Most common passwords list from 3 databases

Posted on Saturday, February 28 2009

There have been three instances that I know of where a significant number of hacked account passwords have been publicly released. I have obtained the lists and made a thorough analysis of each of them, including the most common passwords and character frequencies. In total, there were 116782 passwords.

Singles.org Most Common Passwords

Rank % Repetitions Pass
1 1.02 417 123456
2 0.61 250 jesus
3 0.41 168 password
4 0.29 118 love
5 0.2 83 12345678
6 0.2 83 christ
7 0.17 68 jesus1
8 0.16 65 princess
9 0.16 64 blessed
10 0.15 63 sunshine
11 0.13 52 faith
12 0.13 51 1234567
13 0.12 50 angel
14 0.11 44 single
15 0.11 44 lovely
16 0.11 43 freedom
17 0.1 40 blessing
18 0.1 39 12345
19 0.1 39 grace
20 0.1 39 iloveyou
21 0.09 37 7777777
22 0.09 37 heaven
23 0.09 37 angels
24 0.09 37 shadow
25 0.09 35 1234
26 0.08 33 tigger
27 0.08 32 summer
28 0.08 31 hope
29 0.07 30 looking
30 0.07 29 peace
31 0.07 29 mother
32 0.07 29 michael
33 0.07 29 shalom
34 0.07 28 rotimi
35 0.07 28 football
36 0.07 27 victory
37 0.07 27 happy
38 0.07 27 purple
39 0.07 27 john316
40 0.07 27 joshua
41 0.06 26 london
42 0.06 26 superman
43 0.06 26 church
44 0.06 26 loving
45 0.06 25 computer
46 0.06 25 mylove
47 0.06 25 praise
48 0.06 25 saved
49 0.06 24 richard
50 0.06 24 pastor

phpBB Most Common Passwords

Rank % Repetitions Pass
1 3.03 868 123456
2 2.19 628 password
3 1.45 414 phpbb
4 0.94 269 qwerty
5 0.82 236 12345
6 0.6 171 letmein
7 0.59 168 12345678
8 0.53 151 1234
9 0.51 145 test
10 0.43 124 123
11 0.38 108 trustno1
12 0.33 95 dragon
13 0.32 91 hello
14 0.31 90 abc123
15 0.31 88 111111
16 0.31 88 123456789
17 0.3 87 monkey
18 0.29 83 master
19 0.23 65 killer
20 0.22 63 123123
21 0.22 63 computer
22 0.22 62 asdf
23 0.2 58 shadow
24 0.2 58 internet
25 0.2 58 whatever
26 0.2 56 starwars
27 0.17 50 1234567
28 0.16 47 cheese
29 0.16 46 pass
30 0.16 45 matrix
31 0.16 45 tigger
32 0.15 44 aaaaaa
33 0.15 44 pokemon
34 0.15 44 000000
35 0.15 43 superman
36 0.15 43 qazwsx
37 0.14 40 testing
38 0.14 40 football
39 0.14 39 1
40 0.13 38 blahblah
41 0.13 36 654321
42 0.13 36 fuckyou
43 0.13 36 11111
44 0.13 36 joshua
45 0.12 35 helpme
46 0.12 35 thomas
47 0.12 35 michael
48 0.12 35 biteme
49 0.12 35 forum
50 0.12 34 secret

Myspace Most Common Passwords

Rank % Repetitions Pass
1 0.24 112 password1
2 0.16 77 abc123
3 0.12 58 password
4 0.09 45 iloveyou1
5 0.09 41 iloveyou2
6 0.09 41 fuckyou1
7 0.08 38 myspace1
8 0.08 36 soccer1
9 0.07 32 iloveyou
10 0.06 29 iloveyou!
11 0.05 26 football1
12 0.05 25 fuckyou
13 0.05 23 123456
14 0.05 22 baseball1
15 0.05 22 soccer
16 0.05 22 123abc
17 0.04 20 hello1
18 0.04 20 qwerty1
19 0.04 20 summer1
20 0.04 20 monkey1
21 0.04 19 password2
22 0.04 19 nigger1
23 0.04 19 fuckyou!
24 0.04 18 nicole1
25 0.04 18 cheer1
26 0.04 18 asshole1
27 0.04 18 fuckyou2
28 0.04 17 blink182
29 0.04 17 poop
30 0.04 17 dancer1
31 0.04 17 jordan23
32 0.03 15 football
33 0.03 14 bitch1
34 0.03 14 orange1
35 0.03 14 soccer2
36 0.03 14 123456a
37 0.03 14 baseball
38 0.03 14 eagles1
39 0.03 13 volcom1
40 0.03 13 chris1
41 0.03 13 monkey
42 0.03 13 flower1
43 0.03 13 summer06
44 0.03 12 ashley1
45 0.03 12 love123
46 0.03 12 princess1
47 0.03 12 love
48 0.03 12 nigga1
49 0.03 12 fucker1
50 0.03 12 angel1

All 3 combined 250 most common passwords

Rank % Repetitions Pass
1 1.12 1308 123456
2 0.73 854 password
3 0.35 414 phpbb
4 0.25 294 qwerty
5 0.24 281 12345
6 0.23 265 jesus
7 0.22 253 12345678
8 0.17 195 1234
9 0.16 187 abc123
10 0.16 185 letmein
11 0.13 147 test
12 0.12 143 love
13 0.11 133 123
14 0.11 124 password1
15 0.1 121 hello
16 0.1 118 monkey
17 0.1 115 dragon
18 0.1 112 trustno1
19 0.09 107 111111
20 0.09 105 iloveyou
21 0.09 102 1234567
22 0.08 98 shadow
23 0.08 95 123456789
24 0.08 95 christ
25 0.08 93 sunshine
26 0.08 92 master
27 0.08 90 computer
28 0.08 88 princess
29 0.07 84 tigger
30 0.07 83 football
31 0.07 79 angel
32 0.07 76 jesus1
33 0.07 76 123123
34 0.07 76 whatever
35 0.06 74 freedom
36 0.06 73 killer
37 0.06 71 asdf
38 0.06 71 soccer
39 0.06 71 superman
40 0.06 71 michael
41 0.06 66 cheese
42 0.06 65 internet
43 0.06 65 joshua
44 0.05 64 fuckyou
45 0.05 64 blessed
46 0.05 63 baseball
47 0.05 59 starwars
48 0.05 59 000000
49 0.05 58 purple
50 0.05 58 jordan
51 0.05 58 faith
52 0.05 57 summer
53 0.05 57 ashley
54 0.05 56 buster
55 0.05 55 heaven
56 0.05 53 pepper
57 0.04 52 7777777
58 0.04 52 hunter
59 0.04 51 lovely
60 0.04 51 andrew
61 0.04 51 thomas
62 0.04 51 angels
63 0.04 50 charlie
64 0.04 50 daniel
65 0.04 49 1111
66 0.04 49 jennifer
67 0.04 49 single
68 0.04 49 hannah
69 0.04 48 qazwsx
70 0.04 48 happy
71 0.04 48 matrix
72 0.04 48 pass
73 0.04 48 aaaaaa
74 0.04 47 654321
75 0.04 47 amanda
76 0.04 47 nothing
77 0.04 46 ginger
78 0.04 46 mother
79 0.04 46 snoopy
80 0.04 46 jessica
81 0.04 46 welcome
82 0.04 45 pokemon
83 0.04 45 iloveyou1
84 0.04 45 11111
85 0.04 45 mustang
86 0.04 45 helpme
87 0.04 44 justin
88 0.04 44 jasmine
89 0.04 44 orange
90 0.04 44 testing
91 0.04 43 apple
92 0.04 43 michelle
93 0.04 42 peace
94 0.04 42 secret
95 0.04 42 1
96 0.04 42 grace
97 0.04 42 william
98 0.04 41 iloveyou2
99 0.04 41 nicole
100 0.04 41 666666
101 0.04 41 muffin
102 0.04 41 gateway
103 0.04 41 fuckyou1
104 0.03 40 asshole
105 0.03 40 hahaha
106 0.03 40 poop
107 0.03 40 blessing
108 0.03 40 blahblah
109 0.03 39 myspace1
110 0.03 39 matthew
111 0.03 39 canada
112 0.03 39 silver
113 0.03 39 robert
114 0.03 39 forever
115 0.03 38 asdfgh
116 0.03 38 rachel
117 0.03 38 rainbow
118 0.03 38 guitar
119 0.03 37 peanut
120 0.03 37 batman
121 0.03 37 cookie
122 0.03 37 bailey
123 0.03 37 soccer1
124 0.03 37 mickey
125 0.03 37 biteme
126 0.03 36 hello1
127 0.03 36 eminem
128 0.03 36 dakota
129 0.03 36 samantha
130 0.03 36 compaq
131 0.03 35 diamond
132 0.03 35 taylor
133 0.03 35 forum
134 0.03 35 john316
135 0.03 34 richard
136 0.03 34 blink182
137 0.03 34 peaches
138 0.03 34 cool
139 0.03 34 flower
140 0.03 34 scooter
141 0.03 33 banana
142 0.03 33 james
143 0.03 33 asdfasdf
144 0.03 33 victory
145 0.03 33 london
146 0.03 33 123qwe
147 0.03 33 123321
148 0.03 32 startrek
149 0.03 32 george
150 0.03 32 winner
151 0.03 32 maggie
152 0.03 32 trinity
153 0.03 32 online
154 0.03 32 123abc
155 0.03 32 chicken
156 0.03 32 junior
157 0.03 32 chris
158 0.03 31 passw0rd
159 0.03 31 austin
160 0.03 31 sparky
161 0.03 31 admin
162 0.03 31 merlin
163 0.03 31 google
164 0.03 31 friends
165 0.03 31 hope
166 0.03 31 shalom
167 0.03 30 nintendo
168 0.03 30 looking
169 0.03 30 harley
170 0.03 30 smokey
171 0.03 30 7777
172 0.03 30 joseph
173 0.03 30 lucky
174 0.03 30 digital
175 0.03 30 a
176 0.03 30 thunder
177 0.03 30 spirit
178 0.02 29 bandit
179 0.02 29 enter
180 0.02 29 anthony
181 0.02 29 corvette
182 0.02 29 hockey
183 0.02 29 power
184 0.02 29 benjamin
185 0.02 29 iloveyou!
186 0.02 29 1q2w3e
187 0.02 29 viper
188 0.02 29 genesis
189 0.02 28 knight
190 0.02 28 qwerty1
191 0.02 28 creative
192 0.02 28 foobar
193 0.02 28 adidas
194 0.02 28 rotimi
195 0.02 28 slayer
196 0.02 28 wisdom
197 0.02 27 praise
198 0.02 27 zxcvbnm
199 0.02 27 samuel
200 0.02 27 mike
201 0.02 27 dallas
202 0.02 27 green
203 0.02 27 testtest
204 0.02 27 maverick
205 0.02 27 onelove
206 0.02 27 david
207 0.02 27 mylove
208 0.02 27 church
209 0.02 27 friend
210 0.02 27 god
211 0.02 27 destiny
212 0.02 26 none
213 0.02 26 microsoft
214 0.02 26 222222
215 0.02 26 bubbles
216 0.02 26 11111111
217 0.02 26 cocacola
218 0.02 26 jordan23
219 0.02 26 ilovegod
220 0.02 26 football1
221 0.02 26 loving
222 0.02 26 nathan
223 0.02 26 emmanuel
224 0.02 26 scooby
225 0.02 26 fuckoff
226 0.02 26 sammy
227 0.02 26 maxwell
228 0.02 25 jason
229 0.02 25 john
230 0.02 25 1q2w3e4r
231 0.02 25 baby
232 0.02 25 red123
233 0.02 25 blabla
234 0.02 25 prince
235 0.02 25 qwert
236 0.02 25 chelsea
237 0.02 25 55555
238 0.02 25 angel1
239 0.02 25 hardcore
240 0.02 25 dexter
241 0.02 25 saved
242 0.02 25 112233
243 0.02 25 hallo
244 0.02 25 jasper
245 0.02 25 danielle
246 0.02 25 kitten
247 0.02 24 cassie
248 0.02 24 stella
249 0.02 24 prayer
250 0.02 24 hotdog

Myspace Phishing: 47380 Account Passwords

In 2006 there was a large-scale phishing attack on Myspace accounts. Someone found the file on the server where the compromised accounts were being saved. 47380 emails / passwords were found. A password analysis was done here and here.

phpBB.com: 28644 Account Passwords

In January 2009 someone noticed an exploit listed on milw0rm for PHPlist, a newsletter manager. They found it was running on phpBB.com's server and used the exploit to steal the passwords of users who logged in over the coming weeks. The hacker wasn't caught, but rather made a blogspot account and bragged about it, uploading the entire user database (passwords encrypted) and the usernames and passwords of those who logged in while he or she was in control. 28644 usernames and passwords were uploaded to file sharing sites. A password analysis was done here.

Singles.org: 40758 Account Passwords

On Feb 21 2009 it was discovered that singles.org, a Christian dating network, did not have any security at all. After logging in and going to 'edit profile', you could see your email, password and other information. The problem is that if you gave someone the link, they could see it too, without logging in. Since the only thing that differed from person to person was the userid, people just changed the number to see other people's email and password information. Someone made a bot to loop through the pages and captured 40758 usernames and passwords, then released them to the public. It was later confirmed ebaumsworld did it.
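The flaw described above is a missing authorization check on an object reference, the userid in the link. As an added example (not code from singles.org), the sketch below puts a handler with that behaviour beside a corrected one; the USERS store, the session dictionary and every function name are hypothetical.

```python
# Added illustration: USERS, the session dict and all function names are
# hypothetical; the two accounts below are constructed sample data.
import hashlib
import hmac
import os

class Forbidden(Exception):
    """Raised when the caller may not see or change the requested profile."""

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {
        "email": email,
        "password": password,              # retrievable copy, as the flawed page needed
        "salt": salt,
        "pw_hash": _hash(password, salt),  # what the corrected design keeps instead
    }

USERS = {
    1001: _user("alice@example.test", "constructed-pass-1"),
    1002: _user("bob@example.test", "constructed-pass-2"),
}

def edit_profile_flawed(session, userid: int) -> dict:
    """Behaviour described in the article: only the userid from the link is
    consulted, so no session is needed and any number returns a record."""
    user = USERS[userid]
    return {"email": user["email"], "password": user["password"]}

def edit_profile_fixed(session, userid: int) -> dict:
    """Require a login, require that the session owns the record, and never
    send a password back to the browser."""
    if not session or "user_id" not in session:
        raise Forbidden("login required")
    if session["user_id"] != userid:
        # Same error whether or not the id exists, so ids cannot be enumerated.
        raise Forbidden("not your profile")
    return {"email": USERS[userid]["email"]}

def change_password(session, userid: int, old: str, new: str) -> None:
    """Changing the password needs the old one; it is compared by hash."""
    edit_profile_fixed(session, userid)    # reuse the ownership check
    user = USERS[userid]
    if not hmac.compare_digest(_hash(old, user["salt"]), user["pw_hash"]):
        raise Forbidden("wrong password")
    user["salt"] = os.urandom(16)
    user["pw_hash"] = _hash(new, user["salt"])
    user.pop("password", None)             # no retrievable copy remains
```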

Demographic differences of the pass lists

Myspace is mostly teens, phpBB is a forum and singles.org is a Christian dating site. Teens tend to be more up to date on technology and use better passwords. Myspace also requires that the password be at least 6 characters, I believe (the hack was in 2006, so maybe they didn't require a numeric character yet). Teens are more likely to use references to pop culture than dictionary words or first names. Also, since the Myspace list is from a phishing attempt, people who were aware of it often used the fields to insult the scammer, so there's a lot more noise in the list. People tend to use throwaway accounts on forums like phpBB because they only sign up to get an answer real quick. Also, brute force attacks there are much more difficult since it uses captchas and limits login attempts. Singles.org is for Christians, so you'll see more Bible-related passwords.

Brute Force wordlist susceptibility analysis

If I had done a brute force attack on all the users, this is how many accounts I would have compromised with different dictionaries. The % indicates how successful the dictionary is as a whole, or it could be interpreted as the percent chance each individual account has of being hacked by the associated dictionary.



List Singles.org % phpBB % Myspace %

First names 5009 12% 4602 16% 854 2%

Dictionary 7200 18% 15739 55% 2163 5%

Milw0rm 10743 26% 20878 73% 4027 8%

Insidepro 14264 35% 19807 69% 2904 6%
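A table like the one above comes from counting, per word list, the accounts whose password is a member of that list. The following added example (not the author's script) does that and also reports what a set-time denylist built from the same lists would have rejected; the sample accounts and lists are constructed, and lower-casing before comparison is an assumption.

```python
# Added illustration: the sample accounts and word lists are constructed;
# lower-casing before comparison is an assumption, not the article's stated method.
from collections import Counter

def load_wordlist(lines):
    """Turn raw wordlist lines into a set for O(1) membership tests."""
    return {line.strip().lower() for line in lines if line.strip()}

def coverage(passwords, wordlists):
    """Per list: (accounts whose password is in the list, whole-number percent).
    Every account counts, so a password shared by 400 users adds 400."""
    total = len(passwords)
    result = {}
    for name, words in wordlists.items():
        hits = sum(1 for pw in passwords if pw.lower() in words)
        result[name] = (hits, round(100 * hits / total) if total else 0)
    return result

def denylist_effect(passwords, wordlists):
    """What rejecting every listed word at password-set time would have done:
    accounts forced to choose something else, and the most used passwords
    that no list caught (candidates to add to the denylist)."""
    denied = set().union(*wordlists.values())
    missed = Counter(pw.lower() for pw in passwords if pw.lower() not in denied)
    blocked = len(passwords) - sum(missed.values())
    return blocked, missed.most_common(3)

# Constructed sample: one entry per account, values taken from the tables above.
ACCOUNTS = ["123456", "123456", "password", "jesus", "love", "michael",
            "Joshua", "phpbb", "qwerty", "john316", "sunshine", "trustno1"]
WORDLISTS = {
    "First names": load_wordlist(["michael", "joshua", "thomas", "richard", ""]),
    "Dictionary": load_wordlist(["password", "love", "sunshine", "dragon", "monkey"]),
}

if __name__ == "__main__":
    for name, (hits, percent) in coverage(ACCOUNTS, WORDLISTS).items():
        print(f"{name} {hits} {percent}%")
    blocked, missed = denylist_effect(ACCOUNTS, WORDLISTS)
    print("denylist would have rejected", blocked, "accounts; still common:", missed)
```

The passwords that survive the denylist are the useful output for a site operator: digit runs and site-specific words such as phpbb are in neither a names list nor a dictionary.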



About the word lists

Firstnames is a list of 5495 parsed first names from ssa.gov and the Wikipedia entry of most common given names. Dictionary represents a parsed version of the OpenOffice English dictionary (hunspell actually) containing 62220 words. Milw0rm is a list of cracked passes from milw0rm.com that were submitted to their hash cracker. Insidepro has an English wordlist with many common passes.

The problem is, tiny but efficient lists like the firstnames list can easily be used, in a practical amount of time, against web forms that don't have captchas on their login. It's even faster with sites like twitter and tumblr with efficient APIs or ajax-based logins that send very small amounts of data for validation or can be checked simply by the HTTP return code (e.g. 302 for fail, login redirect, and 200 for success). The guy that vandalized 33 twitter profiles actually just did a brute force dictionary attack on a twitter admin and found her password was 'happiness'. They probably won't limit login attempts because many twitter apps rely on connecting to thousands of users' accounts from the same servers. Multithreaded pipelined programs on high-bandwidth connections can easily do several hundred to a few thousand requests per minute. SSL slows things down significantly but it's still possible to brute force.
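The paragraph above notes that limiting by source is awkward when many clients share the same servers. As an added example (not any site's actual code), this throttle counts failures per account instead and shows how long a 5495-word list takes against one account once a doubling delay applies; the class name, thresholds and delays are assumptions.

```python
# Added illustration: class name, thresholds and delays are assumptions.
class AccountThrottle:
    """Failure counter keyed on the account name rather than the source
    address, so it still works when many clients share one server."""

    def __init__(self, free_attempts=5, base_delay=2.0, max_delay=900.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._fails = {}          # account -> consecutive failed logins
        self._locked_until = {}   # account -> time the next attempt is allowed

    @staticmethod
    def _key(account):
        return account.strip().lower()

    def wait_time(self, account, now):
        """Seconds until this account accepts another attempt (0 = now)."""
        return max(0.0, self._locked_until.get(self._key(account), 0.0) - now)

    def attempt(self, account, password_ok, now):
        """password_ok stands in for the real credential check."""
        key = self._key(account)
        if self.wait_time(account, now) > 0:
            return "throttled"    # rejected without evaluating the password
        if password_ok:
            self._fails.pop(key, None)
            self._locked_until.pop(key, None)
            return "ok"
        fails = self._fails.get(key, 0) + 1
        self._fails[key] = fails
        if fails >= self.free_attempts:
            # Exponent is capped so the power cannot overflow a float.
            exponent = min(fails - self.free_attempts, 20)
            delay = min(self.base_delay * 2 ** exponent, self.max_delay)
            self._locked_until[key] = now + delay
        return "denied"

def seconds_to_try(n_guesses, throttle, account="victim"):
    """Simulated clock: time needed to submit n wrong guesses for one
    account when each guess is sent the moment the throttle allows it."""
    now = 0.0
    for _ in range(n_guesses):
        now += throttle.wait_time(account, now)
        throttle.attempt(account, False, now)
    return now

if __name__ == "__main__":
    total = seconds_to_try(5495, AccountThrottle())
    print(f"5495 guesses against one account: {total / 86400:.1f} days")
```

A delay with a cap, rather than a permanent lock, keeps the real owner from being shut out for good while guessing is under way.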

Most Common Password Length



Singles.org

Pass Length Amount Frequency

8 12855 31.54%

6 12712 31.19%

7 9052 22.21%

5 3551 8.71%

4 2207 5.41%

3 317 0.78%

2 50 0.12%

1 10 0.02%

phpbb.com

Pass Length Amount Frequency

6 10072 35.19%

8 4430 15.48%

7 4180 14.6%

5 3804 13.29%

4 3518 12.29%

9 1089 3.8%

3 837 2.92%

10 327 1.14%

2 155 0.54%

1 98 0.34%

11 63 0.22%

12 26 0.09%

13 14 0.05%

16 4 0.01%

14 4 0.01%

15 2 0.01%

Myspace

Pass Length Amount Frequency

7 11558 24.39%

8 10820 22.84%

6 8734 18.43%

9 7693 16.24%

10 5586 11.79%

11 1049 2.21%

5 671 1.42%

4 500 1.06%

12 348 0.73%

13 125 0.26%

14 71 0.15%

3 40 0.08%

16 29 0.06%

15 22 0.05%

1 16 0.03%

2 15 0.03%

18 13 0.03%

17 12 0.03%

63 10 0.02%

23 9 0.02%

19 9 0.02%

20 9 0.02%

24 5 0.01%

25 4 0.01%

22 3 0.01%

32 3 0.01%

60 3 0.01%

21 3 0.01%

28 3 0.01%

Combined

Pass Length Amount Frequency

6 31518 26.99%

8 28105 24.07%

7 24790 21.23%

9 8782 7.52%

5 8026 6.87%

4 6225 5.33%

10 5913 5.06%

3 1194 1.02%

11 1112 0.95%

12 374 0.32%

2 220 0.19%

13 139 0.12%

1 124 0.11%

14 75 0.06%

16 33 0.03%

15 24 0.02%

18 14 0.01%

17 12 0.01%

20 11 0.01%

63 10 0.01%

23 9 0.01%

19 9 0.01%



Character Frequency Analysis

Shows which numbers, letters, etc. occur most often in the passwords and at what percentage. See the Wikipedia article on most common letter frequencies. Targeted character sets can be used to brute force longer possibilities more quickly, at a reasonable pace.

Singles.org

Letter Amount Frequency ASCII

e 23875 8.84% 0x65

a 21970 8.13% 0x61

o 16234 6.01% 0x6f

s 15120 5.6% 0x73

i 14651 5.42% 0x69

n 13985 5.18% 0x6e

r 13733 5.08% 0x72

l 12971 4.8% 0x6c

t 10205 3.78% 0x74

m 8793 3.25% 0x6d

1 8348 3.09% 0x31

d 8112 3% 0x64

c 7484 2.77% 0x63

h 7174 2.66% 0x68

u 6859 2.54% 0x75

y 6637 2.46% 0x79

b 6465 2.39% 0x62

g 6145 2.27% 0x67

2 6026 2.23% 0x32

p 5198 1.92% 0x70

0 4742 1.75% 0x30

k 4495 1.66% 0x6b

3 4417 1.63% 0x33

7 4111 1.52% 0x37

4 4047 1.5% 0x34

5 3602 1.33% 0x35

j 3558 1.32% 0x6a

6 3525 1.3% 0x36

f 3192 1.18% 0x66

9 3122 1.16% 0x39

w 3066 1.13% 0x77

v 3005 1.11% 0x76

8 2824 1.05% 0x38

z 1242 0.46% 0x7a

x 827 0.31% 0x78

q 371 0.14% 0x71

_ 63 0.02% 0x5f

@ 4 0% 0x40

. 4 0% 0x2e

phpbb

Letter Amount Frequency ASCII

e 15716 8.95% 0x65

a 15434 8.79% 0x61

o 11093 6.32% 0x6f

r 10766 6.13% 0x72

s 10421 5.93% 0x73

n 9343 5.32% 0x6e

i 9210 5.24% 0x69

t 8391 4.78% 0x74

l 7657 4.36% 0x6c

m 5724 3.26% 0x6d

d 5679 3.23% 0x64

1 5488 3.13% 0x31

p 5435 3.1% 0x70

c 4961 2.83% 0x63

h 4793 2.73% 0x68

b 4286 2.44% 0x62

2 3643 2.07% 0x32

u 3586 2.04% 0x75

g 3224 1.84% 0x67

3 3210 1.83% 0x33

w 3197 1.82% 0x77

k 3079 1.75% 0x6b

y 2966 1.69% 0x79

4 2346 1.34% 0x34

f 2264 1.29% 0x66

5 2241 1.28% 0x35

6 1924 1.1% 0x36

0 1333 0.76% 0x30

v 1332 0.76% 0x76

j 1130 0.64% 0x6a

x 970 0.55% 0x78

q 963 0.55% 0x71

8 957 0.54% 0x38

7 957 0.54% 0x37

z 943 0.54% 0x7a

9 798 0.45% 0x39

* 87 0.05% 0x2a

@ 10 0.01% 0x40

(space) 7 0% 0x20

. 6 0% 0x2e

; 6 0% 0x3b

$ 5 0% 0x24

# 3 0% 0x23

! 3 0% 0x21

- 2 0% 0x2d

^ 2 0% 0x5e

/ 2 0% 0x2f

, 2 0% 0x2c

% 2 0% 0x25

` 1 0% 0x60

& 1 0% 0x26

~ 1 0% 0x7e

_ 1 0% 0x5f

MySpace

Letter Amount Frequency ASCII

e 28732 7.71% 0x65

a 26097 7% 0x61

1 23357 6.27% 0x31

o 20336 5.46% 0x6f

s 18222 4.89% 0x73

i 18032 4.84% 0x69

r 17489 4.69% 0x72

l 17061 4.58% 0x6c

n 15956 4.28% 0x6e

t 13227 3.55% 0x74

2 12751 3.42% 0x32

c 11535 3.1% 0x63

m 10592 2.84% 0x6d

b 9094 2.44% 0x62

d 9086 2.44% 0x64

y 9067 2.43% 0x79

h 9012 2.42% 0x68

u 8526 2.29% 0x75

3 8436 2.26% 0x33

0 8421 2.26% 0x30

k 7508 2.02% 0x6b

p 7119 1.91% 0x70

g 6804 1.83% 0x67

4 5892 1.58% 0x34

9 5786 1.55% 0x39

8 5327 1.43% 0x38

5 5238 1.41% 0x35

6 5118 1.37% 0x36

7 4751 1.28% 0x37

f 4532 1.22% 0x66

w 3962 1.06% 0x77

v 3768 1.01% 0x76

j 3454 0.93% 0x6a

! 1899 0.51% 0x21

z 1547 0.42% 0x7a

x 1501 0.4% 0x78

. 1080 0.29% 0x2e

q 561 0.15% 0x71

* 303 0.08% 0x2a

(space) 227 0.06% 0x20

- 176 0.05% 0x2d

$ 139 0.04% 0x24

@ 128 0.03% 0x40

_ 122 0.03% 0x5f

< 110 0.03% 0x3c

? 83 0.02% 0x3f

' 68 0.02% 0x27

; 64 0.02% 0x3b

, 52 0.01% 0x2c

= 35 0.01% 0x3d

/ 29 0.01% 0x2f

` 28 0.01% 0x60

: 26 0.01% 0x3a

] 23 0.01% 0x5d

) 19 0.01% 0x29

~ 12 0% 0x7e

( 12 0% 0x28

% 11 0% 0x25

[ 9 0% 0x5b

^ 7 0% 0x5e

> 4 0% 0x3e

} 3 0% 0x7d

" 3 0% 0x22

{ 2 0% 0x7b

n 1 0% 0xfc

S 1 0% 0xe4

² 1 0% 0xfd

Ö 1 0% 0x99

G 1 0% 0xe2

É 1 0% 0x90

| 1 0% 0x7c

¬ 1 0% 0xa9

í 1 0% 0xa1

All Combined

Letter Amount Frequency ASCII

e 68323 8.35% 0x65

a 63501 7.76% 0x61

o 47663 5.82% 0x6f

s 43763 5.35% 0x73

r 41988 5.13% 0x72

i 41893 5.12% 0x69

n 39284 4.8% 0x6e

l 37689 4.61% 0x6c

1 37193 4.54% 0x31

t 31823 3.89% 0x74

m 25109 3.07% 0x6d

c 23980 2.93% 0x63

d 22877 2.8% 0x64

2 22420 2.74% 0x32

h 20979 2.56% 0x68

b 19845 2.42% 0x62

u 18971 2.32% 0x75

y 18670 2.28% 0x79

p 17752 2.17% 0x70

g 16173 1.98% 0x67

3 16063 1.96% 0x33

k 15082 1.84% 0x6b

0 14496 1.77% 0x30

4 12285 1.5% 0x34

5 11081 1.35% 0x35

6 10567 1.29% 0x36

w 10225 1.25% 0x77

f 9988 1.22% 0x66

7 9819 1.2% 0x37

9 9706 1.19% 0x39

8 9108 1.11% 0x38

j 8142 0.99% 0x6a

v 8105 0.99% 0x76

z 3732 0.46% 0x7a

x 3298 0.4% 0x78

! 1902 0.23% 0x21

q 1895 0.23% 0x71

. 1090 0.13% 0x2e

* 390 0.05% 0x2a

(space) 234 0.03% 0x20

_ 186 0.02% 0x5f

- 178 0.02% 0x2d

$ 144 0.02% 0x24

@ 142 0.02% 0x40

< 110 0.01% 0x3c

? 83 0.01% 0x3f

; 70 0.01% 0x3b

' 68 0.01% 0x27

, 54 0.01% 0x2c

= 35 0% 0x3d

/ 31 0% 0x2f

` 29 0% 0x60

: 26 0% 0x3a

] 23 0% 0x5d

) 19 0% 0x29

~ 13 0% 0x7e

% 13 0% 0x25

( 12 0% 0x28

[ 9 0% 0x5b

^ 9 0% 0x5e

> 4 0% 0x3e

" 3 0% 0x22

# 3 0% 0x23

} 3 0% 0x7d

{ 2 0% 0x7b

Ö 1 0% 0x99

& 1 0% 0x26

S 1 0% 0xe4

² 1 0% 0xfd

¬ 1 0% 0xa9

| 1 0% 0x7c

É 1 0% 0x90

G 1 0% 0xe2

í 1 0% 0xa1

n 1 0% 0xfc
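The rank, length and character tables in this analysis can all be produced from one pass over a password file. This added example (not the author's script) builds the three tables and counts raw bytes, so entries in an unknown legacy encoding such as the 0xfc row still get one row and a correct code; SAMPLE is constructed and folding ASCII case is an assumption.

```python
# Added illustration: SAMPLE is constructed; folding ASCII case is an assumption
# suggested by the absence of capital letters in the tables above.
from collections import Counter

def _pct(count, total):
    return round(100 * count / total, 2) if total else 0.0

def load(lines):
    """One password per line as bytes. Only the line ending is stripped, so
    spaces inside a password are still counted; blank lines are dropped."""
    return [line.rstrip(b"\r\n").lower() for line in lines if line.rstrip(b"\r\n")]

def top_passwords(passwords, n=50):
    """Rows of (rank, percent of accounts, repetitions, password)."""
    counts = Counter(passwords)
    return [(rank, _pct(reps, len(passwords)), reps, pw)
            for rank, (pw, reps) in enumerate(counts.most_common(n), start=1)]

def length_table(passwords):
    """Rows of (length, amount, percent of accounts), most common first."""
    counts = Counter(len(pw) for pw in passwords)
    return [(length, amount, _pct(amount, len(passwords)))
            for length, amount in counts.most_common()]

def char_table(passwords):
    """Rows of (label, amount, percent of all bytes, hex code).
    Counting bytes instead of decoded characters means nothing is lost or
    double counted when the encoding of an entry is unknown."""
    counts = Counter(byte for pw in passwords for byte in pw)
    total = sum(counts.values())
    rows = []
    for byte, amount in counts.most_common():
        if 0x21 <= byte <= 0x7E:
            label = chr(byte)
        elif byte == 0x20:
            label = "(space)"
        else:
            label = "(other)"     # control or non-ASCII byte: the hex code identifies it
        rows.append((label, amount, _pct(amount, total), f"0x{byte:02x}"))
    return rows

# Constructed input, including CRLF endings, a capital, a blank line and one
# Latin-1 byte (0xfc).
SAMPLE = [b"123456\n", b"123456\r\n", b"Password1\n", b"jesus\n",
          b"iloveyou!\n", b"m\xfcnchen\n", b"\n"]

if __name__ == "__main__":
    pws = load(SAMPLE)
    for row in top_passwords(pws, 3):
        print(*row)
    for row in length_table(pws):
        print(*row)
    for row in char_table(pws):
        print(*row)
```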



Someone could have a database with your info on it

It's possible your account information has already been hacked before. Huge sites like thepiratebay, reddit, stage6, kaspersky, credit card online payment services, bitdefender and monster.com (several times), to name a few, have all been hacked or had backup drives stolen. Given that it's pretty damaging information, it would be no surprise that companies don't report such things. Singles.org said it reset all the passwords for 'maintenance' instead of acting immediately and urging all users to change their passwords for any other account that used the same pass. In the meantime, screenshots of vandalized Facebook accounts, emails with messages to everyone in the address book saying the person has AIDS or has converted to Islam, and even abused PayPal and Amazon payments were showing up. It's also possible the site administrators don't even realise their server has been compromised, and the hacker can log any password for as long as they go undetected, as in the case of the phpBB hack. If your information is being sent to another server when you click login, it doesn't make a difference how your pass is being hashed in the database. Even if your passwords are encrypted in a one-way hash, brute force attacks are possible, and as CPU and GPU capabilities increase, passwords only get weaker and easier to crack. Myspace, YouTube, Facebook accounts, etc. are relatively safe so long as they have a captcha. You're more likely to get your password hacked from some random not-so-popular site or forum that you might have long forgotten about by now.

Final Notes

It's a shame people's usernames are most often longer and much harder to guess than their actual passwords. More time is spent thinking of a unique username than a password because most are already taken on sites with a huge userbase. You should never use the same password for all your accounts and should always use a completely different password for your email, a password you use nowhere else. Recently a lot of screenshots of vandalism using singles.org email / Facebook accounts have popped up. Once a hacker gets into your email they can get all the other passwords you might use for different accounts. People don't think hackers would go out of their way to hurt them personally, but it's usually the case that they get their hands on a database and just go through the list without personally knowing anyone, looking for financial data or just being trolls. Many sites are hacked by script kiddies with no programming skills who lurk for exploits which they can copy and paste, and use their favorite apps to try to brute force the passwords which are encrypted.

The Myspace list has a higher probability of inaccuracy, as several people could have noticed it was a phishing site and filled it out inaccurately just to flood it or put offensive things attacking the person phishing. I tried to filter out the obvious fake responses and remove dupes. There's always the chance people make several accounts with different email addresses and it skews the results; this shouldn't skew the results too much given the amount of accounts.

More Analysis to come maybe

What percentage of accounts would have been hacked after x time of being brute forced (all possibilities, not wordlists) using CUDA GPU bruteforcers if the passwords were stored as MD5.

What percentage of accounts have numbers at the end and what are the most common, e.g. 0-9, 007, 666, 2009.

More dictionary tests.

% only alphanumeric and numeric.
