Board: Bitcoin Discussion
Re: [ATTN] Clarification of Mt Gox Compromised Accounts and Major Bitcoin Sell-Off
by vectorvictor on 02/07/2011, 06:32:31 UTC

Has anybody checked whether jed's password was one that's been publicly leaked yet? I'm interested in how strong it was...

There is some indication that the password file was stolen more than two weeks before the break-in.  At least one person has said that their (cracked and exposed) password was in effect 17 days prior.  The hacker(s) apparently had lots of time to break many passwords.

I've found four sets of cracked passwords from the master list so far.  Two of the files were made by some *serious* crackers, with each file having over 3000 cracked passwords.


The user jed (user #1) was _not_ among the cracked passwords that I've seen so far.

There were no users with a @mtgox.com email address among the cracked passwords so far.

The user mewantsbitcoins was _not_ among the cracked passwords so far.

All of those passwords must have been reasonably strong, at minimum.


Many of the passwords that *have* been cracked look pretty damn strong.  Like, 14 characters long with alpha/numeric/symbol and no obvious patterns or weaknesses.  Scads of them are 12 characters long.  It's pretty scary, actually.

People: you really need to re-think what it means to have a strong password these days.  A billion attempts per second really adds up.  The cracking programs aren't just picking sequentially -- they are clever.  For example, if you think Leet-speak (e.g. subbing @ for a, 3 for E, and so on) is smart, you're wrong -- the good cracking programs try all of those variations as alternate spellings of words or partial words.  If you think an arcane non-word and keyboard pattern is smart, you're wrong -- trogdor321!!!~ was much easier than some of the other passwords that have been cracked... (it was Strong Bad :)

It's time to move over to strong *pass phrases* -- several unrelated words strung together.  Go to a place like diceware.com and get some serious entropy on your side.  Or use a password manager and generator like 1Password, LastPass, KeePass, etc.

Humans are humans, and it will always be the case that most passwords are way too weak.  The question is whether you want to be part of the herd.
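The post's point is that "14 characters with mixed classes" overstates the strength of something like trogdor321!!!~, because a rule-based cracker only has to guess a dictionary word, a leet mask and some decoration. The script below is an added example (mine, not vectorvictor's and not any cracker's code) that puts numbers on that argument from the defender's side: it contrasts the naive length-times-charset estimate with a rule-based estimate that credits an embedded dictionary word with only log2(wordlist size) bits plus one bit per leet-able letter, converts both to time-to-crack at the post's billion guesses per second, and computes the entropy of a Diceware-style passphrase. The tiny DEMO_WORDS list, the 100,000-word attacker dictionary size and the leet table are constructed assumptions; the rule-based figure is still an upper bound, since real rule sets also enumerate suffixes like "321" or "!!!" directly.

```python
"""Naive vs. rule-based password entropy, plus Diceware passphrase entropy.

Added illustration; wordlists, leet table and dictionary size are assumptions.
"""
import math
import secrets
import string

# Constructed demo dictionary; a real checker loads a large wordlist.
DEMO_WORDS = ["password", "bitcoin", "trogdor", "dragon", "monkey", "letmein", "welcome"]
# Assumed size of the attacker's wordlist: a dictionary word is worth log2(this) bits.
ASSUMED_DICT_SIZE = 100_000
# Reverse mapping of common leet substitutions (assumption: typical cracker rule set).
LEET_MAP = {"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"}
LEETABLE = set(LEET_MAP.values())  # letters the cracker will try in both spellings
GUESSES_PER_SECOND = 1e9  # "a billion attempts per second", from the post


def unleet(text):
    """Normalise leet-speak so 'tr0gd0r' and 'trogdor' compare equal."""
    return "".join(LEET_MAP.get(ch, ch) for ch in text.lower())


def find_dictionary_word(password, wordlist=DEMO_WORDS):
    """Return the longest wordlist entry embedded in the leet-normalised password, or None."""
    norm = unleet(password)
    hits = [w for w in wordlist if len(w) >= 4 and w in norm]
    return max(hits, key=len) if hits else None


def charset_size(password):
    """Size of the union of standard character classes present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def naive_bits(password):
    """The length-times-charset rule of thumb: treats every character as uniformly random."""
    return len(password) * math.log2(charset_size(password))


def class_bits(ch):
    """Entropy credited to one decoration character, by its class."""
    if ch.isalpha():
        return math.log2(26)
    if ch.isdigit():
        return math.log2(10)
    return math.log2(len(string.punctuation))


def rule_based_bits(password, wordlist=DEMO_WORDS, dict_size=ASSUMED_DICT_SIZE):
    """Model a dictionary-plus-rules attack: the embedded word costs log2(dict_size) bits
    plus one bit per leet-able letter; only the decoration around it keeps class entropy."""
    word = find_dictionary_word(password, wordlist)
    if word is None:
        return naive_bits(password)  # no word found: fall back to the naive figure
    norm = unleet(password)
    start = norm.find(word)
    end = start + len(word)
    bits = math.log2(dict_size) + sum(1 for c in word if c in LEETABLE)
    decoration = password[:start] + password[end:]
    return bits + sum(class_bits(c) for c in decoration)


def seconds_to_crack(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: half the keyspace at the given guess rate."""
    return (2 ** bits) / 2 / rate


def diceware_bits(n_words, list_size=7776):
    """Entropy of n words drawn uniformly from a list (7776 = 6^5 for Diceware)."""
    return n_words * math.log2(list_size)


def make_passphrase(n_words, wordlist):
    """Draw words with the OS CSPRNG; entropy is n_words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["trogdor321!!!~", "Tr0gd0r!", "W4ter-Dr4gon9"]:
        rb = rule_based_bits(pw)
        print(f"{pw!r}: naive {naive_bits(pw):.1f} bits, rule-based {rb:.1f} bits, "
              f"~{seconds_to_crack(rb) / 86400:.1f} days at 1e9 guesses/s")
    for n in (5, 6):
        print(f"{n} Diceware words: {diceware_bits(n):.1f} bits, "
              f"~{seconds_to_crack(diceware_bits(n)) / (86400 * 365):.0f} years at 1e9 guesses/s")
    print("demo passphrase:", make_passphrase(4, DEMO_WORDS))
```

Running it shows trogdor321!!!~ dropping from about 85 naive bits to under 50 under the rule-based model (days at a billion guesses per second), while five Diceware words sit at about 65 bits with no dictionary shortcut to take, which is the gap the post is pointing at.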