Here's some sad news: the most commonly used password in the world is still "123456".
This depressing statistic comes from a study by Turkish researcher Ata Hakçıl, who analyzed over 742 million passwords exposed in numerous data breaches over the past few years and posted his findings on GitHub. Of these passwords, "123456" appears 53 million times, or once in every 138 passwords.
Of the 742 million entries, only 169 million were unique. The 1,000 most common passwords accounted for 66% of the total, and passwords found only once accounted for less than 9% of the total.
There was a bit of good news: the average password length was 9.48 characters, meaning that all the nagging to create longer passwords has paid off.
By contrast, the median (if not the average) length in the famous 2009 RockYou data breach was about 7 characters. (Hakçıl chose not to include the 32 million RockYou entries.)
UPDATE: Playing with the RockYou statistics in this report from Imperva, the average length of RockYou passwords was approximately 7.41 characters.
But even so, the bad news far outweighs the good: the most used password in the RockYou database is also "123456". In fact, of the top 20 RockYou passwords, entered between 2005 and 2009, seven are also on Hakçıl's new top 20 list: 123456, 12345, 123456789, iloveyou, 1234567, 12345678 and abc123.
Two other entries, "Password" and "Qwerty", are in RockYou's top 20, while "password" and "qwerty" are in Hakçıl's top 20. (It is unclear why, but RockYou may have required a capital letter at some point.)
Only 12% of the passwords surveyed by Hakçıl included "special" characters: punctuation and other symbols found on a typical QWERTY keyboard that are neither letters nor digits. Including such characters helps strengthen passwords against password-cracking tools.
In contrast, about 29% of passwords consisted only of letters, with more than 26% of all passwords using only lowercase letters; more than 13% used only numbers; and more than 25% used only "special" letters.
As an indication of how people form passwords, more than 34% of mixed letter-number passwords ended with a number (e.g., "qwerty123"), while only 4.5% began with one.
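The composition figures quoted above are easy to recompute for any password list you are allowed to audit (for example, passwords recovered in an authorised audit of your own directory). The following analyzer is an added example, not Hakçıl's code; the sample corpus is constructed for illustration and is not real breach data.

```python
"""Recompute the corpus statistics the study reports over a password list."""
from collections import Counter
import string

# Constructed sample corpus (not real breach data); repeats are deliberate.
SAMPLE = ["123456", "123456", "123456", "123456", "123456", "password",
          "qwerty123", "qwerty123", "Tr0ub4dor&3", "iloveyou", "abc123",
          "2fast4u", "letmein", "LETMEIN", "7777777", "000000",
          "correcthorse", "P@ssw0rd!", "Summer2020", "dragon"]

SPECIAL = set(string.punctuation)  # "special" = neither letter nor digit


def top_n_share(passwords, n):
    """Percentage of all entries covered by the n most common passwords
    (the study's '1,000 most common = 66% of the total' figure)."""
    counts = Counter(passwords)
    covered = sum(c for _, c in counts.most_common(n))
    return round(100 * covered / len(passwords), 1)


def analyze(passwords):
    """Return the same kinds of figures the study reports, as a dict.
    Shares are percentages of all entries, not of unique passwords."""
    total = len(passwords)
    counts = Counter(passwords)
    top, top_count = counts.most_common(1)[0]

    def share(pred):
        return round(100 * sum(1 for p in passwords if pred(p)) / total, 1)

    return {
        "total": total,
        "unique": len(counts),
        "most_common": top,
        "most_common_share": round(100 * top_count / total, 1),
        "singleton_share": share(lambda p: counts[p] == 1),
        "avg_length": round(sum(map(len, passwords)) / total, 2),
        "has_special": share(lambda p: any(ch in SPECIAL for ch in p)),
        "letters_only": share(str.isalpha),
        "lowercase_only": share(lambda p: p.isalpha() and p.islower()),
        "digits_only": share(str.isdigit),
        "ends_with_digit": share(lambda p: p[-1].isdigit()),
        "starts_with_digit": share(lambda p: p[0].isdigit()),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:>18}: {value}")
    print(f"   top-2 coverage: {top_n_share(SAMPLE, 2)}%")
```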
Hakçıl found one surprising thing: as many as 763,000 10-character passwords that looked like gibberish still followed a predictable pattern.
"They all begin and end with a capital letter. None of them seem to contain keyboard patterns or meaningful words."
The passwords appear to have been generated mechanically, but some of them appear to have been reused, perhaps indicating a flaw in the password-generation algorithm.
"I have no idea what this could find and what it could mean, but I suspect that some password manager is creating low-entropy passwords and using them repeatedly across many users," Hakçıl wrote. "I welcome and appreciate all ideas on this."
Hakçıl started with about a billion credential pairs (usernames and passwords), but had to discard more than 257 million pairs because they were unreadable or clearly test accounts.
To limit the damage a data breach can do to your accounts, make sure all your passwords are long, strong, and unique.
Ideally, you want a password that is at least 15 characters long, made up of pure gibberish, and including all four types of characters found on a typical QWERTY keyboard: uppercase letters, lowercase letters, digits and special characters.
To create and remember such passwords, and to make sure none of them are reused, there is no better solution than a good password manager.
Here are the 100 most common passwords according to Hakçıl's analysis. Do not use any of them for your accounts.