Weak Passwords

Recent studies show that easily guessed passwords are still in frequent use and that these passwords are not as obvious as they might appear.

NordPass data from 2019 to 2022 unsurprisingly reveals the top two passwords as ‘password’ and ‘123456’, with a combined count of over 6 million records in 2022. The figures come from a list comprising a ‘4.3TB database extracted from various publicly available sources, including those on the dark web’. The data has been categorised by country of origin and purpose (for example eCommerce or social media). Obviously the report does not detail exactly where these passwords have been used. An unknown proportion could be linked to throwaway accounts created to access some service, such as a shopping cart that is never checked out or a one-time download, and never visited again. Any such practice should only ever be combined with equally throwaway or invalid emails or account names, as a valid working email has real value to the hacker or spammer.

The 2022 SpecOps weak password report identifies a worrying trend in the exploitation of unusual but still frequently used passwords. There is a trade in lists of known passwords and the hacker will use these as a dictionary attack on user accounts. One such list, RockYou2021, contained roughly 8.5 × 10^9 records. Going through such a list is still more efficient than brute-force guessing a password. For example, an alphanumeric password of length 6 would choose 6 elements from 52 (capital and lowercase) letters and 10 numbers (0-9). That would be 62^6 or 56,800,235,584 combinations (roughly 5.6 × 10^10); nearly 10 times as slow as the dictionary. Adding special characters and making the required length longer further reduces the chance of a brute-force attack succeeding. Indeed, if the hacker assumes that a password must contain special characters or a mix of capital and lower case then their word list can be cut back. There is no gain here by including ‘password’, but ‘Pa55word’ has at least some chance of working. Another ‘trick’ linked to password lists is not to attack a single account with a long list of possible words but instead to target a great many accounts with a small number of likely passwords, and hence avoid lockouts or the possibility of the attacks being detected and blocked.
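
The two ideas in the paragraph above, the size of a brute-force keyspace and the difference between hammering one account and spraying a few passwords across many accounts, can be made concrete from the defender's side. The Python below is an added example, not code from the post or from SpecOps; the log format, the addresses and the account names are constructed, and the thresholds (five distinct accounts inside a five-minute window for spraying, five tries on one account for brute force) are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def keyspace(charset_size, length):
    """Candidates a brute-force search must cover: 62**6 for the post's example."""
    return charset_size ** length


# Constructed failed-login records in a made-up format, not real log data:
# "<timestamp> FAIL user=<account> src=<address>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:09 FAIL user=erin src=203.0.113.7
2024-05-01T09:00:11 FAIL user=frank src=203.0.113.7
2024-05-01T09:00:02 FAIL user=alice src=198.51.100.4
2024-05-01T09:00:04 FAIL user=alice src=198.51.100.4
2024-05-01T09:00:06 FAIL user=alice src=198.51.100.4
2024-05-01T09:00:08 FAIL user=alice src=198.51.100.4
2024-05-01T09:00:10 FAIL user=alice src=198.51.100.4
2024-05-01T09:00:12 FAIL user=alice src=198.51.100.4
2024-05-01T09:30:00 FAIL user=grace src=192.0.2.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source)."""
    ts, _, user, src = line.split()
    return datetime.fromisoformat(ts), user.partition("=")[2], src.partition("=")[2]


def classify_failures(log_text, window=timedelta(minutes=5),
                      spray_users=5, brute_attempts=5):
    """Per source address, decide whether its failures look like password
    spraying (many accounts, few tries each) or a single-account brute force
    (one account, many tries) inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, src = parse_line(line)
            by_src[src].append((ts, user))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        max_distinct, max_single = 0, (0, None)
        start = 0
        for end in range(len(events)):
            # advance the window start until every event in view fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            max_distinct = max(max_distinct, len(per_user))
            user, count = max(per_user.items(), key=lambda kv: kv[1])
            if count > max_single[0]:
                max_single = (count, user)
        if max_distinct >= spray_users:
            findings[src] = ("spray", max_distinct)
        elif max_single[0] >= brute_attempts:
            findings[src] = ("bruteforce", max_single[1])
    return findings


if __name__ == "__main__":
    print(f"62^6 = {keyspace(62, 6):,} candidates")
    for src, finding in classify_failures(SAMPLE_LOG).items():
        print(src, finding)
```

The per-account lockout that stops the second source (six tries against `alice`) never fires for the first, which touches six accounts once each; that is exactly why the detection has to be keyed on the source rather than on the account.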

The uncommon but often used passwords fall into two categories: those related to some popular theme, and those that appear random but are actually linked to keyboard characters that are easy to reach. Seasons of the year, popular sports teams, films and music artists were all commonly found on breached password lists. For example the password ‘Cincinnati Reds’ appeared almost 150,000 times. This sort of information would be of more use to the hacker if they knew where the related account was based. Other popular choices included figures from cultures that might be seen as connected to someone with an interest in computers. These included Star Wars, Marvel and DC themes.

Of the less predictable passwords, the following are the top 10 used in real attacks on passwords of 12 characters or more:

  • ^_^$$wanniMaBI:: 1433 vl
  • almalinux8svm
  • dbname=template0
  • shabixuege!@#
  • P@$$W0rd0123
  • P@ssw0rd5tgb
  • adminbigdata
  • Pa$$w0rdp!@#
  • adm1nistrator1
  • administrator!@#$
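
Most of the entries in that list are a common base word dressed up with the substitutions and trailing symbols mentioned earlier (‘P@$$W0rd0123’ is still ‘password’). A password policy that only counts length and character classes accepts all of them. The check below is an added example, not code from the post; it reverses the usual substitutions and strips trailing digits and symbols before comparing against a blocklist. The blocklist, the minimum length of 12 and the substitution table are constructed assumptions, and a real deployment would check against a full breached-password list rather than six words.

```python
import re

MIN_LENGTH = 12

# Constructed blocklist of base words (real breached-password lists run to
# billions of entries); longest first so 'administrator' wins over 'admin'.
COMMON_BASES = ("administrator", "password", "welcome", "letmein", "qwerty", "admin")

# Undo the usual character substitutions so 'Pa55word' collapses to 'password'.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})


def normalise(pw):
    """Lower-case, drop trailing digits/symbols, then reverse substitutions."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(SUBSTITUTIONS)


def check_password(pw):
    """Return the reasons a candidate password would be rejected (empty list = passes)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    core = normalise(pw)
    for base in COMMON_BASES:
        if core.startswith(base):
            reasons.append(f"built on common word '{base}'")
            break
    return reasons


if __name__ == "__main__":
    # The post's own top-10 entries, run through the check.
    for pw in ("P@$$W0rd0123", "P@ssw0rd5tgb", "adminbigdata", "Pa$$w0rdp!@#",
               "adm1nistrator1", "administrator!@#$", "almalinux8svm",
               "dbname=template0", "shabixuege!@#"):
        print(f"{pw!r:22} -> {check_password(pw) or 'passes'}")
```

Six of the nine listed entries are rejected as variants of ‘password’, ‘admin’ or ‘administrator’ even though every one of them satisfies a 12-character, mixed-class policy; the remaining three only pass because the tiny constructed blocklist does not contain them.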

Any user should avoid using the same password, or the same pattern of password, across many accounts, as a breach of a ‘relatively harmless’ account may yield a user name and password combination that is the key to valuable data. Tracking the appearance of user name and password combinations will also give the hacker insights into the online presence of their target that might be used for more sophisticated attacks. This remains useful even if the password itself is hashed, because if the same hash algorithm has been used then the activity of that user is still traceable. A password manager reduces the need for users to remember all these combinations, although it is less useful in situations such as the administration of IoT devices.
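
The traceability point depends on how the hash was produced, and that is worth seeing rather than asserting. The Python below is an added example, not code from the post: it hashes one reused password the way two different sites might store it. With a plain unsalted hash the two stored values are identical, so a reused password can be matched across breached dumps without ever being cracked; with a per-user salt (PBKDF2-HMAC-SHA256 here) the stored values differ and the link disappears. The password is the ‘Cincinnati Reds’ entry from the post; the two salts are constructed fixed values standing in for what each site would generate with `os.urandom(16)`, and the iteration count is an assumption.

```python
import hashlib
import hmac

# One person reuses this password (a real entry from the breached lists
# discussed above) on two unrelated sites.
PASSWORD = "Cincinnati Reds"

# Constructed per-user salts; a site would generate these with os.urandom(16)
# and store them beside the hash. Fixed here so the example is reproducible.
SITE_A_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SITE_B_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def unsalted_hash(password):
    """Plain SHA-256: identical output wherever the same password is used."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a per-user salt: output differs per site."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def same_credential(hash_a, hash_b):
    """Would someone holding both dumps see these as the same password?"""
    return hmac.compare_digest(hash_a, hash_b)


def unsalted_traceable():
    """Same password, same unsalted algorithm on both sites: the dumps line up."""
    return same_credential(unsalted_hash(PASSWORD), unsalted_hash(PASSWORD))


def salted_traceable():
    """Same password, but each site used its own salt: nothing to join on."""
    return same_credential(salted_hash(PASSWORD, SITE_A_SALT),
                           salted_hash(PASSWORD, SITE_B_SALT))


def verify(password, salt, stored_hash):
    """Site-side login check: recompute with the stored salt and compare."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hash)


if __name__ == "__main__":
    print("unsalted hashes match across sites:", unsalted_traceable())
    print("salted hashes match across sites:  ", salted_traceable())
    stored = salted_hash(PASSWORD, SITE_A_SALT)
    print("correct password verifies:", verify(PASSWORD, SITE_A_SALT, stored))
    print("wrong password verifies:  ", verify("wrong", SITE_A_SALT, stored))
```

Salting removes the cross-site join but does nothing for the user who reused the password: once one site's copy is cracked, the plaintext still works at the other. The defender's fix for that is the one the paragraph gives, a different password per account.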
