In December 2009, the RockYou.com website was attacked by hackers. The attack was successful and resulted in the illegal disclosure of a text database containing 32.6 million stolen passwords of the website's users. This major leak of confidential data has allowed us to take a look at how people create their passwords and to do a very simple security audit from the viewpoint of an external observer. To collect and process statistical data, we used Windows Password Recovery tool.
It's hard to find something more complex than "123" among the most popular passwords, so the top 20 is not surprising at all. As you can see, the most popular password ("123456") is far ahead of the pack. Its popularity is amazing even in numbers: 290,000 out of 32 million records. One of our associates suggested that a database where the 10 most popular passwords count more than 1 percent of records should be considered as insecure. In the RockYou.com database, this "insecurity factor" is exceeded 2 times. When analyzing popular passwords, we categorized them by common attributes into several groups:
- Dictionary passwords, that is, words like "password," "monkey," and so on, make one of the most stable groups.
- Digital passwords based on easily memorized numeric combinations, phone numbers, document numbers, birth dates, and more make another group, which is as stable as the previous one, and maybe even more popular.
- Passwords based on names and their derivatives. For example, a user may use the name of himself, his pet, some city, some place, and so on.
- Passwords based on keyboard combinations, such as "abc123," "qwerty," etc.
- Emotional passwords, such as "iloveyou," "hateu," "lovely," "ihatemyboss," or "ILoveJohn."
A password's length is an important factor of its resistance against attacks. You can say the longer the password, the harder it is to break it. But don't forget that this unstable equilibrium can be easily lost if the long password is "successfully" forgotten by the user after a lively party with lots of drinks. Some users put sticky notes with passwords right onto their monitors, but the majority are even less sophisticated and prefer easily remembered passwords consisting of at most 7 or 8 characters.
As you can see on the chart, the most popular passwords are 6, 8, or 7 characters in length. That's more than 65 percent of all passwords. It means that 2 of 3 passwords can be easily brute-forced.
Curiously enough, some users choose obscenely long passwords consisting of more than 20 characters, word combinations, or phrases. Here are some of these wonderful passwords (did you really think that nobody knows what you are typing?):
Hahaithinkilovejessebutthenagainmaybenotcuzheisadiknob
Lets you come back for your Countdown Timer
me plus food equals more sleep each night
tommmmmmmmmmmmmmmmmmmmmmmmmmmm
truongcaodangcongdonghaiphong
icantbelievethisshit.12345
banditbanditbandit1bandit1bandit1banditbandit
11111111111111111111111111111111111111111111
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
FUCKSCHOOLANDALLTHETEACHERSINIT
ilovepalmermyfuturehusband
1delightyourselfinthelord!
Imaprincessbecausemyfatheristheking
iluvanjabisset4evashesmawebaexxx
stuartandchrisrmybestmatesforeva
thisismypasswordyoullnevergetit
click here to => Download Rockyou
thanks for visit mdhacker.net if you want any help then contact us on admin@mdhacker.net
Blogger Comment