Analysis of 32 Million Breached Passwords
An anonymous reader writes "Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine." Most interesting to me was that in the sample, less than 4% used any non-alphanumerics in their #$#%'ing passwords.
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
By a massive coincidence, these happen to be the passwords for their respective /. userids!
Does anyone have the list of passwords itself?
:)
It would be fun to perform one's own statistical analysis of the list
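For anyone who does get hold of a leaked list (or their own organisation's cracked-hash audit output), this is the kind of first pass the report describes: top-N frequencies, how many accounts the top ten alone cover, and the share of passwords that use any non-alphanumeric character. It is an added example, not code from Imperva or from this thread; the sample list is constructed to mimic the shape of the top entries quoted above, and all function names are this example's own.

```python
"""Frequency and character-class statistics over a password list.

Added example (not from the Imperva report or the thread). The list below is
a constructed multiset shaped like the RockYou top entries plus a few
passwords containing symbols; function names are this example's own.
"""
from collections import Counter
import string

# Constructed sample "leak": 33 entries, 11 distinct values.
SAMPLE_PASSWORDS = (
    ["123456"] * 12
    + ["12345"] * 5
    + ["Password"] * 4
    + ["iloveyou"] * 3
    + ["princess"] * 2
    + ["abc123"] * 2
    + ["p@ssw0rd!", "correct horse", "Tr0ub4dor&3", "monkey", "qwerty"]
)


def top_n(passwords, n=10):
    """Return the n most common passwords as (password, count) pairs."""
    return Counter(passwords).most_common(n)


def char_classes(pw):
    """Set of character classes present in a password.

    'other' covers symbols, whitespace and anything non-ASCII."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def fraction_with_non_alnum(passwords):
    """Fraction of passwords containing at least one non-alphanumeric char."""
    hits = sum(1 for pw in passwords if "other" in char_classes(pw))
    return hits / len(passwords)


def fraction_covered_by_top(passwords, n=10):
    """Share of all accounts an attacker opens by guessing only the top n.

    This is the number that matters for online guessing with a lockout:
    a handful of attempts per account against the whole user base."""
    covered = sum(count for _, count in top_n(passwords, n))
    return covered / len(passwords)


def class_distribution(passwords):
    """How many passwords use exactly 1, 2, 3 or 4 character classes."""
    return Counter(len(char_classes(pw)) for pw in passwords)


if __name__ == "__main__":
    for rank, (pw, count) in enumerate(top_n(SAMPLE_PASSWORDS), start=1):
        print(f"{rank:>2} {pw:<15} {count}")
    print("non-alphanumeric share:", round(fraction_with_non_alnum(SAMPLE_PASSWORDS), 3))
    print("covered by top 10:     ", round(fraction_covered_by_top(SAMPLE_PASSWORDS), 3))
    print("class distribution:    ", dict(class_distribution(SAMPLE_PASSWORDS)))
```

On the constructed sample the top ten cover 32 of 33 accounts and only 3 of 33 passwords contain a symbol or space, which is the same picture the report paints: a tiny dictionary of popular choices covers a large fraction of users.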
Here's the top 20 most common passwords used according to the report:
Rank Password # of Users
1 123456 290731
2 12345 79078
3 123456789 76790
4 Password 61958
5 iloveyou 51622
6 princess 35231
7 rockyou 22588
8 1234567 21726
9 12345678 20553
10 abc123 17542
11 Nicole 17168
12 Daniel 16409
13 babygirl 16094
14 monkey 15294
15 Jessica 15162
16 Lovely 14950
17 michael 14898
18 Ashley 14329
19 654321 13984
20 Qwerty 13856
http://www.object404.com
My company (over 10,000 employees, not in the computer industry) does the same thing, but the really annoying part..
..it must be EXACTLY 2 letters, followed by EXACTLY 4 digits.
So even allowing for upper case (which I am not sure that it differentiates), the total password space is only 2704000000.
The size of this space can conveniently fit into a 32-bit value, which is probably what they are doing: storing passwords in an integer field.
Did I mention that they pay our IT department $11/hour?
Yeah, all my coworkers do the same thing: use the same 2 letters every time they need to change it, followed by "1111" then "2222" then "3333" and so forth...
"His name was James Damore."
Most interesting to me was that in the sample, less than 4% used any non-alphanumerics in their #$#%'ing passwords.
Why is it any surprise that people tend to approach passwords as a pass-WORD? It has to be something they can remember, and remembering a string of characters they can't pronounce is far more difficult than remembering (say) their favorite basketball team and the year they graduated high school.
If a job's not worth doing, it's not worth doing right.
KeePass is an excellent utility, available for Windows, Linux, and other platforms. It's simple, quick to use, and, configured correctly, you will only have to learn one password: the one to unlock the encryption file.
Causing Chaos Everywhere,
Nik J.
The strange world of a loner, in a populous city, drowning in society
I worked for a company that ran a birth/death/marriage certificate site. People were having problems logging in, so we kept a log of passwords that did not result in a successful login.
We found that one of the most commonly typed passwords that was denied was "case-sensitive".
Needless to say, we soon took off the "Your password is case-sensitive" text from the login page.
America, Home of the Brave.
It may narrow the nominal keyspace, but it almost certainly increases the average keyspace that needs to be searched. Without the complexity requirements most people will use a dictionary word or something like that. And the company wants to keep all the accounts secure, so it has to care about the average password.
And think of it this way - in a keyspace that requires 10 numeric digits, what percentage of the total keyspace is consumed by anything containing less than 10 digits? It seems to me you have only given up 10% of the space, and an even smaller percentage if you consider the full printable range of characters instead of just numerics.