This is a Wordle showing the 80 most common passwords from the cracked Gawker database. There are 2090 passwords containing the word ‘password’ (132 clever people used ‘passw0rd’). Next is ‘lifehack’, appearing 680 times, and then ‘qwerty’ at 663.
I haven’t really explored this a great deal, but I saw many numerical passwords that were clearly birthdates and loads of names and short dictionary words. Basically, everything you’re not supposed to use as a password.
[Check the updates at the bottom of this post for more info]
Do you use a password like these?
I collect some good advice on this blog, but the best single thing you could do to really beef up your own online security is start using LastPass. You can install a plugin for every browser on every platform that gives you access to a well encrypted database of all your passwords, enabling you to use a different one for each site. Now all of your passwords can be long and random and much more secure – LastPass will even generate these for you.
LastPass can do much more, like auto-fill forms, but everything you need is available in the free package.
Edited to link to a more detailed analysis by Duo Security:
As with any password dump, one of the most interesting outcomes is the most popular/common passwords chosen by users. The top 25 most common passwords from our cracking results were (count, password):
2516 123456
2188 password
1205 12345678
696 qwerty
498 abc123
459 12345
441 monkey
413 111111
385 consumer
376 letmein
351 1234
318 dragon
307 trustno1
303 baseball
302 gizmodo
300 whatever
297 superman
276 1234567
266 sunshine
266 iloveyou
262 fuckyou
256 starwars
255 shadow
241 princess
234 cheese
The vast majority (99.45%) of the cracked passwords were alphanumeric and did not contain any special characters or symbols.
(via Brief Analysis of the Gawker Password Dump – duosecurity.com)
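The two figures Duo quotes above (a ranked top-N list and the share of purely alphanumeric passwords) are easy to reproduce, and the top-N list is exactly what a site should be checking new passwords against. The script below is an added example, not code from the original post or from Duo Security; it runs over a small constructed sample rather than the real dump, uses a simple leet-substitution normalisation (my own assumption, not something Duo describes) so that ‘passw0rd’ is caught as a variant of ‘password’, and includes a random generator of the kind a password manager provides.

```python
"""Added example: summarise a cracked-password sample the way Duo did for
the Gawker dump, then reuse the top-N list as a denylist. Not code from the
original post or from Duo Security."""
from collections import Counter
import secrets
import string

# Constructed sample standing in for a cracked-password dump; the real
# Gawker data is deliberately not reproduced here.
SAMPLE_DUMP = (
    ["123456"] * 7 + ["password"] * 5 + ["passw0rd"] * 2 + ["qwerty"] * 3
    + ["monkey"] * 2
    + ["letmein", "trustno1", "lifehack", "19850623", "Tr0ub4dor&3",
       "correct horse battery staple", "iloveyou", "abc123"]
)

ASCII_ALNUM = set(string.ascii_letters + string.digits)

# Assumed leet mapping used only to normalise before comparison, so that
# "passw0rd" and "password" collapse to the same string.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def top_passwords(passwords, n=10):
    """Return the n most common passwords as (count, password) pairs,
    highest count first; ties are broken alphabetically so output is stable."""
    counts = Counter(passwords)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(count, pw) for pw, count in ranked[:n]]


def alphanumeric_share(passwords):
    """Fraction of passwords made only of ASCII letters and digits: the
    figure Duo reported as 99.45% for the cracked Gawker set. str.isalnum()
    is avoided because it also accepts non-ASCII letters."""
    if not passwords:
        return 0.0
    alnum = sum(1 for pw in passwords if pw and set(pw) <= ASCII_ALNUM)
    return alnum / len(passwords)


def normalise(password):
    """Lower-case and undo common digit/symbol-for-letter substitutions."""
    return password.lower().translate(LEET)


def build_denylist(passwords, n=10):
    """Normalised set of the n most common passwords in the sample."""
    return {normalise(pw) for _, pw in top_passwords(passwords, n)}


def is_denied(candidate, denylist):
    """True if the candidate matches a denylist entry after normalisation."""
    return normalise(candidate) in denylist


def generate_password(length=20):
    """Random password from letters, digits and punctuation using the
    secrets module, the kind of value a password manager would store."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("Top 5 in the constructed sample:")
    for count, pw in top_passwords(SAMPLE_DUMP, 5):
        print(f"{count:>5} {pw}")
    print(f"Alphanumeric share: {alphanumeric_share(SAMPLE_DUMP):.2%}")
    denylist = build_denylist(SAMPLE_DUMP, 5)
    for candidate in ("PASSW0RD", "Monkey", "correct horse battery staple"):
        print(f"{candidate!r} denied: {is_denied(candidate, denylist)}")
    print("Generated:", generate_password())
```

The denylist is built from the sample's own top-N, but in practice you would feed it the published top lists from dumps like Gawker and RockYou, which is precisely why the same words keep turning up a year apart.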
Most notably, Wordle seems to have missed out on the numeric passwords, particularly ‘123456‘, which beats even ‘password‘.
Edited 14.12.2010 to add some more analysis of the passwords from the Wall Street Journal:
How do Gawker Media users express themselves when no one is watching? While many of their passwords are common phrases like “qwerty,” others appear distinctive to the Gawker community. Where else would “f—you,” “blahblah” and “whatever” rank among the most popular passwords? And why, oh why, is “monkey” in the top 10?
[…] users of Google and Yahoo’s email services are more likely than Microsoft email users to have passwords of eight or more characters. Popular passwords vary, as well: Gmail users are bigger X-Files fans (“trustno1”) and more likely to opt for the slightly clever variant “passw0rd.” Yahoo and Microsoft email users, meanwhile, are much more likely to get sappy with their passwords: “iloveyou.”
(via The Top 50 Gawker Media Passwords – blogs.wsj.com)
I think ‘monkey’ is just a really popular word that most people think of when they are trying to come up with something random. Check out this very familiar list of passwords from the RockYou hack, exactly one year ago (PDF):
Lesson not learned, it seems.
Also, Duo Security have created a special site so you can check the database yourself to see if you ‘got Gawkered’: didigetgawkered.com
Post updated with some better figures from Duo Security
I’m afraid to say I recognise one of my passwords on that list. Fortunately it’s not something I’ve used for about 7 years, and all my passwords these days are numbers, letters and special characters.
Post updated with snazzy bar charts and more numbers…
@irregularshed I used to use a single dictionary word password for non-critical sites, but I’m phasing it out now. Luckily, it’s not a word that seems to be at all common, based on what I’ve seen lately.