Of the 742 million entries, there were only 169 million unique passwords, which gives you an idea of how frequently we use obvious passwords. The most common 1,000 passwords were 6.6% of the total, and less that 9% of the passwords were found only once.
There was a little good news: The average length of the passwords was 9.48 characters, which means that all the nagging about creating longer passwords is paying off.
By contrast, the median (if not mean) length in the famousRockYou data breach(opens in new tab) of 2009 was about 7 characters. (Hakçıl chose not to include the 32 million RockYou entries because they’ve been so widely studied.)
Same old song
But that’s still far outweighed by the bad news. The RockYou database’s most-used password is also “123456.” In fact, of the top 20 old RockYou passwords, entered between 2005 and 2009, seven are also in Hakçıl’s brand-new Top 20 list: 123456, 12345, 123456789, iloveyou, 1234567, 12345678 and abc123.
Two others came close but not quite, with “Password” and “Qwerty” appearing in the RockYou Top 20, but “password” and “qwerty” in Hakçıl’s Top 20. (We’re not sure why that occurred, but RockYou may have required the inclusion of upper-case letters at some point.)
Only 12% of the passwords Hakçıl examined contained “special” characters, such as punctuation marks, that are found on common QWERTY keyboards but are not letters or numbers: ? < , > & ^ and so on. Including such characters goes a long way to beefing up a password’s strength against password crackers.
By contrast, nearly 29% of the passwords were compromised of letters only, and more than 26% of the total were lowercase only. More than 13% consisted of only digits.
In an indication of how people form passwords, more that 34% of passwords that mixed letters and numbers ended with the numbers — e.g. “qwerty123” — but only 4.5% started with the numbers.
Mystery pattern in the data
Hakçıl did find one surprising thing — some 763,000 10-character passwords of gibberish that nevertheless followed a predictable pattern.
“They all start and end with uppercase characters,” Hakçıl wrote. “None of them seem to have a keyboard pattern or meaningful word in them” and “they don’t contain special characters.”
Even though the passwords appeared to be machine-generated, several of them appeared to have been reused, possibly indicating a flaw in a password-generation algorithm.
“I have no idea what this uncovers and what it implies, but I’m suspecting a password manager out there is creating passwords with low entropy, causing repetitions over a lot of users,” Hakçıl wrote. “All the ideas about this are welcome and appreciated.”
Hakçıl started with about 1 billion pairs of credentials (passwords and usernames), but had to toss out more than 257 million pairs for being either unreadable or obviously test accounts.
How to create and manage passwords
To make sure to limit the extent of a data breach upon your account security, make sure that all of your passwords are long, strong and unique.
Length is currently the most important factor, as a 20-character password of random lowercase letters has less chance of being “cracked” than a 12-character password made up of lowercase and uppercase letters, digits and punctuation marks and other special characters.
But ideally, you’d want a long password of at least 15 characters made of absolute gibberish containing all four types of characters found on a common QWERTY computer keyboard.
To create and remember such passwords, and to make sure none of them is repeated, there’s no better solution that to use one of the best password managers.
The 100 worst passwords of 2020
Here are the 100 most commonly passwords, according to Hakçıl’s analysis. You shouldn’t be using any of these for any of your accounts.
- f***you [censored — the missing letters rhyme with “duck”]