The highest form of ignorance is when you reject something you don't know anything about.

Wayne Dyer (b 1940)

Most Used Passwords Of All Times

This list was compiled from multiple password leaks, hacks and social engineering traps.
It's made for you to realize the importance of a good & strong password.
Please read the Do's and Don'ts; it may save you from misery.

The full list (updated constantly) is available HERE!
Last count ~ 1,500,000,000  

The following is a compilation of real password lists, composed of: (Name, Count)

Name                      Count
Rockyou List         32,603,389
BlackKnights          5,088,332
Hash Hack               546,840
PhPbb List              184,389
Gawker Hack              82,600   (and counting ... ~500,000 minimum expected)
Tuscl                    38,820
MySpace Phished          37,144
Hotmail Hack             21,652
Faithwriters hack         8,347
Angelfire                 8,087
Facebook Phished          6,540
Gawker Release            2,651   (c) Gnosis
Common pswd used          2,445
Worst 500                   500
Most Used 500               500   (c) Mark Burnett
Twitter Banned              370
Gawker Most Used            250   (out of 400,000) (c) Duo Security
Facebook Stolen            ~150

Total Raw:  ~38,000,000 passwords

Total with duplicates removed, sorted by occurrences: 19,584,249 unique passwords

Fun Facts:
- No password in the top 1000 contains a symbol (!@#$% ... etc.)
- In the raw list the following strings were found this many times: "fuck" 74,326; "love" 13,947; "123" 1,265,285; "1234" 691,434; "monkey" 49,296; etc.
- It would not take long to create variations, adding millions to a crack list...
- Most of the top 2000 are derivatives of "words"
- The first use of a capitalized letter is at position #800, in "PASSWORD" (You can't see me, but I am crying...)
Twitter: @GinaTrapani about the Gawker hack
- If you believe you are safe using "m0nk3y" instead of "monkey", you'll be in for a surprise. It would take an average of 15 seconds to crack it. Ditto for m0ndays, p@ssw0rd, etc.
- It would take me a maximum of 6.5 minutes to run the first 500,000 passwords on Aircrack-ng, 3.7 minutes on JTR and 50 seconds on Aircrack-ng CUDA
- Today, you can rent on Amazon EC2 for $2.10 an hour enough computing power to run ~50,000 passwords/sec, or 180 million passwords per hour.
- A medium-sized botnet can churn 36 billion keys per hour. Free of charge.

You have been warned!  Choose wisely ....
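As an added example (not code from the original page), here is the compilation step described above done in Python: several raw lists are merged into occurrence counts, duplicates are dropped, the unique passwords are ranked by occurrences, and the "fun facts" are checked (symbol in the top N, weighted substring counts, first entry with a capital letter). The three mini lists are constructed sample data standing in for the real leaks.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample "leaks"; they stand in for the real lists on the page.
SAMPLE_LISTS: Dict[str, List[str]] = {
    "leakA": ["123456", "password", "iloveyou", "123456", "monkey",
              "Pa$$w0rd!", "123456789"],
    "leakB": ["123456", "12345", "password", "m0nk3y", "love123", "123456"],
    "leakC": ["princess", "123456", "12345", "PASSWORD", "abc123"],
}

SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ")


def merge_lists(lists: Dict[str, Iterable[str]]) -> Counter:
    """Raw merge: every occurrence counts, so the total equals the raw size."""
    merged: Counter = Counter()
    for pwds in lists.values():
        merged.update(p for p in pwds if p)
    return merged


def ranked(counts: Counter) -> List[Tuple[str, int]]:
    """Duplicates removed, sorted by occurrences (ties broken alphabetically)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def top_n_has_symbol(rank: List[Tuple[str, int]], n: int) -> bool:
    """The page's first fun fact: does any of the top n contain a symbol?"""
    return any(set(p) & SYMBOLS for p, _ in rank[:n])


def substring_hits(counts: Counter, needle: str) -> int:
    """Raw-list count of entries containing needle, weighted by occurrences."""
    return sum(c for p, c in counts.items() if needle in p)


def first_capitalized_rank(rank: List[Tuple[str, int]]) -> Optional[int]:
    """1-based rank of the first entry with an upper-case letter, if any."""
    for pos, (p, _) in enumerate(rank, start=1):
        if any(ch.isupper() for ch in p):
            return pos
    return None


if __name__ == "__main__":
    counts = merge_lists(SAMPLE_LISTS)
    rank = ranked(counts)
    print(f"raw: {sum(counts.values())}  unique: {len(counts)}")
    for pos, (p, c) in enumerate(rank[:5], start=1):
        print(f"{pos:>3}: {c:>6}  {p}")
```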


Top 1000 Passwords of All Times

Top 2000 Passwords of All Times

All Times, That is until the next big one.. 

Top 10
Rank    Count    Password

   1   290834    123456
   2    79096    12345
   3    76822    123456789
   4    59494    password
   5    49977    iloveyou
   6    33314    princess
   7    21748    1234567
   8    20902    rockyou
   9    20575    12345678
  10    16662    abc123

Do's and Don'ts

Don't use a Password! Use a Passphrase!
When asked for a password, you have a tendency to use a "word". A single one!
Instead, use a sentence or a phrase: it's easier to remember, easier to add caps and spaces to, and it will increase the length by a factor of 2 or 3.
Do Use Your Keyboard. The Entire Keyboard!
Just using numbers is the worst, adding letters is better, adding upper and lower case is good. Now add symbols and you'll have a very good passphrase. If you want to give me a hard time cracking your passphrase, use a MAEP: "Mnemonically Algorithmic Enhanced Passphrase"

A Mnemonically Algo What?
- Yes, I know, it's just the name....
Let's rephrase that as an "easy to remember, complex passphrase that changes..."

- Let's pretend that your old password is "ilovebeef". It's weak, and dead easy to crack.
"ilovebeef" is all lower case, made of easy words.
Change that to: "I Love Beef". You've added caps and spaces, and increased the length by 2 characters without any pain remembering it. As a hacker, I now have to run a much, much longer dictionary. Not good for me, but good for you!
Still, "I Love Beef" is "guessable" (but it is not found in the 38M passwords of the list).
Now, you know that "I" is in fact "you".
"You" probably have plenty of personal numbers known only to you, e.g. the last 4 digits of a number.
So, take that number, e.g. "7845", and type it with the Shift key of your keyboard held down: you'll get "&*$%".
FYI, hacker speaking, "&*$% Love Beef" starts to be a tough one to crack.
Now, imagine that you go "7845&*$% Love Beef": you still know what it means, it's easy to remember, and it is 18 characters long.
The Algo Part
On top of the passphrase, you can add a prefix or suffix based on the website. It's a well-known trick, but it adds a few characters and increases the difficulty a few fold.
Example: for Gmail, you can add a "+gmail" or "~mail" to your passphrase. It gives you a different passphrase for each website.
So, coming from "ilovebeef" you can reach, without any remembering issue, "7845&*$% Love Beef~mail" or "7845&*$% Love Beef~work".
Such a password is practically uncrackable, and even a very, very patient hacker will never have the time to brute force it.
You don't have to use 25 characters; 15 is long enough. Consider that 15 characters drawn from the entire keyboard (printable characters) generates 15^127 possibilities, or in full: 1,253,437,565,941,480,000,000,000,000,000,000,000
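As an added example (not the author's code), here is the construction above in Python, plus a search-space estimate. shift_digits reproduces the Shift-key trick, build_maep assembles "<number><shifted number> Love Beef<site tag>", and keyspace_bits computes the brute-force space as alphabet size raised to the length (95 printable ASCII characters, so 95^15 for a 15-character passphrase), with the time to exhaust it at the EC2 and botnet guess rates quoted in the fun facts. The US keyboard shift map and the rate constants are assumptions taken from the page's own figures.

```python
import math
import string
from typing import Dict

# US keyboard row: the symbol each digit produces with Shift held down
# (the page's "7845" -> "&*$%").
SHIFTED_DIGITS: Dict[str, str] = dict(zip("1234567890", "!@#$%^&*()"))

# Guess rates quoted on the page, in guesses per hour.
EC2_PER_HOUR = 180_000_000          # ~50,000/sec rented for $2.10/hour
BOTNET_PER_HOUR = 36_000_000_000    # "a medium-sized botnet"


def shift_digits(digits: str) -> str:
    """Map each digit to its Shift-key symbol; anything else passes through."""
    return "".join(SHIFTED_DIGITS.get(ch, ch) for ch in digits)


def build_maep(words: str, personal_number: str, site_tag: str = "") -> str:
    """Assemble the passphrase the way the page does:
    <number><shifted number> <Capitalized Words><site tag>."""
    capitalized = " ".join(w.capitalize() for w in words.split())
    return f"{personal_number}{shift_digits(personal_number)} {capitalized}{site_tag}"


def keyspace_bits(pw: str) -> float:
    """Brute-force search space when the attacker knows only which character
    classes are used: alphabet_size ** len(pw), returned as log2 bits."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c == " " or c in string.punctuation for c in pw):
        alphabet += len(string.punctuation) + 1   # 32 symbols + space
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def hours_to_exhaust(pw: str, guesses_per_hour: float) -> float:
    """Worst-case hours to try the whole keyspace at the given rate."""
    return 2 ** keyspace_bits(pw) / guesses_per_hour


if __name__ == "__main__":
    for pw in ("ilovebeef", "I Love Beef", build_maep("love beef", "7845", "~mail")):
        print(f"{pw!r:28} {keyspace_bits(pw):6.1f} bits  "
              f"{hours_to_exhaust(pw, BOTNET_PER_HOUR):.3g} botnet-hours")
```

Dictionary and rule-based attacks guess far fewer candidates than the full keyspace, so these figures are an upper bound on attacker effort, not a guarantee.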
Don't Trust Me!
I mean, don't trust yourself too much. Or don't trust them too much. In case of a smart phishing website, or Gawker-type stupid security, even the most secure passwords could be compromised. One of the best solutions is to use "disposable email addresses".
Keep a good one for important stuff, and use disposables for the rest. Never link or use your "good" email address for things such as commenting on a website, Facebook, Twitter or your multiple Groupon, Yelp, LinkedIn, Skype, MSN, etc. accounts.
If a disposable email address is compromised, just kill it and replace it with another one.
I can't remember them!
OK then, use the Master Password in Firefox (free), or even better, use "1Password" (fee).
You can also generate your own true random passphrase with GRC.com
(up to 63 true random printable ASCII characters). Virtually uncrackable as long as you stay over 12 characters in length.

Want to know more?  
 
