Of the things we have learned from the News International (NI) hacking scandal, one is how not to choose a password.

Yesterday, the hacking group LulzSec gained access to NI servers and redirected the website of The Sun newspaper to a fake news story claiming proprietor Rupert Murdoch had been found dead. The group also released email and password details for a number of NI staff, including former CEO Rebekah Brooks.

The group gained access to NI servers via new-times.co.uk, a now defunct website that was active when The Times newspaper was moving to its new paywalled site. British newspaper The Guardian suggests LulzSec used a weakness in this site to upload a “local file inclusion” script, allowing the hackers to take control of the server and access the NI network. In response, NI blocked its employees from accessing its network remotely, and required them to reset their passwords.

Sabu, the key LulzSec figure interviewed by New Scientist, tweeted what appear to be the login details for Brooks’s email account when she was editor of The Sun, and known as Rebekah Wade. The password given was 63000, which is the number of The Sun‘s text message tipline and is prominently displayed on the newspaper’s website.

LulzSec cracked the passwords because they were poorly encrypted – stored as an MD5 hash, a cryptographic algorithm that the US Department of Homeland Security has dubbed “broken and unsuitable for further use”. When encrypting data this is combined with another value, called the salt, which should be random but in this case seems to have been rather easy to guess: “rebekah”.