Statistics on passwords are rare things. Anyone with the tiniest clue about computer security knows that passwords should be stored in some encrypted form, so that if someone did break into your system they couldn’t just read everyone’s passwords. Clearly the world is not just full of smart people, so when a largish website got hacked a little while back and its passwords were found to be in plain text, the result was inevitable: they got released to the public.
Here is an article with some details on some of the statistics drawn from said publicly released passwords. There are some odd ones in there and some slightly scary ones. http://www.physorg.com/news153650514.html
However, the story doesn’t end there. You see, I happen to be part of a big site that stores its passwords in this painfully bad plain text way. I also happen to be fairly high up there and have at times helped out with the codebase and database. In fact, I still had an old database backup kicking around which I hadn’t got round to removing. Now Physorg had 28,000 passwords to look at. I, on the other hand, have over 130,000! Suffice it to say, this is probably more passwords than almost anyone else in the world can get hold of, due to most sites’ default security.
Of course, with a resource like that I couldn’t help but do a little statistical analysis. Here is a list of the most popular passwords along with the number of times each was used among the 130,000 people.
| Password | Count |
|---|---|
| 88u6755r34 | 1367 |
| 123456 | 1269 |
| password | 836 |
| mchs2005 | 471 |
| 12345678 | 390 |
| Allahakbar | 284 |
| 12345 | 357 |
| humyhumy | 356 |
| catsca | 336 |
| binky | 321 |
| junior | 315 |
| 123456789 | 301 |
| tree777 | 295 |
| brolly | 259 |
| dolphin | 237 |
| aaaaa | 233 |
| liverpool | 231 |
| qwerty | 226 |
| compaq | 207 |
| princess | 200 |
| vagina | 185 |
| mj8jr2 | 183 |
| iloveyou | 173 |
| 111111 | 155 |
| 82308230 | 152 |
| hello | 149 |
| music000 | 145 |
| whatever | 131 |
| class3kill | 126 |
| monkey | 126 |
The first thing that strikes me about these results is that the number one password is a very, very odd one. In fact, my guess for some of the more random results at the top is that they are due to spammers. The site this data comes from has issues with several members making loads and loads of fake accounts. In fact, I have passed this data on to the site owner as a possible way of identifying this person more accurately.
Next we have the string “123456”. This password alone makes up almost 1% of results. This is a huge number and actually pretty scary if you think about it. What is even more scary is that if you take the strings you get by counting up from 1 (i.e. 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 12345678910) you end up covering almost 2% of all the passwords.
I also find it a bit of a worry when we have things like “password” and “qwerty” appearing high up the list too.
The other thing I noticed from this data is the number of real-world words appearing. By this I mean things susceptible to a dictionary attack.
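The kind of audit the figures above come from, as an added example rather than the author's own script: a small Python program that takes a plaintext password list (a constructed sample here, not the post's 130,000-row backup), tabulates the most common values and their share of accounts, measures how much of the user base the counting-up strings 1, 12, 123, … 12345678910 cover, and how many accounts are a bare dictionary word. The dictionary is a constructed stand-in for a real word list.

```python
from collections import Counter

# Constructed sample dump standing in for a leaked plaintext password list
# (not the post's data; counts are chosen so the report is easy to follow).
SAMPLE_PASSWORDS = (
    ["123456"] * 12 + ["password"] * 8 + ["12345"] * 5 + ["1234"] * 3
    + ["123"] * 2 + ["qwerty"] * 4 + ["dolphin"] * 3 + ["monkey"] * 2
    + ["12345678910", "gU1t4", "pU2z1e", "tree777", "music000", "x9Kq!2mZ", "7hL3pq"]
)

# Constructed stand-in for a real word list; a real audit would load one
# (e.g. /usr/share/dict/words) so dictionary-attack exposure is measured properly.
DICTIONARY = {"password", "dolphin", "monkey", "princess", "junior",
              "hello", "music", "whatever", "tree", "guitar", "puzzle"}


def top_passwords(passwords, n=10):
    """The n most common passwords as (password, count) pairs, most common first;
    ties are broken alphabetically so the output is deterministic."""
    counts = Counter(passwords)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def share(passwords, candidates):
    """Fraction of accounts whose password is one of `candidates`."""
    return sum(1 for p in passwords if p in candidates) / len(passwords)


def counting_runs(max_n=10):
    """The strings the post describes: 1, 12, 123, ..., 123456789, 12345678910."""
    return {"".join(str(k) for k in range(1, n + 1)) for n in range(1, max_n + 1)}


def dictionary_word_share(passwords, dictionary=DICTIONARY):
    """Fraction of accounts whose password is a bare dictionary word (case-insensitive),
    i.e. what a dictionary attack would recover without any mangling rules."""
    return sum(1 for p in passwords if p.lower() in dictionary) / len(passwords)


def cumulative_share(passwords, n):
    """Fraction of all accounts covered by the n most common passwords: how much of
    the user base a guessing list of just n entries would open."""
    return sum(c for _, c in top_passwords(passwords, n)) / len(passwords)


def report(passwords):
    """Print a summary in the same table style as the post."""
    total = len(passwords)
    print(f"{total} accounts, {len(set(passwords))} distinct passwords\n")
    print("| Password | Count | Share |")
    print("|---|---|---|")
    for pw, c in top_passwords(passwords, 5):
        print(f"| {pw} | {c} | {100 * c / total:.1f}% |")
    print()
    print(f"top 5 cover            {100 * cumulative_share(passwords, 5):.1f}% of accounts")
    print(f"counting-up strings    {100 * share(passwords, counting_runs()):.1f}%")
    print(f"bare dictionary words  {100 * dictionary_word_share(passwords):.1f}%")


if __name__ == "__main__":
    report(SAMPLE_PASSWORDS)
```

On the constructed sample the counting-up strings alone cover half the accounts and bare dictionary words a further 28%, which is the same picture as the post's table: a guessing list of a handful of entries opens a large slice of the user base.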
I thought that by now people, especially teens (which is who this data is from), would know what is and what isn’t a good password. Ideally it should be something unrelated to you (so not your date of birth!), something not in the dictionary, containing at least a mix of letters and numbers and, if at all possible, a misspelling with random capitalisation. So, something like gU1t4 for guitar, or how about pU2z1e for puzzle. It should be something that you find easy to remember or work out. Car number plates are good, but don’t use your current one. Old phone numbers, maybe with letters in place of some numbers.
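The rules in the paragraph above turned into a checker, as an added example that is not the author's code: it rejects a candidate that is a bare dictionary word, that lacks either letters or digits, that is one of the counting-up digit strings, that matches an entry from the leaked top-30 table, or that contains a piece of the user's date of birth. The word list and blocklist are constructed subsets, and the `dob` argument (ISO `YYYY-MM-DD`) is an assumption about how the date of birth would be supplied.

```python
import re

# Constructed stand-in for a real word list (a real checker would load a full one).
DICTIONARY = {"guitar", "puzzle", "dolphin", "monkey", "princess", "password",
              "junior", "hello", "whatever", "music", "liverpool", "binky"}

# Subset of the post's leaked top-30 table used as a blocklist: anything that
# common is rejected outright, whatever the other rules say.
TOP_LEAKED = {"123456", "password", "12345678", "12345", "123456789", "qwerty",
              "iloveyou", "111111", "hello", "monkey", "princess", "dolphin"}


def counting_runs(max_n=10):
    """1, 12, 123, ..., 12345678910: the sequence the post found covering ~2% of accounts."""
    return {"".join(str(k) for k in range(1, n + 1)) for n in range(1, max_n + 1)}


def dob_fragments(dob):
    """Digit groups a person tends to reuse from a date of birth 'YYYY-MM-DD':
    full year, two-digit year, DDMM, MMDD, DDMMYY and YYYYMMDD.
    The two-digit year is deliberately strict and will flag any matching pair."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", dob)
    if not m:
        raise ValueError("dob must be YYYY-MM-DD")
    yyyy, mm, dd = m.groups()
    return {yyyy, yyyy[2:], dd + mm, mm + dd, dd + mm + yyyy[2:], yyyy + mm + dd}


def check_password(pw, dob=None, dictionary=DICTIONARY, blocklist=TOP_LEAKED):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    lower = pw.lower()
    if lower in blocklist:
        problems.append("is one of the most common leaked passwords")
    if lower in counting_runs():
        problems.append("is a counting-up digit string")
    if lower in dictionary:
        problems.append("is a dictionary word")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("contains no letters")
    if not re.search(r"\d", pw):
        problems.append("contains no digits")
    if dob is not None and any(frag in pw for frag in dob_fragments(dob)):
        problems.append("contains part of the date of birth")
    return problems


if __name__ == "__main__":
    for candidate, born in [("gU1t4", None), ("password", None),
                            ("123456", None), ("dolphin1991", "1991-04-23")]:
        verdict = check_password(candidate, dob=born)
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

The checker applies the post's rules literally and does not try to undo letter-for-digit substitutions, so gU1t4 and pU2z1e pass, while password, 123456 and dolphin1991 (for someone born in 1991) are rejected with the reasons listed.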
Failing that, use something like KeePass. It stores login details, including passwords, and locks them all under one master password that you should never write down.