

Statistics of 62K Passwords - abyx
http://www.codelord.net/2011/06/18/statistics-of-62k-passwords/

======
donall
I'm sure nobody is surprised that the most common passwords are "123456",
"password", etc. There is a perception in communities like ours that the
average user is completely inept and shouldn't be trusted to create a secure
password, but I have to wonder how many of these passwords are actually
designed to be secure.

I often use enormously insecure passwords when "signing up" for sites that
require registration to continue. I've probably created dozens of accounts
around the web with logins like 'qwerty:qwerty' or 'qwer4321:qwerfdsa'. This
isn't because I'm a moron, it's because I will never need to access the
account again and I therefore don't care about security. "qwerty" is easier to
type into a password field twice (for confirmation) than "glxCdsXX3_2".

I would be interested in seeing an analysis of the actual usage of accounts
with the most common passwords. It would be interesting to have a bot log into
a large amount of cracked accounts and download any usage history or generated
data that would indicate how often the account has been used. My guess is that
a significant number of the common-password accounts would have the same date
for "first created" and "last login". That data could be used to weight the
frequencies of the common passwords and paint a much more interesting picture.

------
Sapient
The 10th most common password was far too interesting for me to ignore. While
it is fairly easy to type, it's not easy enough for it to be some sort of
tap-password.

Having a closer look at the list, and assuming the dump is organised in some
sort of chronological creation order, you can see that all the accounts which
use that password are created in several tight groups, share a fairly common
username theme (mostly female names), and use a fairly narrow selection of
email providers. I would guess they were made by a bot.

~~~
makmanalp
Yup, the article also says:

> My guess would have to be it’s some worm that resets the accounts it hacked
> into to it.

~~~
Sapient
Ah thanks, I need to learn to read gooder. The password got me so curious I
couldn't even finish reading the sentence.

Edit: Thinking about his explanation, it doesn't really make sense to me. If
that were really the case, those accounts would be more evenly distributed
through the list - yet they are tightly clustered, which leads me to think
they were created in groups (guessing the list has some sort of chronological
order).

~~~
busyant
I'm not sure what you mean by "clustered".

Where are you looking at the clustering?

------
macuenca
We built a "password strengthener" the other day. During the analysis phase,
we ran our passwords database (~10M accounts) against a dictionary. We wanted
to do this to ban the top ten most commonly used words, among other things. The
results beyond the top 10 were completely different from the ones pointed out
here by the OP; the first 10 were almost exactly the same.

My take is that this depends considerably on your target audience. I'm not
disclosing which team I'm a member of, but if you run the same analysis to
come up with ideas on how to get users to choose better passwords, you'll
see how different the results are going to look.

~~~
carbocation
This implies that you're storing plaintext or unsalted hashed passwords,
right? What's the use case where this is necessary?

------
busyant
You can look at the password histogram here:
[http://public.tableausoftware.com/views/LulzSecPasswordBreak...](http://public.tableausoftware.com/views/LulzSecPasswordBreakdown/PasswordDashboard?:embed=yes&:toolbar=yes&:tabs=yes)

tableau public tends to be a little slow, tho.

------
andreasjansson
Ran it against /etc/dictionaries-common/words (en_US), 16% matches.
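The analysis the thread describes (a histogram of the most common passwords, the share that are plain dictionary words as in andreasjansson's 16% figure, and a registration-time denylist like macuenca's "strengthener" that checks only the candidate password, so it needs no plaintext store, which is carbocation's concern) as an added Python example that is not code from the article or from any commenter. The password sample and the word list are constructed stand-ins; no real dump or /etc/dictionaries-common/words file is read.

```python
from collections import Counter

# Constructed stand-in for a leaked plaintext dump (not the 62K list).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "password", "qwerty",
    "letmein", "dragon", "sunshine", "glxCdsXX3_2", "correcthorse",
    "iloveyou", "monkey", "Tr0ub4dor&3", "123456",
]

# Constructed stand-in for /etc/dictionaries-common/words.
SAMPLE_DICTIONARY = {"password", "dragon", "sunshine", "monkey", "letmein"}


def password_histogram(passwords, top_n=10):
    """Top-n (password, count) pairs, most common first (ties keep first-seen order)."""
    return Counter(passwords).most_common(top_n)


def dictionary_match_rate(passwords, dictionary):
    """Fraction of passwords that are exactly a dictionary word, case-insensitively."""
    words = {w.lower() for w in dictionary}
    hits = sum(1 for p in passwords if p.lower() in words)
    return hits / len(passwords) if passwords else 0.0


def build_denylist(passwords, dictionary, top_n=10):
    """Denylist = the top-n most common passwords plus every dictionary word.

    This is the only thing that needs to persist: the dump itself can be
    discarded once the list is built.
    """
    common = {p.lower() for p, _ in password_histogram(passwords, top_n)}
    return common | {w.lower() for w in dictionary}


def check_new_password(candidate, denylist):
    """Registration-time check on the candidate alone; the stored credential
    can still be a salted hash, since the plaintext is only seen here."""
    if candidate.lower() in denylist:
        return False, "rejected: too common or a dictionary word"
    return True, "ok"


if __name__ == "__main__":
    print(password_histogram(SAMPLE_PASSWORDS, 3))
    print(f"dictionary matches: {dictionary_match_rate(SAMPLE_PASSWORDS, SAMPLE_DICTIONARY):.0%}")
    deny = build_denylist(SAMPLE_PASSWORDS, SAMPLE_DICTIONARY, 3)
    for cand in ("Password", "glxCdsXX3_2"):
        print(cand, check_new_password(cand, deny))
```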

