So there’s this software company over in China that recently had around 6 million email address/passwords leaked to the internet.
Here is a list of the top most common passwords in that list, ranked in order of appearance.
If you use any password similar to, or exactly the same as, the passwords on this list – fix it!
These passwords all have things in common – easily guessable, repeating patterns, simple phrases.
Having used software built to run both brute-force-based and dictionary-based password attacks, I can give this piece of advice:
15-25 characters long, at least one capital, at least one lower case, at least one number, at least one special character, no patterns, no real-world words.
A good example of a strong password is Zingerpop.48$##$
Let me take a moment to break down why that is a strong password. If I were using a dictionary-based attack on this password I would get nowhere. If I were using a brute-force attack, I would have to use the lowercase character set (26), the uppercase character set (26), the numeric character set (10), and the special character set (32). 26+26+10+32=94. For every “letter” in that password you can have 94 different characters. Compared to a simple password like apple it is much more secure.
Let’s compare:
apple – Using a dictionary attack this password would be cracked in probably under 30 minutes. Using a brute-force attack… let’s see: 5 chars long. Charset: alpha-lower (26 letters in the alphabet). 26^5=26*26*26*26*26=11,881,376 iterations. A password cracker working at, let’s say, 1500 attempts per minute (basic multi-session brute-force attempts on, say, a generic email account from some punk turd’s computer in his momma’s basement) = 5.5 days till cracked by brute force, not good. If the password was used for a locally encrypted file, the attack could be executed much, much faster and crack it within a few seconds.
Zingerpop.48$##$ – Using a dictionary attack this password would never, ever be cracked. It’s simply too random and complex. Using a brute-force attack… let’s see: 16 chars long. Charsets: alpha-lower (26), alpha-upper (26), alpha-numeric (10), alpha-special (32) = 94. 94^16=94*94*94*94*94*94*94*94*94*94*94*94*94*94*94*94=3.71574290834×10^31 iteration attempts. At 1500 attempts per minute it would take 4.71301738755×10^22 years. That’s 47,130,173,875,500,000,000,000 years… 47 sextillion years. That’s a really, really long time.
So, by simply adding a few uppercase letters, numbers and special characters, and using a proper password length, you can increase the time it takes to brute-force your password from under a week to more time than is left in the expected lifespan of our galaxy, the Milky Way.
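The keyspace arithmetic above, as an added example that is not part of the original post: it detects which of the four character classes a password uses (26 + 26 + 10 + 32 = 94, as counted in the post), raises that to the password length, and converts the worst-case exhaustive search into time at the post’s assumed 1500 attempts per minute (365-day years, as the post’s figure implies). Note that this measures only brute-force resistance; a dictionary word or a repeated pattern can have a large keyspace and still fall to a wordlist.

```python
import math
import string

# Character classes exactly as the post counts them: 26 + 26 + 10 + 32 = 94.
# string.punctuation holds the 32 printable ASCII special characters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def charset_size(password: str) -> int:
    """Sum the sizes of every class the password touches; an attacker who
    wants to be sure of a hit must include each of those classes."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must try (charset ** length)."""
    return charset_size(password) ** len(password)


def keyspace_bits(password: str) -> float:
    """The same keyspace expressed as bits (log2), the usual strength figure."""
    return math.log2(keyspace(password))


def time_to_exhaust(password: str, attempts_per_minute: float = 1500.0) -> dict:
    """Worst-case time to try every candidate at the given online guessing rate."""
    minutes = keyspace(password) / attempts_per_minute
    return {
        "minutes": minutes,
        "days": minutes / (60 * 24),
        "years": minutes / (60 * 24 * 365),
    }


if __name__ == "__main__":
    for pw in ("apple", "Zingerpop.48$##$"):  # the two passwords the post compares
        t = time_to_exhaust(pw)
        print(f"{pw}: charset={charset_size(pw)} keyspace={keyspace(pw):.3e} "
              f"({keyspace_bits(pw):.1f} bits) days={t['days']:.1f} years={t['years']:.3e}")
```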
So, on to the most common passwords list!
http://xkcd.com/936/
Your example has 128 bits of entropy, according to Keepassx. “apple” only has 40 bits.