123456 – The Password

A Turkish student studying at a university in Cyprus decided to download and analyze more than one billion leaked logon credentials. Ata Hakçıl, aka FlameOfIgnis, posted his findings on GitHub.

The biggest takeaway is that 123456 was the most common password, covering an estimated 0.722% of all the passwords, or 7 million passwords out of one billion.

From Ata Hakçıl's article:

Cool Stats

  • From lines of dumps, 257.669.588 were filtered as either corrupt data (gibberish in improper format) or test accounts.
  • 1 Billion credentials boil down to 168.919.919 passwords, and 393.386.953 usernames.
  • Most common password is 123456. It covers roughly 0.722% of all the passwords. (Around 7 million times per billion)
  • Most common 1000 passwords cover 6.607% of all the passwords.
  • With most common 1 million passwords, hit-rate is at 36.28%, and with most common 10 million passwords hit rate is at 54.00%.
  • Average password length is 9.4822 characters.
  • 12.04% of passwords contain special characters.
  • 28.79% of passwords are letters only.
  • 26.16% of passwords are lowercase only.
  • 13.37% of passwords are numbers only.
  • 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Unique Passwords

  • 8.83% of the passwords are unique – they were only found once.
    • Their average length was 9.7965 characters.
    • Surprisingly, just a fraction of these passwords are meaningless.
    • Only 7.082% of these passwords contain special characters – Rest matches ^[a-zA-Z0-9]$
    • 20.02% of these passwords are letters only, and 15.02% is only lowercase.
      • Average length for lowercase-unique passwords was 9.3694 characters.

Bottom Line

Based on Ata Hakçıl’s research, if you want a secure password, start the password with a number and include special characters.
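
The statistics quoted above can be reproduced on any password list you are entitled to audit, for example to see how much of it a deny list of the top N entries would cover. The following Python is an added example, not code from Ata Hakçıl's repository; the sample list is constructed, the function names are hypothetical, and measuring the "found once" share against distinct passwords is an assumption, since the page does not state the denominator.

```python
import re
from collections import Counter

# Constructed sample (not taken from any leak), one entry per credential.
SAMPLE = [
    "123456", "123456", "123456", "password", "password", "qwerty",
    "letmein1", "Summer2020", "dragon99", "P@ssw0rd!", "7horses#",
    "correcthorse",
]

# Character-class tests mirroring the categories in the quoted statistics.
CLASSES = {
    "special_chars": re.compile(r"[^a-zA-Z0-9]"),
    "letters_only": re.compile(r"\A[a-zA-Z]+\Z"),
    "lowercase_only": re.compile(r"\A[a-z]+\Z"),
    "numbers_only": re.compile(r"\A[0-9]+\Z"),
    "ends_with_digit": re.compile(r"[0-9]\Z"),
    "starts_with_digit": re.compile(r"\A[0-9]"),
}

def pct(part, whole):
    """Percentage rounded to two decimals; 0.0 for an empty list."""
    return round(100.0 * part / whole, 2) if whole else 0.0

def composition(passwords):
    """Percentage of entries (duplicates included) matching each class."""
    total = len(passwords)
    return {name: pct(sum(1 for p in passwords if rx.search(p)), total)
            for name, rx in CLASSES.items()}

def top_n_coverage(passwords, n):
    """Hit rate: share of all entries covered by the n most common passwords."""
    counts = Counter(passwords)
    return pct(sum(c for _, c in counts.most_common(n)), len(passwords))

def seen_once(passwords):
    """Passwords occurring exactly once, and their share of distinct passwords
    (assumed denominator; the page does not say which one was used)."""
    counts = Counter(passwords)
    once = [p for p, c in counts.items() if c == 1]
    return once, pct(len(once), len(counts))

def average_length(passwords):
    """Mean password length over all entries, rounded to four decimals."""
    return round(sum(map(len, passwords)) / len(passwords), 4) if passwords else 0.0

if __name__ == "__main__":
    print(composition(SAMPLE), top_n_coverage(SAMPLE, 2), average_length(SAMPLE))
```
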

