote. "Also, that National Football League teams were seen less than National Hockey League teams. Does this say anything about eHarmony demographics?"

Here's a percentage breakdown by Trustwave of hacked eHarmony passwords that include the following info:

Top 100 baby boy names of 2011 — 47,478 (4 percent)
Top 100 baby girl names of 2011  — 25,670 (2 percent)
Top 100 dog names of 2011  — 41,700 (3.5 percent)
Months of the Year (abbreviated)  — 26,358 (2 percent)
Days of the week (abbreviated)  — 12,492 (1 percent)
Years 2000 through 2012  — 13,143 (1 percent)
Top 25 worst passwords of 2011  — 4,894 (.5 percent)
National Football League team names  — 1,367 (0 percent)
Major League Baseball team names —  8,725 (1 percent)
National Hockey League team names  — 2,491 (.5 percent)
100 most populated U.S. cities  — 2,392 (0 percent)
100 most populated world cities  — 2,197 (0 percent)
Curse words  — 10,144 (1 percent)

Overall, while Trustwave said it saw "many patterns we expected, we also saw many more that surprised us." Wrote Kelly:

The eHarmony dump is just further proof that organizations need to not only store passwords in stronger, salted formats than was previously acceptable, but also need to enforce stronger case-sensitive password policies.  Users, as a whole, still do not understand the need for strong passwords, and will continue to set passwords that meet only the minimum requirements.

Check out Technolog, Gadgetbox, Digital Life and In-Game on Facebook, and on Twitter, follow Suzanne Choney.