The Master Passwords 2014 Wordlist is composed of about 598,712,000 real passwords.
The details are explained below in the < Rant > part.
If anyone has news about:
1) WPT Amateur Poker League
2) eBay
Please let me know, we could find a mutually beneficial exchange of information.
I have bad news for you:
In the past 20 years, computers have evolved incredibly fast. Alas, our brains did not and people are still really bad at picking passwords. As we've been stuck with the same brain for a while, we tend to think alike and people keep on picking the same (bad) passwords, or patterns over and over again. The bad news? a quick statistical analysis will provide you (or me) (or the bad guy) with enough ammo to rip your
This list differs slightly from the previous with newcomers to the top 100, mainly thanks to Adobe "House-Of-Cards" Protocol: A single user can reveal the password of
Take a look below and you'll be surprised.
The full Master Passwords list is available here
Passwords in italic are patterns based
| Rank | Count | Password | Rank | Count | Password | Rank | Count | Password |
| 1 | 1343751 | 123456 | 34 | 34986 | charlie | 67 | 23946 | internet |
| 2 | 523769 | 123456789 | 35 | 34969 | computer | 68 | 23832 | asdfasdf |
| 3 | 411288 | password | 36 | 34771 | asdfgh | 69 | 23713 | zxcvbnm |
| 4 | 223699 | 12345678 | 37 | 34711 | nicole | 70 | 23508 | buster |
| 5 | 211665 | adobe123 | 38 | 34157 | michelle | 71 | 23497 | 1qaz2wsx |
| 6 | 146405 | 1234567 | 39 | 34108 | superman | 72 | 23353 | asdfghjkl |
| 7 | 145684 | qwerty | 40 | 33875 | tigger | 73 | 23294 | 555555 |
| 8 | 127770 | 111111 | 41 | 33376 | chocolate | 74 | 23026 | 753951 |
| 9 | 123196 | 12345 | 42 | 32941 | 121212 | 75 | 22795 | summer |
| 10 | 99254 | iloveyou | 43 | 32684 | soccer | 76 | 22786 | 123qwe |
| 11 | 92613 | 123123 | 44 | 31825 | fuckyou | 77 | 22636 | alexander |
| 12 | 89501 | 000000 | 45 | 30539 | football | 78 | 22594 | rockyou |
| 13 | 89196 | abc123 | 46 | 29749 | jordan | 79 | 22474 | killer |
| 14 | 85660 | 1234567890 | 47 | 29309 | master | 80 | 22198 | pepper |
| 15 | 83473 | photoshop | 48 | 28928 | jennifer | 81 | 22109 | fdsa |
| 16 | 63929 | princess | 49 | 28842 | 987654321 | 82 | 21919 | asdasd |
| 17 | 63158 | 1234 | 50 | 28760 | 112233 | 83 | 21470 | qazwsx |
| 18 | 57964 | 654321 | 51 | 28538 | liverpool | 84 | 21135 | 222222 |
| 19 | 56758 | adobe1 | 52 | 28516 | hannah | 85 | 20920 | ginger |
| 20 | 56680 | macromedia | 53 | 27841 | adobeadobe | 86 | 20470 | freedom |
| 21 | 49519 | azerty | 54 | 27459 | qwertyuiop | 87 | 20329 | trustno1 |
| 22 | 48551 | monkey | 55 | 27337 | purple | 88 | 20192 | samsung |
| 23 | 47852 | sunshine | 56 | 27321 | andrea | 89 | 20094 | abcd1234 |
| 24 | 47325 | aaaaaa | 57 | 26987 | thomas | 90 | 20030 | dreamweaver |
| 25 | 45067 | 666666 | 58 | 26340 | joshua | 91 | 19950 | abcdef |
| 26 | 44412 | daniel | 59 | 25745 | andrew | 92 | 19811 | 102030 |
| 27 | 42761 | michael | 60 | 25636 | welcome | 93 | 19374 | 11111111 |
| 28 | 40643 | password1 | 61 | 25596 | secret | 94 | 19017 | 123654 |
| 29 | 39260 | 123321 | 62 | 25250 | whatever | 95 | 18965 | 123123123 |
| 30 | 38144 | jessica | 63 | 24564 | 7777777 | 96 | 18022 | abc |
| 31 | 36577 | shadow | 64 | 24221 | 1q2w3e4r | 97 | 17981 | matrix |
| 32 | 36170 | letmein | 65 | 24103 | maggie | 98 | 17166 | 1q2w3e |
| 33 | 35385 | dragon | 66 | 24049 | baseball | 99 | 17056 | test |
| 100 | 16600 | asdfghj |
< Rant >
Thank you Adobe!
Having 130 million accounts leaked online was already pretty bad, but thanks to some incredible stupidity, or disregard to your customers, you've chosen to use the same symmetric key and one bad choice after another:
1) All identical passwords have the same Key.
2) Adobe left the hint in *clear*
3) Then some people just give out their passwords, flat-out, in the "Hint" field.
A Hint is something that should somewhat subtle, alas, this is not understood by everyone.
Anyone, with two neurons connected can now collect millions of passwords with the corresponding email address. Heeeyaaaa! Spammers and criminals are thanking you!
Please allow me a small smörgåsbord of examples, with some of them waiting to receive a Darwin Award.
[edited]@yahoo.com-|-6KJbvp1JGKY=-|-Color Starts with P|--
- humm.... pellow? plue? preen? pose? Though one... purple maybe?
Now that we have a serious hint that "6KJbvp1JGKY=" equals purple, all you have to do is to confirm it: Just read the hints , they are in *clear*.
[edited]@gmail.com-|-6KJbvp1JGKY=-|-What is the color of plums?|--
[edited]@shaw.ca-|-6KJbvp1JGKY=-|-colour purple|--
[edited]@hotmail.com-|-6KJbvp1JGKY=-|-a color almost the same as violet|--
[edited]@msn.com-|-6KJbvp1JGKY=-|-p u r p l e ( NO SPACE )|--
Then you have little doubt left "6KJbvp1JGKY=" is for "purple"
If you Grep the file for "6KJbvp1JGKY=" anyone can quickly count how many times it appears: 16,092 times.
In 30 seconds, you've discovered 16,000 accounts (passwords and emails)
The major issue with leaving the hints in clear is a house of cards effect: Not only it affects directly multiple accounts (One user will reveal the password of many), but also can branch out far and wide: A house of cards AND a snowball effect, making it a perfect storm.
Someone may have used an unguessable hint, but it will be revealed anyway by the ECB encryption: Same key = Same password
[edited]@yahoo.com-|-6KJbvp1JGKY=-|-myspace password|--
Even if "[edited]@yahoo.com" did not reveal his password, "[edited]@shaw.ca" did it for him, and for 2 different accounts. you now have his Adobe account and his Myspace account too.
Having your Myspace or FB account hacked is not funny, but hey, you'll survive. Just tell your mom that's it's not you drunk-naked on the picture. Mention to your boss too that you never posted that his wife is an ugly fat cow.
Where it may hurt a bit more is when you leave a hint such as "Same as Amazon" You may have just given someone access to your Amazon account. Is there a Credit Card number associated with it?
But hey, nobody is stupid enough to leave a hint such as this, right?
[edited]=-|-amazonpass|--
[edited]=-|-same as amazon|--
[edited]=-|-same as amazon|--
[edited]=-|-same as amazon|--
[edited]=-|-same as amazon pass|--
[edited]=-|-same as computer, same as amazon account|--
[edited]=-|-amazon account password is the same|--
And that goes on for hundreds of them....
So thanks a lot! Lemme order few things on Amazon... I always wanted a good GPU or two ( 2880 CUDA cores :) Coupled with JTR or Hashcat, It's going to be fun ... few million hash per second...
Plus, thanks to Adobe, you're paying ...
All you have to do is to sort the file by encryption key, and read a bit. Within minutes you'll have 1000's of accounts and within 2 hours, with a little grep, you'll get 1,341,000 accounts & passwords without a sweat.
Knowing that 45-50% of people re-use their password on other sites, one could imagine the tally: 625,000 reusable passwords
So why Adobe, a company with a lot of resources, did such a bad job at protecting your account?
The answer resides in the fact that it's cheaper and faster to have a lawyer releasing a carefully crafted PR statement rather than spending some money (and time) protecting your account.
< Rant/ >
So, why is it bad? and what can YOU do to protect, not only your account, but also your bank account? If you've read the PR release from Adobe, you'll have noticed that they *think* that no credit cards numbers were accessed in *clear*
The real scary part is that about 50% of the people re-use the same passwords again and again: A quick grep over "always" "identical" "same" and "usual" returns over 1 million hits.
Then, sifting trough the hints, you find the scary ones: "same email pass" "same as student loan" "same as email" "same Amazon"
And then comes the King of the Kings: "same as bank" and "same as social".
Ditto, hundreds of them! They are begging to be Pwned or financially raped.
So, dear Uber-Moron, thanks a lot for telling *in clear* where someone should hit you.
Being able to access your email is already pretty scary: Forget Pwning your Facebook account, Accessing your emails and looking for bank or loan info, etc. Then kicking you of your own email account and requesting a password change for your bank....
But you think that been owned and pwned that bad cannot happen to you? Nope, Just take a look at Gawker, with his CEO using "24862486" as his password or this other CEO, of an Internet security company, mind you, getting so Pwned that he could not sit for weeks.
No comments:
Post a Comment