The highest form of ignorance is when you reject something you don't know anything about.

Wayne Dyer (b 1940)

Top 100 Worst Passwords of All Time

This list is a compilation of 49 leaks and hacks that were made public.
The Master Passwords 2014 Wordlist is composed of about 598,712,000 real passwords.
The details are explained below in the < Rant > part. 

If anyone has news about:
 1) WPT Amateur Poker League
 2) eBay 
Please let me know, we could find a mutually beneficial exchange of information.

I have bad news for you:
In the past 20 years, computers have evolved incredibly fast. Alas, our brains did not, and people are still really bad at picking passwords. Since we've been stuck with the same brain for a while, we tend to think alike, and people keep picking the same (bad) passwords or patterns over and over again. The bad news? A quick statistical analysis will provide you (or me) (or the bad guy) with enough ammo to rip your

This list differs slightly from the previous one, with newcomers to the top 100, mainly thanks to the Adobe "House-Of-Cards" Protocol: a single user can reveal the password of 10,000 1,911,938 others (exactly) (within minutes).

Take a look below and you'll be surprised.

The full Master Passwords list is available here
Passwords in italics are pattern-based.

Rank Count Password | Rank Count Password | Rank Count Password
1 1343751 123456 | 34 34986 charlie | 67 23946 internet
2 523769 123456789 | 35 34969 computer | 68 23832 asdfasdf
3 411288 password | 36 34771 asdfgh | 69 23713 zxcvbnm
4 223699 12345678 | 37 34711 nicole | 70 23508 buster
5 211665 adobe123 | 38 34157 michelle | 71 23497 1qaz2wsx
6 146405 1234567 | 39 34108 superman | 72 23353 asdfghjkl
7 145684 qwerty | 40 33875 tigger | 73 23294 555555
8 127770 111111 | 41 33376 chocolate | 74 23026 753951
9 123196 12345 | 42 32941 121212 | 75 22795 summer
10 99254 iloveyou | 43 32684 soccer | 76 22786 123qwe
11 92613 123123 | 44 31825 fuckyou | 77 22636 alexander
12 89501 000000 | 45 30539 football | 78 22594 rockyou
13 89196 abc123 | 46 29749 jordan | 79 22474 killer
14 85660 1234567890 | 47 29309 master | 80 22198 pepper
15 83473 photoshop | 48 28928 jennifer | 81 22109 fdsa
16 63929 princess | 49 28842 987654321 | 82 21919 asdasd
17 63158 1234 | 50 28760 112233 | 83 21470 qazwsx
18 57964 654321 | 51 28538 liverpool | 84 21135 222222
19 56758 adobe1 | 52 28516 hannah | 85 20920 ginger
20 56680 macromedia | 53 27841 adobeadobe | 86 20470 freedom
21 49519 azerty | 54 27459 qwertyuiop | 87 20329 trustno1
22 48551 monkey | 55 27337 purple | 88 20192 samsung
23 47852 sunshine | 56 27321 andrea | 89 20094 abcd1234
24 47325 aaaaaa | 57 26987 thomas | 90 20030 dreamweaver
25 45067 666666 | 58 26340 joshua | 91 19950 abcdef
26 44412 daniel | 59 25745 andrew | 92 19811 102030
27 42761 michael | 60 25636 welcome | 93 19374 11111111
28 40643 password1 | 61 25596 secret | 94 19017 123654
29 39260 123321 | 62 25250 whatever | 95 18965 123123123
30 38144 jessica | 63 24564 7777777 | 96 18022 abc
31 36577 shadow | 64 24221 1q2w3e4r | 97 17981 matrix
32 36170 letmein | 65 24103 maggie | 98 17166 1q2w3e
33 35385 dragon | 66 24049 baseball | 99 17056 test
100 16600 asdfghj
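The practical use of a table like this is on the defending side: refuse the entries outright when a user picks a password. The following Go program is an added example, not code from the post or its author. It embeds a subset of the table above as a constructed blocklist (a real service would load the full list from a file), and adds two cheap pattern checks that cover the "pattern-based" entries: one character repeated (111111, aaaaaa) and contiguous runs along a keyboard row, the digit row or the alphabet in either direction (qwerty, asdfgh, zxcvbnm, 987654321, abcdef). Column walks such as 1q2w3e4r and qazwsx are not modelled; the function names, the `walks` table and the 8-character minimum are this example's own choices.

```go
package main

import (
	"fmt"
	"strings"
)

// worstPasswords is a subset of the post's top-100 table, embedded here so
// the example runs offline. A real deployment would load the full Master
// Passwords list (or any breach-derived list) from a file instead.
var worstPasswords = map[string]bool{}

func init() {
	for _, p := range []string{
		"123456", "123456789", "password", "12345678", "adobe123", "1234567",
		"qwerty", "111111", "12345", "iloveyou", "123123", "000000", "abc123",
		"photoshop", "princess", "1234", "654321", "adobe1", "macromedia",
		"azerty", "monkey", "sunshine", "password1", "letmein", "trustno1",
	} {
		worstPasswords[p] = true
	}
}

// walks are the rows and sequences behind the table's pattern-based entries
// (qwerty, asdfgh, zxcvbnm, 1234567890, abcdef, azerty ...). Column walks such
// as 1q2w3e4r are not modelled here.
var walks = []string{
	"1234567890",
	"qwertyuiop", "asdfghjkl", "zxcvbnm",
	"azertyuiop", "qsdfghjklm", "wxcvbn",
	"abcdefghijklmnopqrstuvwxyz",
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// isKeyboardWalk reports whether candidate is a contiguous run of at least
// minRun characters along one of the walks, forwards or backwards.
func isKeyboardWalk(candidate string, minRun int) bool {
	if len(candidate) < minRun {
		return false
	}
	for _, w := range walks {
		if strings.Contains(w, candidate) || strings.Contains(reverse(w), candidate) {
			return true
		}
	}
	return false
}

// isRepeated reports whether the candidate is one character repeated (111111, aaaaaa).
func isRepeated(candidate string) bool {
	r := []rune(candidate)
	for _, c := range r {
		if c != r[0] {
			return false
		}
	}
	return len(r) > 0
}

// CheckPassword returns "" when the candidate is acceptable, otherwise the
// reason it was rejected. Matching is case-insensitive because "Password"
// and "PASSWORD" are the same guess for anyone working from this table.
func CheckPassword(candidate string) string {
	lower := strings.ToLower(candidate)
	switch {
	case worstPasswords[lower]:
		return "appears in breach list"
	case isRepeated(lower):
		return "single repeated character"
	case isKeyboardWalk(lower, 4):
		return "keyboard or sequence walk"
	case len([]rune(lower)) < 8:
		return "too short"
	}
	return ""
}

func main() {
	for _, p := range []string{"123456", "Password", "zxcvbnm", "0987654321", "aaaaaaaa", "abc", "mauve-teapot-42!"} {
		fmt.Printf("%-18q -> %q\n", p, CheckPassword(p))
	}
}
```

The blocklist check runs before the length check on purpose: "1234" is rejected because it is the 17th most common password, which is a more useful message to a user than "too short".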

< Rant >

Thank you Adobe! 
Having 130 million accounts leaked online was already pretty bad, but thanks to some incredible stupidity, or disregard for your customers, you chose to use the same symmetric key for everyone and then made one bad choice after another:
1) All identical passwords have the same Key (the same encrypted value)
2) Adobe left the hint in *clear*
3) Then some people just give out their passwords, flat-out, in the "Hint" field.

A hint is something that should be somewhat subtle; alas, this is not understood by everyone.

Anyone with two connected neurons can now collect millions of passwords with the corresponding email address. Heeeyaaaa! Spammers and criminals are thanking you!

Please allow me a small smörgåsbord of examples, with some of them waiting to receive a Darwin Award. 

[edited]|-6KJbvp1JGKY=-|-Color Starts with P|--
- hmm.... pellow? plue? preen? pose? Tough one... purple maybe?

Now that we have a serious hint that "6KJbvp1JGKY=" equals purple, all you have to do is confirm it: just read the hints, they are in *clear*.

[edited]|-6KJbvp1JGKY=-|-What is the color of plums?|--
[edited]|-6KJbvp1JGKY=-|-colour purple|--
[edited]|-6KJbvp1JGKY=-|-a color almost the same as violet|--
[edited]|-6KJbvp1JGKY=-|-p u r p l e ( NO SPACE )|--

Then you have little doubt left that "6KJbvp1JGKY=" is "purple".

If you grep the file for "6KJbvp1JGKY=", you can quickly count how many times it appears: 16,092 times.
In 30 seconds, you've discovered 16,000 accounts (passwords and emails).
The major issue with leaving the hints in clear is a house-of-cards effect: not only does it directly affect multiple accounts (one user will reveal the password of many), but it can also branch out far and wide. A house of cards AND a snowball effect, making it a perfect storm.
Someone may have used an unguessable hint, but it will be revealed anyway by the ECB encryption: same key = same password.
  [edited]|-6KJbvp1JGKY=-|-myspace password|--
Even if "[edited]" did not reveal his password, "[edited]" did it for him, and for 2 different accounts: you now have his Adobe account and his Myspace account too.

Having your Myspace or FB account hacked is not funny, but hey, you'll survive. Just tell your mom that it's not you drunk-naked in the picture. Mention to your boss too that you never posted that his wife is an ugly fat cow.

Where it may hurt a bit more is when you leave a hint such as "Same as Amazon": you may have just given someone access to your Amazon account. Is there a credit card number associated with it?

But hey, nobody is stupid enough to leave a hint such as this, right? 

[edited]=-|-same as amazon|--
[edited]=-|-same as amazon|--
[edited]=-|-same as amazon|--
[edited]=-|-same as amazon pass|--
[edited]=-|-same as computer, same as amazon account|--
[edited]=-|-amazon account password is the same|--

And that goes on for hundreds of them....

So thanks a lot! Lemme order a few things on Amazon... I always wanted a good GPU or two (2880 CUDA cores :) Coupled with JTR or Hashcat, it's going to be fun... a few million hashes per second...
Plus, thanks to Adobe, you're paying ...

All you have to do is sort the file by encryption key and read a bit. Within minutes you'll have thousands of accounts, and within 2 hours, with a little grep, you'll get 1,341,000 accounts & passwords without breaking a sweat.

Knowing that 45-50% of people re-use their password on other sites, one could imagine the tally: 625,000 reusable passwords
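Why does "sort the file by encryption key" work at all? Because the storage scheme described above is deterministic: one key for every user, no per-user salt, and ECB, so two users with the same password get byte-for-byte the same stored value, and the hint of either one unlocks both. The Go program below is an added example, not code from the post or from Adobe. It reproduces that scheme (AES-128 with zero padding is an assumption; the page does not say which cipher was used), puts a salted slow hash next to it (PBKDF2-HMAC-SHA256, implemented inline so nothing outside the standard library is needed), and measures the "house of cards" number for both: the size of the largest group of identical stored values, which is exactly what the grep in the rant counts. The demo key and the user list are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

const demoIterations = 10000 // PBKDF2 work factor, kept low so the demo is quick

// ecbEncrypt reproduces the storage scheme the post describes: one fixed
// symmetric key for every user, no salt, each block encrypted independently
// (ECB). AES-128 and zero-byte padding are assumptions of this example; the
// page does not say which cipher was used.
func ecbEncrypt(key []byte, password string) []byte {
	cipher, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := cipher.BlockSize()
	padded := []byte(password)
	if rem := len(padded) % bs; rem != 0 {
		padded = append(padded, bytes.Repeat([]byte{0}, bs-rem)...)
	}
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		// No IV and no chaining: equal plaintext blocks give equal ciphertext blocks.
		cipher.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out
}

// pbkdf2HMACSHA256 is a plain RFC 8018 PBKDF2 so the example needs nothing
// outside the standard library.
func pbkdf2HMACSHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// SaltedRecord is what a service should store instead: a random per-user salt
// and a slow salted hash, so equal passwords no longer produce equal stored values.
type SaltedRecord struct {
	Salt []byte
	Hash []byte
}

func storeSalted(password string) SaltedRecord {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return SaltedRecord{Salt: salt, Hash: pbkdf2HMACSHA256([]byte(password), salt, demoIterations, 32)}
}

func verifySalted(rec SaltedRecord, password string) bool {
	return hmac.Equal(rec.Hash, pbkdf2HMACSHA256([]byte(password), rec.Salt, demoIterations, 32))
}

// largestCluster is the "sort the file by encryption key" step from the post
// turned into a measurement: group stored values byte-for-byte and return the
// biggest group. Under ECB it equals the number of users sharing the most
// common password (one revealed password opens them all); with salts it is 1.
func largestCluster(stored [][]byte) int {
	counts := map[string]int{}
	best := 0
	for _, v := range stored {
		counts[string(v)]++
		if counts[string(v)] > best {
			best = counts[string(v)]
		}
	}
	return best
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	users := []string{"purple", "purple", "123456", "purple", "monkey"}
	var ecb, salted [][]byte
	for _, p := range users {
		ecb = append(ecb, ecbEncrypt(key, p))
		salted = append(salted, storeSalted(p).Hash)
	}
	fmt.Println("ECB value of purple    :", base64.StdEncoding.EncodeToString(ecb[0]))
	fmt.Println("largest cluster, ECB   :", largestCluster(ecb))    // 3
	fmt.Println("largest cluster, salted:", largestCluster(salted)) // 1
}
```

Run it and the ECB column shows one base64 string three times, which is the whole attack surface the rant describes: a reader who learns that string once, from any one hint, has the password of every account carrying it. The salted column has no repeats, so a leaked hint gives away at most the one account it belongs to, and the iteration count makes guessing each record cost real work.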

So why did Adobe, a company with a lot of resources, do such a bad job of protecting your account?
The answer is that it's cheaper and faster to have a lawyer release a carefully crafted PR statement than to spend some money (and time) protecting your account.

< Rant/ >

So, why is it bad? And what can YOU do to protect not only your account but also your bank account? If you've read the PR release from Adobe, you'll have noticed that they *think* that no credit card numbers were accessed in *clear*.

The really scary part is that about 50% of people re-use the same passwords again and again: a quick grep over "always", "identical", "same" and "usual" returns over 1 million hits.
Then, sifting through the hints, you find the scary ones: "same email pass", "same as student loan", "same as email", "same Amazon".

And then come the Kings of Kings: "same as bank" and "same as social".
Ditto, hundreds of them! They are begging to be pwned or financially raped.
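A service that insists on storing hints at all can at least refuse the two kinds quoted above: hints that spell out the password, and hints that announce where else it is used. The following Go function is an added example, not code from the post or from Adobe. It normalises both strings (lower-case, letters and digits only) so that "p u r p l e ( NO SPACE )" is caught as containing "purple", and it matches the words the rant greps the hint column for ("same", "always", "identical", "usual") together with the services the quoted hints point at. The regex, the function names and the sample passwords are this example's own; the hint texts are modelled on the ones quoted in the post.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// normalize lower-cases and keeps only letters and digits, so a hint written
// as "p u r p l e ( NO SPACE )" still compares equal to the password "purple".
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// crossRef covers the words the post greps the hint column for ("same",
// "always", "identical", "usual") and the other services the scary hints
// point at. The word list comes from the page; the regex is this example's own.
var crossRef = regexp.MustCompile(`\b(same|always|identical|usual|amazon|bank|social|email|student loan|myspace|facebook|fb)\b`)

// CheckHint returns "" when the hint may be stored, otherwise why it must be
// rejected: it spells out the password, or it tells a reader which other
// account shares that password.
func CheckHint(password, hint string) string {
	np, nh := normalize(password), normalize(hint)
	if np != "" && strings.Contains(nh, np) {
		return "hint contains the password"
	}
	if crossRef.MatchString(strings.ToLower(hint)) {
		return "hint points at another account or says the password is reused"
	}
	return ""
}

func main() {
	// Passwords are constructed; hints are modelled on the ones quoted in the post.
	samples := []struct{ pw, hint string }{
		{"purple", "Color Starts with P"},
		{"purple", "colour purple"},
		{"purple", "p u r p l e ( NO SPACE )"},
		{"hunter2", "same as amazon"},
		{"hunter2", "same as bank"},
		{"hunter2", "first pet"},
	}
	for _, s := range samples {
		fmt.Printf("%-28q -> %q\n", s.hint, CheckHint(s.pw, s.hint))
	}
}
```

"Color Starts with P" passes this check, and that is the limit of what a filter can do: it is still a weak hint, and the ECB equality leak shown in the rant makes even a good hint dangerous once any other user of the same password has a bad one. Not storing hints, and not storing passwords deterministically, are the real fixes; the filter only stops the self-inflicted cases.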

So, dear Uber-Moron, thanks a lot for telling *in clear* where someone should hit you. 

Being able to access your email is already pretty scary: forget pwning your Facebook account; accessing your emails and looking for bank or loan info, etc., then kicking you out of your own email account and requesting a password change for your bank....

But you think that being owned and pwned that badly cannot happen to you? Nope. Just take a look at Gawker, with its CEO using "24862486" as his password, or this other CEO, of an Internet security company, mind you, getting so pwned that he could not sit for weeks.
