Roboform Password Manager
Most Common Passwords Used Online
A List of Common Passwords Used on Real Hacked Internet Account Logins
The Sources Used to Compile the Most Common Passwords in This Report
Some time ago (2009) … the Internet was 'taken by surprise' when a well-known bulletin board script's home website was hacked:
- phpBB.com website hacked
(through a vulnerability in an outdated version of a third-party script called PHPList, almost 29.000 accounts were exposed)
As a result, the hackers were able to harvest a list of phpBB users emails and passwords.
This was not unprecedented: in fact, another list of passwords had been harvested back in 2006 from MySpace, by people using a classic phishing scheme, simply making a copy of MySpace on a different server and waiting for users to log in (thus capturing their login credentials):
- MySpace phishing attack
(resulting in 34,000 – or even over 47.000 according to other sources – actual user names and passwords)
Warning: I have noticed a very similar trend lately on Skype (August 2010): some Skype accounts were hacked, then used to send links to all of the hacked user's contacts, asking them to log in to a phishing copy of Skype's login page, so as to get hold of even more accounts, and so forth…
- Skype phishing attack
(similar, but with no disclosed reports yet as to how many accounts have actually been hacked)
The above was not used as a Most Common Passwords resource, though, due to the lack of detailed info…
The last one to be mentioned is a Christian dating website, whose database was hacked back in 2009:
- db.Singles.org hack
(based on a major security flaw that allowed a group called 4chan to get access – at least partially – to the over 40.000 user accounts and passwords; as the claimed number of members on that site was…)
The website used query-string parameters to identify the user and the mode the page was displayed in, yet it allowed the page to be put into edit mode without the user having to be authenticated.
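As an added illustration of the flaw just described (constructed example code, not the site's actual code): a profile page that takes both the user id and the display mode from the query string, next to a version that ties edit mode to the server-side session. The user store, the Request shape and the field names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

def fresh_users():
    """Constructed user store standing in for the site's database (sample data only)."""
    return {
        1: {"name": "alice", "email": "alice@example.invalid"},
        2: {"name": "bob", "email": "bob@example.invalid"},
    }

@dataclass
class Request:
    query: dict                          # parsed query string, e.g. {"uid": "2", "mode": "edit"}
    session_user: Optional[int] = None   # user id from the server-side session; None = not logged in
    form: dict = field(default_factory=dict)

EDITABLE = ("name", "email")             # the only fields a user may change on their own profile

def _requested_uid(req):
    raw = req.query.get("uid", "")
    return int(raw) if raw.isdigit() else None

def profile_vulnerable(req, users):
    """Both *who* and *which mode* come from the query string; nothing is verified."""
    user = users.get(_requested_uid(req))
    if user is None:
        return 404, {}
    if req.query.get("mode") == "edit":
        user.update(req.form)            # any visitor can edit any profile, any field
        return 200, user
    return 200, {"name": user["name"]}

def profile_fixed(req, users):
    """The query string may pick *which* profile; the session decides *who* may edit it."""
    uid = _requested_uid(req)
    user = users.get(uid)
    if user is None:
        return 404, {}
    if req.query.get("mode") == "edit":
        if req.session_user is None:
            return 401, {}               # not authenticated at all
        if req.session_user != uid:
            return 403, {}               # authenticated, but not the profile owner
        user.update({k: v for k, v in req.form.items() if k in EDITABLE})
        return 200, user
    return 200, {"name": user["name"]}   # the public view never exposes the e-mail
```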
Further down there are a few thoughts regarding the dangers posed by these few (only the known ones) events, but before that, let's see which was the most used password in these lists.
In my opinion the winner is "123456", closely followed by "password" and their derivatives! But, read on…
Looks like people just don't get it … right?
I mean … the password distribution analysis that follows shows how ridiculously simple-to-hack passwords are still used nowadays…
Most Commonly Used Passwords Analysis by Comparison
I won't pretend I ran this password patterns analysis by myself. On the contrary, I aggregated data from several known sources, as you can see above. There is a non-exhaustive list of them at the bottom of the post, though … if you want to read more in depth about all this – but generally the articles are very techie and won't help the average Internet user much.
I have decided to tell you the story in plain English and simple tables, so you can see for yourself (an image is better than 1.000 words) – let me show you here a comparison table:
To obtain the lists of most common passwords used on each of the three hacked services shown in the table above, the study author (Jimmy Ruska) used a total of 116.782 hacked passwords in his research, as follows:
- MySpace – 47.380 Phishing Login Passwords
- phpBB.com – 28.644 Hacked Account Passwords
- Singles.org – 40.758 Unsecured Plain Text Account Emails Passwords
… although not all of them 'have made it' to the combined lists of top 20 most common passwords … however, the results are definitely interesting to analyze.
There are a number of differences, derived from the way these were obtained:
- In the case of the MySpace phishing attacks, some of the users may still have recognized the attempt and entered fake info, probably more 'vicious' than their real credentials would have been,
- While the other two were definitely extracted from the databases,
on the one hand…
…but also due to the website's specificity and/or demographics
on the other hand:
- Singles.org being a Christian dating site, the occurrences of 'emo' and 'biblical' words are much higher; even the 'password' password is pushed one level down by the word 'jesus' – although I suspect in this case it is just another (twisted) variation of using the website's name (instead of 'christian', 'jesus' in this instance, while the others have their own: 'phpbb' and 'myspace1', where we notice the addition of a trailing '1' just because the signup requires a password containing at least one digit)
- MySpace is mainly a teenagers' site, hence many of the passwords have something to do with teenagers' interests, such as sex, love, sports etc…
- phpBB being a forum, it is debatable how strong the passwords are from the start; it is notorious that on such websites many users just throw in some dummy credentials in order to get access to tidbits of information otherwise locked away, but never plan to return there or keep the newly created profiles for future use – hence the higher occurrence of numeric passwords, or 'test', etc…
All in all, looking at all those commonly used passwords side by side, one cannot miss the pattern:
very, very weak security – passwords so easy to guess that sometimes it is not even worth using dedicated software to hack such accounts.
Most Common Passwords Letter Frequencies – "A SIN TO ERR"
A very interesting analysis may be conducted on the frequency of each letter in the most used passwords lists.
For an in-depth analysis of the subject, I found a good starting point in the Wikipedia Letter frequency article, but the said study took me two days to complete (cryptography-related topics are fascinating!) and I think I'd rather summarize my findings for your convenience here.
In certain cryptographic techniques used by spies throughout history, knowing the frequency of certain letters in a given language was a must.
For English, the most commonly used letters are, in order:
ETAON RISHD LFCMU GYPWB VKXJQ Z
Spies used the following mnemonic phrase to be able to easily recall these:
"A SIN TO ERR" (dropping the last 'R' we get the 8 most used letters in the English language, although not necessarily in that exact order…)
However, the first 12 are responsible for over 80% of the total usage, while the first 8 for about 65%…
Given this information, I was very curious about the letter frequency distribution amongst the most commonly used passwords lists at hand. Analyzing the three lists above, I got the following results:
You may observe that while the 8 most used letters in the English alphabet should account for a total of 65% of general usage, the rate here is a bit lower (48% only).
But this is obviously due to the nature of the analysis: the lengths of the passwords in the most used passwords comparison table were usually in the range of 6-8 characters, while the whole English dictionary contains many longer (as well as shorter) words that would have added some 'meat' to the numbers… in any case, still consistent, I'd say.
The obvious conclusion to be drawn from here would be, of course … try to use less frequent letters when you make your passwords, folks!
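The letter-frequency comparison above, repeated as an added example (my code, not the author's analysis) over a constructed sample list rather than the leaked lists: ENGLISH_ORDER follows the frequency order quoted above, and the sample passwords are made up for the example.

```python
from collections import Counter

# English letters in the frequency order quoted above; "A SIN TO ERR" (minus one R) is the first 8.
ENGLISH_ORDER = "ETAONRISHDLFCMUGYPWBVKXJQZ"
TOP8 = set(ENGLISH_ORDER[:8])
TOP12 = set(ENGLISH_ORDER[:12])

# Constructed sample mixing the password types the post describes (not one of the leaked lists).
SAMPLE_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "jesus", "phpbb", "myspace1",
    "letmein", "iloveyou", "abc123", "football", "princess", "samsung", "654321",
    "159753", "trustno1", "monkey", "michael", "baseball", "christian",
]

def letter_counts(passwords):
    """Count letters only, case-insensitively; digits and symbols are skipped."""
    counts = Counter()
    for pw in passwords:
        counts.update(ch for ch in pw.upper() if "A" <= ch <= "Z")
    return counts

def share(counts, letters):
    """Fraction of all counted letters that belong to `letters` (0.0 for an empty sample)."""
    total = sum(counts.values())
    return sum(counts[l] for l in letters) / total if total else 0.0

def ranked(counts, n=8):
    """The n most frequent letters in the sample, ties broken alphabetically."""
    return "".join(l for l, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n])

def analyze(passwords):
    counts = letter_counts(passwords)
    return {
        "letters": sum(counts.values()),
        "top8_share": share(counts, TOP8),      # compare with ~65% for English prose
        "top12_share": share(counts, TOP12),    # compare with ~80%
        "sample_top8": ranked(counts),
    }

if __name__ == "__main__":
    r = analyze(SAMPLE_PASSWORDS)
    print(f"{r['letters']} letters; A-SIN-TO-ERR letters cover {r['top8_share']:.0%} "
          f"(English prose ~65%), first 12 cover {r['top12_share']:.0%} (~80%)")
    print("most frequent letters in the sample:", r["sample_top8"])
```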
Some more food for thought:
Most Commonly Used Passwords Lists Comparison Conclusions
The studies mentioned above, combined with a few others, have made me draw the following conclusions:
Amongst the most frequently used passwords are simple-to-guess words or combinations like:
- '123456' or longer '12345678' and variations (like backwards: '654321' or crossed '159753' or '159357')
- variations of the user's first name – over 16% of all cases!!!
- or the user's spouse's or child's first name,
- or other patterns on the keyboard, like 'qwerty' etc… HUGE … 14%!!!
- many times the user's birthdate
- or frequently names of things in the close vicinity (brand names like 'samsung', for instance, if their monitor happens to be of that brand, etc…)
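A policy check that flags the patterns listed above against what a site already knows about its user, as an added example (not from the post); the names, birthdate, site word and brand name in SAMPLE_CTX are constructed values.

```python
import re
from datetime import date

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
DIGIT_ROW = "0123456789"
KEYPAD_WALKS = ("159753", "159357")      # the "crossed" keypad patterns quoted above
COMMON_WORDS = ("password", "test")      # words the post singles out

# Constructed user profile for the demonstration; none of it comes from the leaked lists.
SAMPLE_CTX = dict(first_name="Alice", family_names=("Bob", "Eve"), birth=date(1985, 5, 1),
                  site_words=("myspace",), nearby=("Samsung",))

def _walk(s, row):
    """True when s (4+ chars) reads straight along `row`, forwards or backwards."""
    return len(s) >= 4 and (s in row or s in row[::-1])

def weak_patterns(password, *, first_name="", family_names=(), birth=None,
                  site_words=(), nearby=()):
    """Labels of every listed weak pattern found in `password`; empty list if none."""
    pw = password.lower()
    digits = re.sub(r"\D", "", pw)
    hits = []
    if _walk(digits, DIGIT_ROW):                     # 123456, 12345678, backwards 654321
        hits.append("digit-run")
    if any(w in pw or w[::-1] in pw for w in KEYPAD_WALKS):
        hits.append("keypad-walk")
    if any(_walk(pw[i:i + 4], row) for row in KEYBOARD_ROWS for i in range(len(pw) - 3)):
        hits.append("keyboard-walk")                 # qwerty, asdfgh, ...
    if any(len(n) >= 3 and n.lower() in pw for n in (first_name, *family_names)):
        hits.append("personal-name")                 # own, spouse's or child's first name
    if birth is not None:
        layouts = {birth.strftime(f) for f in ("%Y", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y")}
        if any(layout in digits for layout in layouts):
            hits.append("birthdate")
    if any(re.fullmatch(re.escape(w.lower()) + r"\d?", pw) for w in (*site_words, *COMMON_WORDS)):
        hits.append("site-or-common-word")           # phpbb, myspace1, password, test
    if any(len(b) >= 3 and b.lower() in pw for b in nearby):
        hits.append("brand-name")                    # samsung, ...
    return hits

if __name__ == "__main__":
    for pw in ("123456", "654321", "159357", "qwerty", "alice1985", "myspace1",
               "Samsung2", "password", "Tr0ub4dor&3"):
        print(f"{pw:12} -> {weak_patterns(pw, **SAMPLE_CTX) or 'no listed pattern'}")
```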
I see a terrible danger in here!
The Common Passwords Used Multiple Times Threat
Hackers who get hold of the credentials of one of your less secure accounts may very well use those to try to log in to other sites as well … and if you happened to use the same password more than once, you'd be prone to see this spreading amongst all your profiles on the web, very soon…
Unfortunately this may end up with them getting hold of your main e-mail account, and from there it is just one more small step to your PayPal or other payment portals you are using, or your online banking credentials, etc…
For instance, the 4chan group used the login credentials they got from the Singles.org database to access the same users' FaceBook or Twitter accounts, sending hate/racist or sex-related messages to other people on those accounts' contact lists.
This caused a great deal of embarrassment for the original owners when they were faced with strange accusations.
This happened because those people used the same usernames and passwords for many different social network accounts.
The only sensible thing to do is to use STRONG passwords all the time, with a different, unique password for each website – never repeat one! I would also recommend building STRONG passwords not only by making them longer, but by using a combination of uppercase and lowercase letters, special signs and digits wherever allowed, to obtain the maximum password strength possible…
If it seems too hard to implement – do not worry!
I found an automatic solution to help you achieve that easily.
I personally use RoboForm – and I have written an informative post about it (from the perspective of ease of use more than security, though … ) here:
I strongly encourage you to read that article too and download the RoboForm software, as it is a free tool for most purposes …
… although I bought the Pro (paid) version, which suits other advanced uses too (like automatically completing submission forms for me whenever I join a membership site, like a GiveAway or other similar places where there are lots of fields to fill)
The 500 most commonly used passwords list and other insights
The following download contains offensive language and words related to sex, hate, racism and more…
This material has been gathered exclusively from the input of real world users and public sources available on the Internet. These have been included solely to give you an insight into the minds of people using them.
I want to impress upon you that they have NOTHING to do with my own views, language, manners or mindset! If you would be upset by reviewing such offensive language and related words, I URGE you:
Please refrain from downloading it!
That having been said … if you are interested in getting a copy of the new report I'm preparing on the new Internet threats, online security issues and other interesting stuff, INCLUDING the whole table of the 250 most commonly used passwords that came up from the above analysis …
… PLUS (BONUS!!!) a list of the TOP 500 most common passwords used online
- compiled by whatsmypass.com (a password recovery service) from the requests they've got …
The Godzilla Hack (over 32 million accounts from RockYou)
…Please sign up for the notification list and I'll make sure to send it to you ASAP.
Preferably subscribe with a Gmail account - highly recommended! – to make sure you will be able to securely get my message swiftly delivered to your Inbox!
IF you enjoyed "The Most Common Passwords Used For Logins Online", feel free to tweet about it, share it on social networks like FaceBook, Digg, etc… and especially leave a comment below – Thank YOU!
"The Most Common Passwords Used For Logins Online" was compiled using the sources listed in the trackbacks.
There is a non-exhaustive bibliography included in the "TOP 500 Most Common Passwords Used Online FREE Report" as well…
Robo Form Fillers
The Fundamental First Step Ever To Be Taken By A Newbie IMer (Internet Marketer) That Usually Nobody Tells You About - The Best Password Manager
Form fillers and password manager software solutions are the most overlooked, yet some of the most important, tools in an Internet marketer's tool belt nowadays.
Indeed… if you have already explored a while around the net, you have obviously been drawn to the numerous opportunities popping up there, all of them so exciting… luring you into becoming their
- user, or
- affiliate, or
well, whatever they call it.
…you’d need an elephant’s memory to remember all that stuff, wouldn’t you?
Therefore, I will proudly point out my advice for you…
(as there are so few others to tip you on that on the Internet)
…to closely consider these facts first:
- in order to surf safely, you need to carefully protect yourself, whenever possible, behind
- even fake IDs eventually;
- for testing purposes you might need more than one
- e-mail, or
- nickname, or
- screen-name, or
ultimately more than only one virtual identity;
- in order to remain focused, you need
- to be very well organized,
- to keep your bookmarks categorized and properly named just as YOU wish;
- you will have to subscribe to
- many newsletters,
- membership sites and
- clubs and so on, forever…
- all of them with their own username and password;
- from time to time, you will need to make payments online,
- using your credit cards
(they all have their own code and expiry date and CVV) or
- even through a service like PayPal, or…
If you run a regular offline business you'll have your secretary, and sometimes even other people like your… say…
…accountant, to take care of these.
But online, especially for a typical work-at-home or Internet marketing type of business, you will be alone.
Therefore, YOU must be, then, your own secretary, right?
You will have to remember those www addresses you were surfing a while ago, which hopefully you've bookmarked somewhere – hmmm… but where, exactly? – and by the way… when you find those:
“Oh, Lord, what was the user and password I’ve set then?”
And if you happen to be just a trifle paranoid about security, just as I am…
(for good reason, believe me)
…especially when you are sitting in front of a different computer than your own home one, but not only – say…
…traveling and using an Internet Cafe, or…
…being still employed and having the urge to cheat on the schedule your employer has set for you, by trying to surf a little bit more from work (not on my advice!), or…
…sharing the computer with your kids (they have the dangerous habit of downloading tons of improperly checked stuff from the net)
In all these cases, and many, many more, you wouldn't dare type in your precious secret user names and passwords, credit card information or whatever other "delicate" stuff.
(that is, if you remember them, in the first place…)
Because nasty people invented keyloggers.
Even your boss may use such a piece of spy software – or another, maybe even worse, one.
YES – They are used to spy on you!
Whenever you press a key on your keyboard, it will be collected in a special secret file called a log (hence the name: keylogger).
The next step is to send it to the evil guy through your connection, and there you are: all your sensitive data is now in the hands of someone else.
Generally, in order to keep track of one's activities, memberships, favorite pages, etc… people bookmark them in their browsers, which comes in handy, but usually without the corresponding usernames and passwords for easy access.
So, they face a few possible "solutions" widely spread amongst millions and millions of other users:
- write them down on paper and keep it safe
(rarely effective – soon you'll lose it; and someone else might find it)
- write down on sticky notes and “glue” them on their monitor
(often – but… figure out for yourself why it’s wrong)
- create a general purpose nickname with a common-to-all password and stick to it
(lazy AND dangerous habit)
But there is hope!
A special piece of software called a password manager will solve all that and even more…
The name is not complete, though, because it does not only:
- memorize and keep track of your passwords, in conjunction with the appropriate usernames, plus
- bookmark the corresponding login pages, and even
- bookmark any page you wish, in a freely customizable manner
(you may create folders for categories and assign the bookmarks accordingly)
- let you create multiple identities for various purposes over the net, each of them crammed with whatever you might imagine as a matter of data:
- your first/sur/nick names;
- preferred e/snail mail address;
- business identity (name, address);
- bank details (name, addresses);
- bank account details;
- guess… card account details, sure;
- the list goes on and on and on…
all of them ready to be inserted into any possible fields you might encounter on your “surfing expeditions”.
That’s right folks; it’s a form filler, too!
This is a powerful feature, because:
- once memorized the first time, it will insert all the necessary data with only one click of the mouse; thus, any keylogger will be "blinded" by that, registering a single meaningless click instead of all your precious, private information;
- plus, once a login page is correctly bookmarked at its first encounter, it will also prevent you from being lured unknowingly into a phishing site later on.
Now, some people have accused me at this point of trying to sell it instead of reviewing it. But how can I help it?
It’s even better than I’ve already told you:
- one of its best features is portability (you may take it with you on your flash stick and thus all your "sensibles" will be kept safe in your pocket; it will also autorun from there, no install needed, no traces left on the guest computer);
- another plus is that it will flawlessly work "in tandem" with another piece of useful software from the same producer (it's really not me!!!) to back up your data, to prevent you from losing it in case of theft, loss, breakage, etc… of your flash stick;
- but of course it may also back up whatever else you wish, either on your hard drive, or on your… YES! You guessed it: the same flash stick.
- the final touch I kept untold till now:
- forget the scrap of paper with passwords AND
- forget the sticky note on your monitor BUT
- KEEP your beloved ONE-GOOD-FOR-ALL password handy, because it will become from now on…
Why is that so?
Because while all your data will be kept safe (encrypted) by this software, away from foreign eyes, in order to access it you will need a master password to unlock it, which you will have to provide:
- every time you plug the flash stick into its slot, or, if you wish, even
- at regularly scheduled moments or,
- triggered by specific events; hopefully preventing this way other people from "peeking" in case you accidentally forget to unplug the device when you leave the computer.
You may use whatever passwords
- you can imagine (no matter how fancy and difficult to remember they might be), or
- use the built-in facility to pick powerful, randomly generated passwords, even customized according to any site's requirements (such as preferred min/max length, accepted symbols, characters, etc…)
Then forget about them completely and concentrate onto your only, single
For tips and tricks on how to achieve the right complexity while still being able to remember it later, you may read more on my blog here.
So, what could there be more to say about this MASTERPIECE?
Well, there are a ton of other cool features on the producer's site, which I'm already too exhausted to continue telling you about, apart from only one more:
Even though, in order to use it fully featured, you will have to pay a small one-time fee (which I recommend not for making money out of it, but simply because it's worth it), if you intend to use it only for personal use, then…
…both of them (the password manager and the backup synchronizer) actually.
If it were on me, I would simply call them together:
A COMPLETE SOLUTION
…YOU May DOWNLOAD The FREE: