Popular Usernames and Passwords
Graphical representation.
chris • September 15, 2010 1:02 PM
vic victor victoria viktor
Briatic • September 15, 2010 1:09 PM
interesting to see that “fred” does not appear
Joel Odom • September 15, 2010 1:11 PM
My favorite password there is “changeme.”
jeff • September 15, 2010 1:13 PM
12345 only applies to luggage. What’s it doing here?
HJohn • September 15, 2010 1:15 PM
Yes! “HJohn” isn’t on either list! I’m secure!
Aaron • September 15, 2010 1:17 PM
Just to clarify – these are popular usernames and passwords used by SSH scanner/brute forcers. This doesn’t necessarily correlate to popular account credentials actually in use in the wild.
Carlo Graziani • September 15, 2010 1:19 PM
Well, that certainly explains all those ssh connection attempts in my logs.
Where are they getting their data from?
Merijn • September 15, 2010 1:27 PM
A very recent XKCD comic seems quite timely (possibly not a coincidence)
charlie • September 15, 2010 1:28 PM
Is there a name for the moving one letter to the right; i.e. my charlie would become “vjst;or”? Is that in the dictionaries?
HJohn • September 15, 2010 1:41 PM
@charlie: “Is there a name for the moving one letter to the right; i.e. my charlie would become “vjst;or”? Is that in the dictionaries?”
Not that I’m aware of. But on the flip side, unless the root word has a p, l, or m in it, it would just be an alphabetic password that is pretty vulnerable to a limited character brute force attack.
then again, it wouldn’t be too hard to program into a cracker.
Vsm upi trsf yjod?
Merijn • September 15, 2010 1:43 PM
charlie: Well, I would guess that something like John the Ripper would first blaze through all these combinations in milliseconds, then go through its entire dictionary and then proceed with doing simple transformations on such a dictionary like p4ssw0rding or p455w0rding, but also knowing the habit of some people to offset the entire keyboard by one.
I consider switching to keepass with generated long passwords and protecting my keepass store with a long passphrase plus keyfile.
Merijn • September 15, 2010 1:47 PM
@HJohn: urd o vsn 🙂
GCU Prosthetic Conscience • September 15, 2010 1:52 PM
I’m shocked, /shocked/ to see that “swordfish” is not on the list of most popular passwords.
Anonymous 67223 • September 15, 2010 1:54 PM
Reminds me of this:
http://farm5.static.flickr.com/4007/4458065285_574ceac12d_b.jpg
HJohn • September 15, 2010 1:55 PM
Speaking of passwords and their alternatives…
I remember posts about how car alarms increased assaults and car jackings since people became an easier target than the car.
Is this a risk with biometrics, that the person, through force or threats or blackmail, may become an easier target than passwords / PINs / cards, especially when money is involved?
Davi Ottenheimer • September 15, 2010 2:08 PM
“popular usernames and passwords used by SSH scanner/brute forcers”
reminds me of the popular baby name lists. will they converge? how cool if kids were soon named root or shell. hey postfix!
Danno Ferrin • September 15, 2010 2:09 PM
I don’t think the data set is very broad. Why no scott/tiger? That should be way up there.
peri • September 15, 2010 2:11 PM
123456 looks like the most popular password?!
Drop the 6 or add a 7 and your password is markedly less frequent, why?
If you look at the 8 and the 4 then it looks like people really like to end 123… passwords with even numbers!
One should remember that the numbers are cheating because they are “upper case” and the letters are all lower case.
GSE • September 15, 2010 2:30 PM
@charlie:
Probably not yet, but I suspect as the practice becomes more widespread password cracking databases will adapt.
There are many places that suggest you build a memorable password by basing it on a song lyric, e.g. the chorus of “Sweet Home Alabama” could be turned into shaWT$A5b. This is better than a dictionary word, but one of the guys at the “Crack me if you can” contest at DEFCON (details at http://contest.korelogic.com/ ) mentioned that they’ve started using dictionaries that account for this, and gotten almost as good results as with normal dictionaries on normal dictionary-based passwords. I’m sure that as the shifted-typing method becomes more prevalent it too will be added to password cracking dictionaries.
These sorts of obfuscation-while-still-being-memorable techniques do ultimately increase the amount of work password crackers have to do, but at the same time computers are getting faster as well. There’s a kind of cat-and-mouse element to this, but remember that password dictionaries are not terribly useful if you have to try them live; if the system is designed properly you get blocked or locked out after a few dozen attempts. The real danger of password cracking and dictionaries is when you have the hashes; e.g. pen-testing company networks.
Ross • September 15, 2010 2:45 PM
@Hjohn: “Is this a risk with biometrics, that the person, through force or threats or blackmail, may become an easier target than passwords / PINs / cards, especially when money is involved? ”
Only if you’re targeting one specific computer/person. If you want to scan millions of computer addresses quickly and automatically looking for an easy weakness this works. Nobody (usually) has access to provide a physical threat to millions of people at once.
@peri: “Drop the 6 or add a 7 and your password is markedly less frequent, why?”
Because a lot of places require a 6-digit minimum on the password, and a lot of people like to do the bare minimum.
HJohn • September 15, 2010 2:55 PM
@Ross: “Only if you’re targeting one specific computer/person. If you want to scan millions of computer addresses quickly and automatically looking for an easy weakness this works. Nobody (usually) has access to provide a physical threat to millions of people at once.”
I agree with that from a wide-scale perspective. I was thinking more along the lines of, insofar as individuals are concerned, instead of stealing a card, make them clear out their account at an ATM while you point a gun at them or their child. Sort of like how car thieves can’t steal every car, but they can stab someone after they disarm the alarm.
Of course, if we want to get morbid, one could cut off someone’s hand to use their fingerprints (although some readers make sure it is a living hand).
Unix Ronin • September 15, 2010 3:19 PM
@HJohn: The other side of that coin is that car alarms quickly became largely ineffective, because they tend to generate such a high rate of false alarms that people quickly learned to ignore them as just one more source of noise pollution.
@peri: I’m guessing the “like to end with even numbers” is a simple artifact of six or eight character minimum password lengths.
Peter William Lount • September 15, 2010 3:21 PM
Password Reuse: http://xkcd.com/792/
EOT • September 15, 2010 3:23 PM
oprisor1975 ?
phili • September 15, 2010 4:09 PM
We may be too stupid to survive as species for much longer.
jrr • September 15, 2010 4:28 PM
@jeff: 12345 applies to luggage AND to planetary atmosphere shields.
Clive Robinson • September 15, 2010 4:38 PM
@ HJohn,
Speaking of biometrics…
One of the things that has puzzled me for a couple of decades is “duress systems” not migrating into computer security systems.
An early example would have been the British trench code book from WWI which had a code written clearly across the front to be used if the code book was lost or assumed to be lost. The code word was “DAM DAM DAM”.
From this we developed in the Second World War cipher duress signals such as simple spelling mistakes (swapping a’s and e’s in, say, the fifth word, etc.).
In the physical world we have mechanical locks which have two switches in them. One is the “I’m OK” switch the other is “I’m under duress” switch which activates the “silent alarm”. If neither switch is activated then opening the lock causes the ordinary alarm to activate.
Now these simple duress alarm ideas do not (as far as I’m aware) make it into everyday password or computer security systems which if you think about it is odd…
If the duress password is weaker than the ok password then a dictionary attack will trip the duress password before it gets to the real password.
But the main point is “how do you implement a reliable duress alarm in a pure Biometric system”…
The simple answer is it is actually difficult to do in a reliable way without a long term observer realising that there is one there (ie the manager always uses his right middle finger in the morning but tries to use another finger with a gun at his head). So we tend to have two factor systems like adding a pin password via a numeric keypad etc.
Just about every way I look at biometric systems they fail to even get close when compared to more conventional systems which is why I’ve always regarded them as at best a “Gimmicky James Bond style toy” (yes harsh judgment perhaps but when you then consider price…).
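The “I’m OK” / “I’m under duress” password pair Clive describes, as an added example that is not from the thread: both passwords are stored as salted hashes, a duress login is granted but raises a silent alarm, and enrolment refuses a duress password shorter than the real one (length is used here as a crude stand-in for strength, to illustrate his point that a weaker duress password is tripped first by a dictionary attack). The sample passphrases are constructed.

```python
# Added illustration of an OK/duress password pair (not the thread's code).
import hashlib
import hmac
import os

def _hash(password, salt):
    # Salted PBKDF2 so neither stored value reveals the other password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DuressAccount:
    def __init__(self, ok_password, duress_password):
        # Length is only a stand-in for strength in this example: a weaker duress
        # password would be hit by a dictionary attack before the real one.
        if len(duress_password) < len(ok_password):
            raise ValueError("duress password must be at least as long as the OK password")
        if ok_password == duress_password:
            raise ValueError("duress password must differ from the OK password")
        self.salt = os.urandom(16)
        self.ok_hash = _hash(ok_password, self.salt)
        self.duress_hash = _hash(duress_password, self.salt)
        self.silent_alarms = 0

    def login(self, attempt):
        """Return 'ok', 'duress' (access granted, silent alarm raised) or 'fail'.
        Both comparisons always run, so timing does not reveal which hash matched."""
        h = _hash(attempt, self.salt)
        is_ok = hmac.compare_digest(h, self.ok_hash)
        is_duress = hmac.compare_digest(h, self.duress_hash)
        if is_duress:
            self.silent_alarms += 1   # real system: notify an out-of-band monitor
            return "duress"
        if is_ok:
            return "ok"
        return "fail"

if __name__ == "__main__":
    # Constructed sample passphrases.
    acct = DuressAccount("sample-ok-passphrase-1", "sample-duress-passphrase-2")
    print(acct.login("sample-ok-passphrase-1"))      # ok
    print(acct.login("sample-duress-passphrase-2"))  # duress
    print(acct.login("password"))                    # fail
```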
Gabe • September 15, 2010 5:56 PM
1, 2, 3, 4, 5? That’s amazing! I’ve got the same combination on my luggage.
jammit • September 15, 2010 7:11 PM
Whew! No jammit on the list. I’m safe.
Cornerstone • September 15, 2010 8:51 PM
It’s kind of depressing that 123456 and password are the biggest entries.
@aaron,
“Just to clarify – these are popular usernames and passwords used by SSH scanner/brute forcers. This doesn’t necessarily correlate to popular account credentials actually in use in the wild.”
I didn’t see any info on the page about how they collected the passwords. It would be meaningless if they just scanned their own test systems but if they scanned the internet in general then the fact they counted a password means they gained access using it, and hence that it is being used in the wild.
Given the amount of media attention nowadays it’s hard to fathom that people actually use these passwords in real life.
Cornerstone • September 15, 2010 9:10 PM
Actually, I take that back. This image appears to be based on the results obtained on this parent page,
http://www.dragonresearchgroup.org/insight/
Which implies all they’ve done is record what passwords “hackers” are attempting to break in with. Doesn’t that make this a useless piece of net trivia?
Incidentally if you look at the list of sources it’s interesting what a large portion originate in China. One wonders if they know something we don’t or if they’re just behind the times and don’t realize that admins no longer use such silly passwords.
Champs • September 15, 2010 10:47 PM
There are many built-in accounts, but the passwords all seem based on the QWERTY layout or the English language.
There’s most certainly more security through the obscurity of systems in Russia, China, the Middle East, et al… 😉
Particular Random Guy • September 16, 2010 2:39 AM
Oh, I remember those times when the most popular password (10% of all users in our system) was “marvin”.
yt • September 16, 2010 3:34 AM
@GCU Prosthetic Conscience: it’s always swordfish. 😉
My personal favorite way of constructing passwords is to take the first letter of each word in a phrase (for example, song lyrics), capitalize some, and throw in some numbers and punctuation. It comes out looking like a fairly random group of characters, but it’s still easy to remember.
Tim • September 16, 2010 6:46 AM
These passwords look very much like they emanate from a technical set of users. Non-techy users tend to have a quite differing bunch of favourites featuring peoples names and sports clubs, as well as “monkey” for some reason I’ve never fathomed.
B. Real • September 16, 2010 8:18 AM
1 – 2 – 3 – 4 – 5? That’s amazing! I’ve got the same combination on my planetary atmosphere shield!
Leo • September 16, 2010 8:26 AM
@charlie: Moving one letter to the right is a variety of the Caesar cipher, as is rot13.
Mike • September 16, 2010 10:10 AM
you mean a simple script like
to encode
echo "charlie" | tr "abcdefghijklmnopqrstuvwxyz" "snvfrghjokl;,mp[wtdyibecux"
decode
echo "vjst;or" | tr "snvfrghjokl;,mp[wtdyibecux" "abcdefghijklmnopqrstuvwxyz"
secured • September 16, 2010 11:07 AM
Great my password of ********** didn’t make the list.
David Thornley • September 16, 2010 11:07 AM
@Clive: The problem with duress systems is that people tend not to worry about reacting to the duress signal. In WWII, for example, British agents in the Netherlands were supposed to make specific errors when enciphering their reports, to signal that they weren’t under duress. When the Germans captured them, they quite properly left the errors out, and were sometimes then chided from Britain for leaving out the authentication code.
With passwords, any password that’s dissimilar from the real one can be used as a duress password. Somebody trying “password” on my account when the password is really “123456” is very likely to be attempting a breakin (although “123455” might just be a typing mistake).
However, thank you for adding another argument against biometrics that I had previously not considered.
Stephen • September 16, 2010 3:11 PM
@Leo:
I think that charlie means that you simply shift your hands on the keyboard one space right (q becomes w, for example). It’s a substitution cipher based on a physical object, so you don’t need to deal with remembering a chart or alphabetical order or anything but you produce convincingly munged looking passwords.
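The “shift your hands one key to the right” substitution from Mike’s tr one-liner and Stephen’s description, as an added example that is neither commenter’s code: it builds the map from the full US-QWERTY rows (an assumption; Mike’s mapping covers only a–z), wraps the last key of each row to the first so the map stays invertible, and adds the check a defender would actually run, unshifting a candidate password and looking it up in a wordlist, since the rule has no key and adds no entropy.

```python
# Lowercase US-QWERTY rows (assumption of this example; Mike's tr one-liner covers only a-z).
QWERTY_ROWS = (
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
)

def build_shift_map(rows=QWERTY_ROWS):
    """Map each key to its right-hand neighbour. The last key of a row wraps
    to the first, so the map is a bijection and every encoding is decodable."""
    right = {}
    for row in rows:
        for i, ch in enumerate(row):
            right[ch] = row[(i + 1) % len(row)]
    return right

SHIFT_RIGHT = build_shift_map()
SHIFT_LEFT = {v: k for k, v in SHIFT_RIGHT.items()}

def shift_right(text):
    """Encode: characters not on the rows (capitals, spaces) pass through unchanged."""
    return "".join(SHIFT_RIGHT.get(c, c) for c in text)

def shift_left(text):
    """Decode with the inverse substitution."""
    return "".join(SHIFT_LEFT.get(c, c) for c in text)

def unshifted_dictionary_word(candidate, wordlist):
    """Password-policy check: return the wordlist entry the candidate is a
    shifted copy of, or None. The rule has no key, so one extra pass over a
    wordlist of N words covers all N shifted variants."""
    plain = shift_left(candidate)
    return plain if plain in wordlist else None

# Constructed mini wordlist for the demo (the thread's own examples plus two more).
SAMPLE_WORDLIST = {"charlie", "password", "123456", "swordfish"}

if __name__ == "__main__":
    for word in sorted(SAMPLE_WORDLIST):
        enc = shift_right(word)
        print(f"{word:10} -> {enc:10} -> {shift_left(enc)}")
    print(unshifted_dictionary_word("vjst;or", SAMPLE_WORDLIST))
```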
Victor Tango • September 16, 2010 3:35 PM
@charlie,Stephen: “Shifty Passwords” a la http://blog.commandlinekungfu.com/2010/04/episode-92-shifty-passwords.html.
I am in the middle of performing a password audit and the results in the graphical representation are rather telling of default passwords, but not in actual use. Far more often are password patterns found in derivations of the seasons, months, and company names, at least from my findings.
Ron007 • September 16, 2010 7:36 PM
Here are a couple of similar links:
http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time
http://blog.jimmyr.com/Password_analysis_of_databases_that_were_hacked_28_2009.php – 250 Most Common Passwords taken from 3 web sites.
http://lastbit.com/pswcalc.asp – Password Brute Force Attack Calculator
http://www.net-security.org/secworld.php?id=6616 – Cracking one billion passwords per second with NVIDIA video cards
ego • September 18, 2010 2:47 AM
Please read the books by Claude Shannon, then you can calculate the entropy of your passwords.
What matters is the expected value.
And the expected value is always subjective.
irishrover • September 20, 2010 9:31 AM
Don’t forget God. System Operators love to use God, it’s that whole male ego thing.
– Hackers quote (may not be true)
moo • September 15, 2010 12:54 PM
Awesome.