This list was compiled out of multiple passwords leaks, hacks and Social Engineering traps.
It's made for you to realize the importance of a good & strong password.
Please read the Do's and Don't, it may save you from misery.
The full list (updated constantly) is available HERE!
Last count ~ 1,500,000,000
The following is compilation of real passwords lists composed of: (Name, Count)
Rockyou List 32,603,389 BlackKnights 5,088,332
Hash Hack 546,840 PhPbb List 184,389
Gawker Hack 82,600 (And counting .....~500,000 mini expected)
Tuscl 38,820 MySpace Phished 37,144
Hotmail Hack 21,652 Faithwriters hack 8,347
Angelfire 8,087 Facebook Phished 6,540
Gawker Release 2,651 (c) Gnosis
Common pswd used 2,445 Worst 500 500
Most Used 500 500 (c) Mark Burnett
Twitter Banned 370 Gawker Most Used 250 (out of 400,000) (c) Duo Security
Facebook Stolen ~150
Total Raw ~ 38,000,000 Passwords
Total Duplicates Removed
Sorted by Occurrences: 19,584,249 Unique Passwords
Fun Facts:
- No Passwords in the top 1000 has a Sign! (!@#$%......etc)
- In the Raw List the following strings were found # times: "fuck" 74,326 : "love" 13,947 : "123" 1,265,285: "1234" 691,434 : "monkey" 49,296, etc etc ...
- It would not take long to create variations, adding millions to a crack list...
- Most of the top 2000 are derivatives of "words"
The first use of a capitalized letter is at position #800, in "PASSWORD" (You can't see me, but I am crying...)
Twitter @GinaTrapani about the Gawker hack |
- If you believe you are safe using "m0nk3y" instead of "monkey", you'll be in for a surprise. It would take an average of 15 seconds to crack it. Ditto for m0ndays, p@ssw0rd, etc ...
- It would take me a maximum of 6.5 minutes to run the first 500,000 passwords on Aircrack-ng, 3.7 minutes on JTR and 50 seconds on Aircrack-ng CUDA
- Today, you can rent on Amazon EC2 for $2.10 an hour enough computing power to run ~50,000 pwsd/sec, or 180 million pwsd per hour.
- A medium sized botnet can churn 36 billion keys per hour. Free of charge.
You have been warned! Choose wisely ....
Top 1000 Passwords of All Times
Top 2000 Passwords of All Times
All Times, That is until the next big one..
Top 10
Rank Count Password
1: 290834 123456
2: 79096 12345
3: 76822 123456789
4: 59494 password
5: 49977 iloveyou
6: 33314 princess
7: 21748 1234567
8: 20902 rockyou
9: 20575 12345678
10: 16662 abc123
Do's and Don'ts
Don't use a Password! Use a Passphrase!
When asked to use a password, you have a tendency to use a "word". A single one!
Instead, use a sentence or a phrase: It's easier to remember, easier to add Caps and spaces, and will increase the length of it by a factor of 2 or 3.
Do Use Your Keyboard. The Entire Keyboard!
Just using numbers is the worst, adding letters is better, adding caps and lower caps is good. Now add signs and you'll have a very good Passphrase. If you to give me a hard time at cracking your
A Mnemonically Algo What?
- Yes, I know, just the name....
Let's rephrase that as a "Easy to remember, complex Passphrase that changes..."
- Let's pretend that your old password is "ilovebeef" it's weak, and dead easy to crack.
"ilovebeef" is all lower cap, made of easy words.
Change that to: "I Love Beef" You've added caps and spaces, and increased the length by 2ch without any pain remembering it. As a hacker, I have now to run a much, much longer dictionary. Not good for me, but good for you!
Still, "I Love Beef" is still "guessable" (but not found in the 38M passwords of the list)
Now, you know that "I" is in fact "you"
"You" have probably plenty of personal numbers known only by you. i.e the last 4 digit of a number.
So, take that number, i.e "7845" and press the Shift Key of your keyboard. you'll get "&*$%"
Fyi, hack speaking, "&*$% Love Beef" start to be a tough one to crack.
Now, imagine that you go "7845&*$% Love Beef" you still knows what it means, it's easy to remember, and generates 18 characters long.
The Algo Part
On the Top of the passphrase, you can add a prefix or suffix based on the website, It's a well know trick, but it adds few characters and increases by few fold the difficulty.
Example, for Gmail, you can add a "+gmail" or ~mail to your passphrase. It allows you to change the passphrase each time for each website.
So, coming from "ilovebeef" you can reach, without any remembering issue a "7845&*$% Love Beef~mail" or "7845&*$% Love Beef~work"
Such password in practically uncrackable, and even a very very patient hacker will never have the time to brute force such.
You don't have to use a 25 ch, 15 is long enough: Consider that 15ch with the entire Keyboard (printable characters) generates 15^127 possibilities, or in number: 1,253,437,565,941,480,000,000,000,000,000,000,000
Don't Trust Me!
I mean, don't trust yourself too much. Or don't trust them too much. Just in case of a smart phishing website, or a Gawker type stupid security, even the most secure passwords could be compromised. One of the best solution is to use "disposable email addresses"
Keep a good one for important stuff, and use disposables for the rest. Never link or use your "good" email address for things such as commenting on a website, Facebook, Twitter or your multiple groupon, yelp, linkedin, Skype, MSN, etc.
If a disposable email address is compromised, just kill it and replace with another one.
I can't remember them!
Ok Then, Use the MasterPassword on Firefox (free), or even better, use "1Password" (fee)
You also can generate your own true random Passphrase with GRC.com
(up to 63 True Random Printable ASCII). Virtually uncrackable as long as you stay over 12ch in length.
Want to know more? ☟