10000 most common passwords12/7/2023 ![]() Even worse, I kept coming across journalists publishing their own list of ‘the 10 (or 20, or 25) bad passwords’. (It would be a very weak dictionary attack that didn’t try adding a series of digits to strings in its dictionary.)Īfter I wrote some articles and a paper or two about password- and PIN-related issues, I found myself contacted by PR agencies and reporters every time someone came out with a new list, or a database of credentials was stolen and dumped onto Pastebin. Maybe primetime21 fares even better because primetime is technically not quite a dictionary word (though it concatenates two dictionary words and certainly exists as the name of a TV channel), even though its numeric component consists of appended digits. iloveyou! probably gains favor because strength meters like passwords that include punctuation characters. Perhaps ncc1701 fares better according to some meters because it doesn’t include a dictionary word (though it is, of course, the instantly recognizable number of the Starship Enterprise, which is why so many people use it). ![]() All the others considered abc123 weak, even though it consists of a mix of letters and numbers, perhaps because it features two strictly serial sequences (abc and 123). So how do these meters reach their conclusions? Well, one of them considered all five of those passwords ‘good’, so maybe it doesn’t have any negative criteria. Nor was primetime21 or anything close to it. iloveyou! wasn’t included, though iloveyou was. And yes, abc123, trustno1, and ncc1701 could be found there (the list was very trivially obfuscated). At one time, Twitter used a script to check passwords created by its users against a list of strings: if someone tried to set a password that was found on the list, it would not be allowed. That’s not to say that the lists are only used by password crackers. And the fact that trustno1, confirmed by at least one other list to be far more common than ncc1701 , is categorized as medium, suggests that ranking (or appearing at all) on such lists is not one of the categorization criteria applied by the Microsoft meter or, apparently, any of the five tested by Stockley. The number in the first column represents their ranking in the list of 10,000 most common passwords at .Ĭlearly, there isn’t a separate category for ‘Don’t use this password because an awful lot of other people already do so hackers will find it quickly ’. Here are the categories assigned by the checker. I tried the same passwords against the Microsoft checker, which wasn’t one of those tested by Stockley. Obviously, some are better than others and you have to expect some variation in categorization. There are any number of algorithms that might be used to assess the effectiveness of a given string used as a passphrase. Use of character substitutions (such as 0 for ‘o’, or 4 for ‘a’).(To take a simple example, when people append a number to their password which is augmented every time they’re required to change it, that offers no effective barrier to password-cracking software.) The types of character used: alphabetical, numeric, symbols and special characters, and where they’re placed in relation to the other characters.Variety of characters – a very long password consisting of the same repeated character is not resistant to password cracking software.There are a number of characteristics you can use to assess the strength and entropy (randomness or unpredictability) of a password or, preferably, passphrase, such as: Why did they fail so spectacularly? The answer lies in the fact that the harshest categorization is ‘weak’. Well, I won’t disagree: the results are inconsistent between meters and the classifications are misleading, unless you believe that ‘iloveyou!’ or even ‘abc123’ are good passwords. One meter categorized all five as good, another classified two of them as good. Ten were classified as weak by various meters, six as medium, and two as ‘norm’ (normal, presumably).Ī password strength meter that doesn’t reject all five out of hand is not up to the job of measuring password strength. He took five of the 10,000 most common passwords, according to, all of which the cracking software John The Ripper cracked more or less instantly, and then ran them against five plug-in strength meters. However, an article by Mark Stockley for Sophos suggests that a poor meter may be worse than useless. I can’t vouch for how good it is, but a lot of people seem to find it helpful to have some guidance. If you’re not confident of your ability to create a sound password, you might use a password strength meter like Microsoft’s. After all, this issue is not just technological, but psychological and even ergonomic. I’ve spent a depressingly large proportion of the last few years writing about the fact that so few people recognize that they’re using poor password and PIN selection strategies.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |