The Most Common Passwords Used For Logins Online
Most Common Passwords Used Online
A List of Common Passwords Used on Real Internet Hacked Accounts Logins
The Most Common Passwords Compile Sources Used In This Report
Some time ago (2009) … the Internet was 'taken by surprise' when a well known bulletin board script's home website was hacked:
- phpBB.com website hacked
(through a vulnerability in an outdated version of a third-party script called PHPList, almost 29.000 accounts were exposed)
As a result, the hackers were able to harvest a list of phpBB users emails and passwords.
This was not unprecedented, as in fact another list of passwords was harvested back in 2006 from MySpace, by some people who used a classical phishing scheme, simply making a copy of MySpace on a different server and waiting for users to login (thus getting their login credentials):
- MySpace phishing attack
(resulting in 34,000 – or even over 47.000 according to other sources – actual user names and passwords)
Warning: I have noticed a very similar trend lately on Skype (August 2010), where recently some Skype accounts were hacked too, then used to send links to all the hacked user's contacts requesting them to login into a phishing copy of Skype's login page to get hold of even more accounts and so forth…
- Skype phishing attack
(similar but with no disclosed reports yet as of how many have been actually hacked)
The above was not used as a Most Common Passwords resource though, due to lack of detailed info…
Last one to be mentioned, is a Christian dating website, whose database was hacked back in 2009:
- db.Singles.org hack
(based on a major security flaw that allowed a group called 4chan to get access – at least partially – to the over 40.000 users accounts and passwords; as the stated claimed number of members on that site was…)
The website used querystring parameters to identify a user and the mode the page displayed in yet allowing it to be put it in edit mode without having to be authenticated.
Further down there are a few thoughts regarding the dangers posed by these few (only the known ones) events, but before that, let's see which was the most used password in these lists?
In my opinion the winner is "123456", closely followed by "password" and their derivatives! But, read on…
Looks like people just don't get it … right?..
I mean … the password distribution analysis that follows shows how ridiculously simple to hack passwords are still used nowadays…
Most Commonly Used Passwords Analysis by Comparison
I won't pretend I ran this password patterns analysis by myself. On the contrary, I aggregated data from several known sources as you could see above. There is a non-exhaustive list of them listed at the bottom of the post though … if you want to read more in depth about all these – but generally the articles are very techie and won't help so much the average Internet user.
I have decided to tell you the story in plain English and simple tables, to see for yourself (an image is better than 1.000 words) – let me show you here a comparison table:
To obtain the lists of most common passwords used on each of the three hacked services shown in the table results above, the study author (Jimmy Ruska) used a total of 116.782 hacked passwords lists in his research, as follows:
- MySpace – 47.380 Phishing Login Passwords
- phpBB.com – 28.644 Hacked Account Passwords
- Singles.org – 40.758 Unsecured Plain Text Account Emails Passwords
… although not all of them 'have made it' to the combined lists of
top 20 most common passwords … however,
the results are definitely interesting to analyze.
There are a number of differences derived both from the way these were obtained:
- In the case of the phishing MySpace attacks, some of the users may still have recognized the attempt and could have input fake info, probably more 'vicious' than their real credentials would have been,
- While the other two are definitely extracted from the databases
on the one hand…
…but also due to the website's specificity and/or demographics
on the other hand:
- Singles.org being a Christian dating site, the occurrences of 'emo' and 'biblical' words is much higher, even the 'password' password is pushed one level down by the word 'jesus' – although I suspect in this case it is just another (twisted) variation of using the website's name (instead of 'christian', 'jesus' in this instance, while the others have their own: 'phpbb' and 'myspace1' where we notice the addition of a trailing '1' just because the signup requires a password containing at least one digit)
- MySpace is mainly a teenager's site, hence many of the passwords have something related to teenagers interests, such as sex, love, sports etc…
- phpBB being a forum, it is debatable how strong the passwords are from the start; it is notorious that on such websites, many users just throw some dump credentials in order to get access to tidbits of information otherwise locked out, but never plan to return there and keep the newly created profiles for future use – hence higher occurrences of numeric passwords, or test etc…
All in all, looking at all those commonly used passwords side-by-side, one cannot miss the pattern:
very, very weak security – so easy to guess passwords, that sometimes there is not even worth using a dedicated software to hack such accounts.
Most Common Passwords Letter Frequencies – "A SIN TO ERR"
A very interesting analysis may be conducted on each letter frequency in the most used passwords list.
For an in-depth analysis of the subject, I found a good starting point on this Wikipedia Letter frequencies article, but the said study took me two days to complete (the cryptography related topics are fascinating!) and I think I'd rather resume my findings for your convenience here.
In certain cryptographic techniques used by spies along the history, knowing the frequency of certain letters for a given language was a must.
For English, the most commonly used letters are, in order:
ETAON RISHD LFCMU GYPWB VKXJQ Z
Spies used the following mnemonic phrase to be able to easily recall these:
"A SIN TO ERR" (dropping the last 'R' we get the first 8 most used letters in the English Language, although not necessarily in that exact order…)
However, the first 12 are responsible for over 80% of the total usage, while the first 8 for about 65%…
Given this information, I was very curious about the letter frequencies distribution amongst the most commonly used passwords lists at hand. Analyzing the three lists above, I've got the following results:
You may observe that while the 8 most used letters in the English alphabet should be responsible for a total 65% of the general usage, the rate here is a bit lower (48% only)
But this is obviously due to the nature of the analysis, where the passwords lengths amongst the most used passwords comparison table were usually in the range of 6-8 characters, while the whole English dictionary would contain many longer (as well as shorter) words that would have added some 'meat' to the numbers… in any case, still consistent I'd say.
The obvious conclusions to be drawn from here would be, of course … try to use less frequent letters when you make your passwords folks!
Some more food for thought:
Most Commonly Used Passwords Lists Comparison Conclusions
The studies mentioned above, combined with yet a few others more, have made me draw the following conclusions:
Amongst the most frequently used passwords are simple to guess words or combinations like:
- '123456' or longer '12345678' and variations (like backwards: '654321' or crossed '159753' or '159357')
- variations of the user's firstname – over 16% of all cases!!!
- or the user's spouse or child's firstname,
- or other patterns on the keyboard, like 'qwerty' etc… HUGE … 14%!!!
- many times the user's birthdate
- or frequently names of things in the close vicinity (brand names like 'samsung' for instance, if their monitor would be of that type, etc…)
Even more in-depth analysis may be devised if we should add lazy behaviors of leaving the default usernames and passwords unchanged where they are available (usually exploited by hackers targeting hardware rather than software glitches, for instance routers factory default settings like user/pass combination of admin/admin < extremely frequent!)
While the security of one's passwords and logins are of the utmost importance, IMHO … there are people who would advocate selective passwords strengths for 'some' accounts while 'don't care' style on others…
I see a terrible danger in here!
The Common Passwords Used Multiple Times Threat
The hackers that would get hold of one of your less secure accounts credentials, may very well use those and try to login into other sites as well … and if you happened to use the same password more than once you'd be prone to see this spreading amongst all your profiles on the web, very soon…
Unfortunately this may end up with them getting hold of your main email account and from there there is just one more small step to your PayPal or other payment portals you are using, or your online banking credentials, etc…
For instance, the 4chan group used the login credentials they've got from the Singles.org database to access the same users' FaceBook or Twitter accounts, sending hate/racist or sex related messages to other people on those accounts' contact lists
They have been causing a great deal of embarrassment for the original owners when they were faced with strange accusations.
This happened because those people used the same usernames and logins for many different social networks accounts.
The only sensible thing to do is to use STRONG passwords all the time, different unique passwords for each website – never repeat one! I would also recommend not only to build STRONG passwords by making them longer or whatever, but by using a combination of uppercase with lowercase letters, special signs and digits wherever allowed, to obtain the maximum password strength possible…
If it seems too hard to implement – do not worry!
I found an automatic solution to help you achieve that easily.
I personally use RoboForm – and I have written an informative post about it (from the perspective of the ease of use more than security though … ) here:
I strongly encourage you to read that article too and download the RoboForm software as it is a free tool for most purposes …
… although I bought the Pro (paid) version that
suits other advanced uses too
(like automatically completing submission forms
for me whenever I join a memebership site,
like a GiveAway or other similar places
where there are lots of fields to fill)
The 500 most commonly used passwords list and other insights
The following download contains offensive language and words related to sex, hate, racism and more…
This material has been gathered exclusively from the input of real world users and public sources available on the Internet. These have been included solely to give you an insight into the minds of people using them.
I want to impress upon you that they have NOTHING to do with my own views, language, manners or mindset! If you would be upset by reviewing such offensive language and related words, I URGE you:
Please refrain yourself from downloading it!
That having been said … if you are interested to get a copy of the new report I'm preparing relative to the new Internet threats, security issues online and other interesting stuff, INCLUDING the whole table of 250 most commonly used passwords list that came up from the above analysis …
… PLUS (BONUS!!!) a list of the
TOP 500 most common passwords used online
- compiled by whatsmypass.com (a password recovery service) from the requests they've got …
The Godzilla Hack (over 32 million accounts from RockYou)
…Please signup for the notification list and
I'll make sure to send it to you ASAP
Preferably subscribe with a Gmail account
- highly recommended! –
to make sure you will be able to securely get
my message swiftly delivered to your Inbox!
IF you enjoyed "The Most Common Passwords Used For Logins Online" feel free to tweet about it, share on social networks like FaceBook, Digg, etc… and especially leave a comment below – Thank YOU!
"The Most Common Passwords Used For Logins Online" was compiled using the sources notified in the trackbacks.
There is a non-exhaustive bibliography included in the "TOP 500 Most Common Passwords Used Online FREE Report" as well…