maurograziani.org
Music Art Technology & other stories


Posted on 2015 by MG

Password 123456

Recently, SplashData, a security organization, published its list of the most used passwords of 2014. The ranking is compiled by analyzing the password files leaked after large-scale hacking attacks on organizations with millions of users.

Here are the top 25 passwords, which, according to SplashData, by themselves account for 2.2% of all passwords, followed by a word cloud created by Mark Burnett that shows the frequency of the top 500 passwords:

| Rank | Password  | Change from 2013 |
|------|-----------|------------------|
| 1    | 123456    | No Change        |
| 2    | password  | No Change        |
| 3    | 12345     | Up 17            |
| 4    | 12345678  | Down 1           |
| 5    | qwerty    | Down 1           |
| 6    | 123456789 | No Change        |
| 7    | 1234      | Up 9             |
| 8    | baseball  | New              |
| 9    | dragon    | New              |
| 10   | football  | New              |
| 11   | 1234567   | Down 4           |
| 12   | monkey    | Up 5             |
| 13   | letmein   | Up 1             |
| 14   | abc123    | Down 9           |
| 15   | 111111    | Down 8           |
| 16   | mustang   | New              |
| 17   | access    | New              |
| 18   | shadow    | Unchanged        |
| 19   | master    | New              |
| 20   | michael   | New              |
| 21   | superman  | New              |
| 22   | 696969    | New              |
| 23   | 123123    | Down 12          |
| 24   | batman    | New              |
| 25   | trustno1  | Down 1           |

[Image: pwcloud 2014, Mark Burnett's word cloud of the 500 most frequent passwords]

It's interesting to note how users persist in harming themselves: most passwords are still the same ones that have been abused for years, with the infamous "123456" and "password" in the top two spots. Of the 25, only 11 are new compared to the previous year, and they correspond to the names of sports stars, celebrities, or superheroes (Michael presumably being Michael Jordan).

Also interesting is the oxymoron "trustno1" (trust no one) in 25th place (it's also Fox Mulder's password in The X-Files).
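The practical lesson of a list like this is that a login system should simply refuse the entries on it. The Python below is an added example, not code from this post or from SplashData: it checks a candidate password against the top-25 table above (a deployment would load a much longer list, such as the top 10,000 discussed later in the post) and goes a step beyond a plain lookup by also catching the usual dress-ups of a common word: capital letters, a trailing year or "123!", and symbol-for-letter substitutions. The `LEET_TO_PLAIN` mapping is an assumption chosen for the example, not a standard table.

```python
import re
from typing import Iterator, Optional

# The post's top-25 list for 2014. A real deployment would load a much longer
# list (the post mentions Burnett's top 10,000), but the check is the same.
COMMON_PASSWORDS_2014 = frozenset([
    "123456", "password", "12345", "12345678", "qwerty", "123456789", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
])

# Symbol-for-letter substitutions people use to dress up a dictionary word.
# This mapping is an assumption chosen for the example, not a standard table.
LEET_TO_PLAIN = str.maketrans("@013$5!4", "aoiessia")


def variants(candidate: str) -> Iterator[str]:
    """Yield progressively more aggressive normalisations of a candidate."""
    base = candidate.strip().lower()
    yield base
    # "Dragon2015" or "password123!" -> "dragon", "password"
    no_suffix = re.sub(r"[^a-z]+$", "", base)
    if no_suffix:
        yield no_suffix
    # "P@ssw0rd" -> "password"; also drop a trailing suffix after substitution
    deleet = base.translate(LEET_TO_PLAIN)
    yield deleet
    deleet_no_suffix = re.sub(r"[^a-z]+$", "", deleet)
    if deleet_no_suffix:
        yield deleet_no_suffix


def check_password(candidate: str) -> Optional[str]:
    """Return the common-password entry the candidate collapses to, or None if it is not known-common."""
    for form in variants(candidate):
        if form in COMMON_PASSWORDS_2014:
            return form
    return None


if __name__ == "__main__":
    samples = ["123456", "Password123!", "P@ssw0rd", "Dragon2015",
               "TrustNo1", "correct horse battery staple"]
    for pw in samples:
        hit = check_password(pw)
        print(f"{pw!r}: {'REJECT (matches ' + hit + ')' if hit else 'ok'}")
```

The check returns the list entry a candidate matched rather than a bare boolean, so the signup form can tell the user why the password was refused ("this is a variation of 'password'") instead of leaving them guessing.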

Note that, according to a 2011 study by Mark Burnett, 30% of users have a password that is among the 10,000 most frequently used. So, statistically, if you keep hammering an account until you have made 10,000 attempts, about 1 account in 3.3 will fall. Ten thousand attempts sounds like a lot, but obviously they aren't made by hand: they are made by software, with automated programs that connect through proxies and change IP address on every attempt.

To give you an idea of how things really are, take this blog (the very one you're reading), which isn't even that famous. From 1/11/2014 to today (21/01/2015), I've logged in about once a day, roughly 80 times in all. Over the same period there were 61,777 (sixty-one thousand, seven hundred and seventy-seven) login attempts, all fortunately unsuccessful: about 770 per day, 32 per hour, or on average 1 every 2 minutes.

At that rate, 10,000 attempts take about 13 days. But the smart cracker doesn't work that way. Typically they start with a thousand logins in quick succession (about 4-5 per second), getting through the 1,000 most common passwords in about 4 minutes. If that doesn't work, it means the administrator isn't a total idiot: the site's priority drops and the attempts become less frequent and more sporadic as the attacker is forced to try ever less common passwords, down to a handful of attempts per hour (there's one guy, for example, who is almost at the end of his tether and only makes 5 attempts every 4 hours). Of course, all of this is handled by software; the cracker only has to feed the program the URLs of sites to try.
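Both rhythms the post describes, the opening burst and the later trickle of a few attempts every few hours, are visible in the failed-login log, and each calls for its own detection rule: a short sliding window catches the burst, while a per-source count over a long span catches the low-and-slow tail that a simple rate limit never sees. The Python below is an added example written for this post, not the blog's own tooling; it assumes a one-line-per-failure log format shown in the comment and builds a constructed sample using documentation IP ranges (three sources: one bursting, one trickling, one legitimate user mistyping twice). It also computes the per-day and per-hour averages the post quotes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumed log line format for this example (not the blog's real log):
#   2015-01-21 10:00:00 login failed user=admin ip=198.51.100.7
LOG_RE = re.compile(r"^(\S+ \S+) login failed user=(\S+) ip=(\S+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

Event = Tuple[datetime, str, str]  # (timestamp, username, source ip)


def _line(ts: datetime, user: str, ip: str) -> str:
    return f"{ts.strftime(TS_FMT)} login failed user={user} ip={ip}"


def make_sample_log() -> List[str]:
    """Constructed sample data (RFC 5737 documentation addresses), not real traffic."""
    t0 = datetime(2015, 1, 19, 0, 0, 0)
    lines = []
    # A burst: 30 failures in 30 seconds, the "thousand logins very quickly" pattern.
    for i in range(30):
        lines.append(_line(t0 + timedelta(hours=1, seconds=i), "admin", "198.51.100.7"))
    # Low and slow: one failure every 4 hours for two days.
    for k in range(12):
        lines.append(_line(t0 + timedelta(hours=4 * k), "admin", "203.0.113.42"))
    # Benign: a real user mistyping twice.
    lines.append(_line(t0 + timedelta(hours=5), "mg", "192.0.2.10"))
    lines.append(_line(t0 + timedelta(hours=5, seconds=30), "mg", "192.0.2.10"))
    return lines


def parse_failures(lines: List[str]) -> List[Event]:
    """Extract (timestamp, user, ip) from failed-login lines, sorted by time."""
    events: List[Event] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # lines that are not failed logins are ignored
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    events.sort()
    return events


def _times_by_ip(events: List[Event]) -> Dict[str, List[datetime]]:
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)  # events are sorted, so each list is sorted too
    return by_ip


def burst_sources(events: List[Event], window: timedelta = timedelta(seconds=60),
                  threshold: int = 20) -> Set[str]:
    """IPs with at least `threshold` failures inside any single sliding window."""
    flagged: Set[str] = set()
    for ip, times in _times_by_ip(events).items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def low_and_slow_sources(events: List[Event], min_events: int = 10,
                         min_span: timedelta = timedelta(hours=12)) -> Set[str]:
    """IPs that never burst but keep failing steadily over a long span."""
    bursty = burst_sources(events)
    return {
        ip for ip, times in _times_by_ip(events).items()
        if ip not in bursty and len(times) >= min_events and times[-1] - times[0] >= min_span
    }


def failure_rate(events: List[Event]) -> Tuple[float, float]:
    """Average failures per day and per hour over the observed span (the post's 770/day, 32/hour)."""
    span = (events[-1][0] - events[0][0]).total_seconds()
    if span <= 0:  # a single event (or all at one instant): no meaningful rate
        return float(len(events)), float(len(events))
    return len(events) * 86400 / span, len(events) * 3600 / span


if __name__ == "__main__":
    ev = parse_failures(make_sample_log())
    per_day, per_hour = failure_rate(ev)
    print(f"{len(ev)} failed logins, {per_day:.0f}/day, {per_hour:.1f}/hour")
    print("burst sources:       ", sorted(burst_sources(ev)))
    print("low-and-slow sources:", sorted(low_and_slow_sources(ev)))
```

The thresholds (20 failures in 60 seconds; 10 failures spread over at least 12 hours) are starting points to tune against your own log, and the two rules are deliberately disjoint: a source that bursts is reported once as a burst, and the low-and-slow rule only considers sources the burst rule did not already catch.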

Have fun 😛

