Passwords

So there’s this software company over in China that recently had around 6 million email address/passwords leaked to the internet.

Here is a list of the top most common passwords in that list, ranked in order of appearance.

If you use any passwords similar, or the exact same, as the passwords on this list – fix it!

These passwords all have things in common – easily guessable, repeating patterns, simple phrases.

Having used software built to use both brute force based & dictionary based password attacks I can give this piece of advice:

15-25 characters long, at least one capitol, at least one lower case, at least one number, at least one special character, no patterns, no real world words.

A good example of a strong password is    Zingerpop.48$##$

Let me take a moment to break down why that is a strong password.  If i were using a dictionary based attack on this password I would get nowhere. If I were using a brute force attack, I would have to use the lowercase character set(26), the upper case character set(26), the numeric character set(10), and the special character set(32). 26+26+10+32=94. For every “letter” in that password you can have 94 different characters.  Compared to a simple password like apple it is much more secure.

Lets compare:

apple – Using a dictionary attack this password would be cracked in probably under 30 minutes. Using a brute force attack … lets see: 5 chars long. charsets: alpha-lower (26 letters in the alphabet) 26^5=26*26*26*26*26=11,881,376 iterations. Password cracker working at lets say 1500 attempts per minute(basic multi session brute force attempts on say a generic email account from some punk turd’s computer in his mommas basement) = 5.5 days till cracked by brute force, not good. If the password was used for a locally encrypted file, the attack could be executed much much faster and crack it within a few seconds.

Zingerpop.48$##$ – Using a dictionary attack this password would never, ever be cracked. It’s just simply too random & complex. Using a brute force attack… lets see: 16 chars long. charsets: alpha-lower(26), alpha-upper(26), alpha-numeric(10), alpha-special(32) = 94. 94^16=94*94*94*94*94*94*94*94*94*94*94*94*94*94*94*94=3.71574290834’31 iteration attempts. At 1500 attempts per minute it would take 4.71301738755’22 years.. Thats 47,130,173,875,500,000,000,000 years…. 47 sextillion years. That’s a really, really long time.

So, by simply adding a few upper case letters, numbers, special characters & using a proper password length, you can increase the time it takes to crack your password from a week to more time than we  have left in the expected lifespan of our galaxy, the Milky Way.

So, on to the most common passwords list!

(PASSWORD, NUMBER OF TIMES FOUND)
(‘123456789’, 235039)
(‘12345678’, 212761)
(‘11111111’, 76348)
(‘dearbook’, 46053)
(‘00000000’, 34953)
(‘123123123’, 20010)
(‘1234567890’, 17794)
(‘88888888’, 15033)
(‘111111111’, 6995)
(‘147258369’, 5966)
(‘987654321’, 5555)
(‘aaaaaaaa’, 5460)
(‘1111111111’, 5145)
(‘66666666’, 5026)
(‘a123456789’, 4435)
(‘11223344’, 4096)
(‘1qaz2wsx’, 3672)
(‘xiazhili’, 3649)
(‘789456123’, 3610)
(‘password’, 3503)
(‘87654321’, 3282)
(‘qqqqqqqq’, 3277)
(‘000000000’, 3176)
(‘qwertyuiop’, 3143)
(‘qq123456’, 3094)
(‘iloveyou’, 3085)
(‘31415926’, 3063)
(‘12344321’, 2985)
(‘0000000000’, 2886)
(‘asdfghjkl’, 2826)
(‘1q2w3e4r’, 2797)
(‘123456abc’, 2581)
(‘0123456789’, 2578)
(‘123654789’, 2573)
(‘12121212’, 2540)
(‘qazwsxedc’, 2516)
(‘abcd1234’, 2397)
(‘12341234’, 2381)
(‘110110110’, 2348)
(‘asdasdasd’, 2298)
(‘22222222’, 2243)
(‘123456’, 2180)
(‘123321123’, 2166)
(‘abc123456’, 2160)
(‘a12345678’, 2138)
(‘123456123’, 2113)
(‘a1234567’, 2108)
(‘1234qwer’, 2100)
(‘qwertyui’, 1989)
(‘123456789a’, 1987)
(‘aa123456’, 1971)
(‘asdfasdf’, 1920)
(‘99999999’, 1891)
(‘999999999’, 1859)
(‘123456aa’, 1859)
(‘123456123456’, 1854)
(‘520520520’, 1699)
(‘963852741’, 1656)
(‘741852963’, 1652)
(‘55555555’, 1652)
(‘33333333’, 1589)
(‘qwer1234’, 1481)
(‘asd123456’, 1384)
(‘77777777’, 1339)
(‘qweasdzxc’, 1316)
(‘code8925’, 1285)
(‘11112222’, 1273)
(‘ms0083jxj’, 1268)
(‘zzzzzzzz’, 1245)
(‘111222333’, 1214)
(‘qweqweqwe’, 1206)
(‘3.1415926’, 1200)
(‘123456qq’, 1183)
(‘147852369’, 1148)
(‘521521521’, 1136)
(‘asdf1234’, 1122)
(‘123698745’, 1111)
(‘1123581321’, 1109)
(‘asdfghjk’, 1058)
(‘q1w2e3r4’, 1054)
(‘12345678a’, 1039)
(‘!@’, 1006)
(‘woaini1314’, 1005)
(‘1234abcd’, 991)
(‘123qweasd’, 988)
(‘1qazxsw2’, 977)
(‘woaiwojia’, 968)
(‘321321321’, 920)
(‘05962514787’, 910)
(‘123456987’, 894)
(‘kingcom5’, 892)
(‘zxcvbnm123’, 882)
(‘5845201314’, 882)
(”, 863)
(‘0987654321’, 853)
(‘wwwwwwww’, 847)
(‘11111111111111111111’, 835)
(‘12345600’, 805)
(‘11235813’, 783)
(‘1q2w3e4r5t’, 777)

2 thoughts on “Passwords

Comments for Dave?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s