Jimmy Ruska's Blog

Most common passwords list from 3 databases
Posted on Saturday, February 28 2009

There have been three instances that I know of where a significant number of hacked account passwords were publicly released. I obtained the lists and made a thorough analysis of each of them, including the most common passwords and character frequencies. In total, there were 116782 passwords.

Singles.org Most Common Passwords

Rank  %     Repetitions  Pass
   1  1.02          417  123456
   2  0.61          250  jesus
   3  0.41          168  password
   4  0.29          118  love
   5   0.2           83  12345678
   6   0.2           83  christ
   7  0.17           68  jesus1
   8  0.16           65  princess
   9  0.16           64  blessed
  10  0.15           63  sunshine
  11  0.13           52  faith
  12  0.13           51  1234567
  13  0.12           50  angel
  14  0.11           44  single
  15  0.11           44  lovely
  16  0.11           43  freedom
  17   0.1           40  blessing
  18   0.1           39  12345
  19   0.1           39  grace
  20   0.1           39  iloveyou
  21  0.09           37  7777777
  22  0.09           37  heaven
  23  0.09           37  angels
  24  0.09           37  shadow
  25  0.09           35  1234
  26  0.08           33  tigger
  27  0.08           32  summer
  28  0.08           31  hope
  29  0.07           30  looking
  30  0.07           29  peace
  31  0.07           29  mother
  32  0.07           29  michael
  33  0.07           29  shalom
  34  0.07           28  rotimi
  35  0.07           28  football
  36  0.07           27  victory
  37  0.07           27  happy
  38  0.07           27  purple
  39  0.07           27  john316
  40  0.07           27  joshua
  41  0.06           26  london
  42  0.06           26  superman
  43  0.06           26  church
  44  0.06           26  loving
  45  0.06           25  computer
  46  0.06           25  mylove
  47  0.06           25  praise
  48  0.06           25  saved
  49  0.06           24  richard
  50  0.06           24  pastor

phpBB Most Common Passwords

Rank  %     Repetitions  Pass
   1  3.03          868  123456
   2  2.19          628  password
   3  1.45          414  phpbb
   4  0.94          269  qwerty
   5  0.82          236  12345
   6   0.6          171  letmein
   7  0.59          168  12345678
   8  0.53          151  1234
   9  0.51          145  test
  10  0.43          124  123
  11  0.38          108  trustno1
  12  0.33           95  dragon
  13  0.32           91  hello
  14  0.31           90  abc123
  15  0.31           88  111111
  16  0.31           88  123456789
  17   0.3           87  monkey
  18  0.29           83  master
  19  0.23           65  killer
  20  0.22           63  123123
  21  0.22           63  computer
  22  0.22           62  asdf
  23   0.2           58  shadow
  24   0.2           58  internet
  25   0.2           58  whatever
  26   0.2           56  starwars
  27  0.17           50  1234567
  28  0.16           47  cheese
  29  0.16           46  pass
  30  0.16           45  matrix
  31  0.16           45  tigger
  32  0.15           44  aaaaaa
  33  0.15           44  pokemon
  34  0.15           44  000000
  35  0.15           43  superman
  36  0.15           43  qazwsx
  37  0.14           40  testing
  38  0.14           40  football
  39  0.14           39  1
  40  0.13           38  blahblah
  41  0.13           36  654321
  42  0.13           36  fuckyou
  43  0.13           36  11111
  44  0.13           36  joshua
  45  0.12           35  helpme
  46  0.12           35  thomas
  47  0.12           35  michael
  48  0.12           35  biteme
  49  0.12           35  forum
  50  0.12           34  secret

Myspace Most Common Passwords

Rank  %     Repetitions  Pass
   1  0.24          112  password1
   2  0.16           77  abc123
   3  0.12           58  password
   4  0.09           45  iloveyou1
   5  0.09           41  iloveyou2
   6  0.09           41  fuckyou1
   7  0.08           38  myspace1
   8  0.08           36  soccer1
   9  0.07           32  iloveyou
  10  0.06           29  iloveyou!
  11  0.05           26  football1
  12  0.05           25  fuckyou
  13  0.05           23  123456
  14  0.05           22  baseball1
  15  0.05           22  soccer
  16  0.05           22  123abc
  17  0.04           20  hello1
  18  0.04           20  qwerty1
  19  0.04           20  summer1
  20  0.04           20  monkey1
  21  0.04           19  password2
  22  0.04           19  nigger1
  23  0.04           19  fuckyou!
  24  0.04           18  nicole1
  25  0.04           18  cheer1
  26  0.04           18  asshole1
  27  0.04           18  fuckyou2
  28  0.04           17  blink182
  29  0.04           17  poop
  30  0.04           17  dancer1
  31  0.04           17  jordan23
  32  0.03           15  football
  33  0.03           14  bitch1
  34  0.03           14  orange1
  35  0.03           14  soccer2
  36  0.03           14  123456a
  37  0.03           14  baseball
  38  0.03           14  eagles1
  39  0.03           13  volcom1
  40  0.03           13  chris1
  41  0.03           13  monkey
  42  0.03           13  flower1
  43  0.03           13  summer06
  44  0.03           12  ashley1
  45  0.03           12  love123
  46  0.03           12  princess1
  47  0.03           12  love
  48  0.03           12  nigga1
  49  0.03           12  fucker1
  50  0.03           12  angel1

All 3 combined 250 most common passwords

Rank  %     Repetitions  Pass
   1  1.12         1308  123456
   2  0.73          854  password
   3  0.35          414  phpbb
   4  0.25          294  qwerty
   5  0.24          281  12345
   6  0.23          265  jesus
   7  0.22          253  12345678
   8  0.17          195  1234
   9  0.16          187  abc123
  10  0.16          185  letmein
  11  0.13          147  test
  12  0.12          143  love
  13  0.11          133  123
  14  0.11          124  password1
  15   0.1          121  hello
  16   0.1          118  monkey
  17   0.1          115  dragon
  18   0.1          112  trustno1
  19  0.09          107  111111
  20  0.09          105  iloveyou
  21  0.09          102  1234567
  22  0.08           98  shadow
  23  0.08           95  123456789
  24  0.08           95  christ
  25  0.08           93  sunshine
  26  0.08           92  master
  27  0.08           90  computer
  28  0.08           88  princess
  29  0.07           84  tigger
  30  0.07           83  football
  31  0.07           79  angel
  32  0.07           76  jesus1
  33  0.07           76  123123
  34  0.07           76  whatever
  35  0.06           74  freedom
  36  0.06           73  killer
  37  0.06           71  asdf
  38  0.06           71  soccer
  39  0.06           71  superman
  40  0.06           71  michael
  41  0.06           66  cheese
  42  0.06           65  internet
  43  0.06           65  joshua
  44  0.05           64  fuckyou
  45  0.05           64  blessed
  46  0.05           63  baseball
  47  0.05           59  starwars
  48  0.05           59  000000
  49  0.05           58  purple
  50  0.05           58  jordan
  51  0.05           58  faith
  52  0.05           57  summer
  53  0.05           57  ashley
  54  0.05           56  buster
  55  0.05           55  heaven
  56  0.05           53  pepper
  57  0.04           52  7777777
  58  0.04           52  hunter
  59  0.04           51  lovely
  60  0.04           51  andrew
  61  0.04           51  thomas
  62  0.04           51  angels
  63  0.04           50  charlie
  64  0.04           50  daniel
  65  0.04           49  1111
  66  0.04           49  jennifer
  67  0.04           49  single
  68  0.04           49  hannah
  69  0.04           48  qazwsx
  70  0.04           48  happy
  71  0.04           48  matrix
  72  0.04           48  pass
  73  0.04           48  aaaaaa
  74  0.04           47  654321
  75  0.04           47  amanda
  76  0.04           47  nothing
  77  0.04           46  ginger
  78  0.04           46  mother
  79  0.04           46  snoopy
  80  0.04           46  jessica
  81  0.04           46  welcome
  82  0.04           45  pokemon
  83  0.04           45  iloveyou1
  84  0.04           45  11111
  85  0.04           45  mustang
  86  0.04           45  helpme
  87  0.04           44  justin
  88  0.04           44  jasmine
  89  0.04           44  orange
  90  0.04           44  testing
  91  0.04           43  apple
  92  0.04           43  michelle
  93  0.04           42  peace
  94  0.04           42  secret
  95  0.04           42  1
  96  0.04           42  grace
  97  0.04           42  william
  98  0.04           41  iloveyou2
  99  0.04           41  nicole
 100  0.04           41  666666
 101  0.04           41  muffin
 102  0.04           41  gateway
 103  0.04           41  fuckyou1
 104  0.03           40  asshole
 105  0.03           40  hahaha
 106  0.03           40  poop
 107  0.03           40  blessing
 108  0.03           40  blahblah
 109  0.03           39  myspace1
 110  0.03           39  matthew
 111  0.03           39  canada
 112  0.03           39  silver
 113  0.03           39  robert
 114  0.03           39  forever
 115  0.03           38  asdfgh
 116  0.03           38  rachel
 117  0.03           38  rainbow
 118  0.03           38  guitar
 119  0.03           37  peanut
 120  0.03           37  batman
 121  0.03           37  cookie
 122  0.03           37  bailey
 123  0.03           37  soccer1
 124  0.03           37  mickey
 125  0.03           37  biteme
 126  0.03           36  hello1
 127  0.03           36  eminem
 128  0.03           36  dakota
 129  0.03           36  samantha
 130  0.03           36  compaq
 131  0.03           35  diamond
 132  0.03           35  taylor
 133  0.03           35  forum
 134  0.03           35  john316
 135  0.03           34  richard
 136  0.03           34  blink182
 137  0.03           34  peaches
 138  0.03           34  cool
 139  0.03           34  flower
 140  0.03           34  scooter
 141  0.03           33  banana
 142  0.03           33  james
 143  0.03           33  asdfasdf
 144  0.03           33  victory
 145  0.03           33  london
 146  0.03           33  123qwe
 147  0.03           33  123321
 148  0.03           32  startrek
 149  0.03           32  george
 150  0.03           32  winner
 151  0.03           32  maggie
 152  0.03           32  trinity
 153  0.03           32  online
 154  0.03           32  123abc
 155  0.03           32  chicken
 156  0.03           32  junior
 157  0.03           32  chris
 158  0.03           31  passw0rd
 159  0.03           31  austin
 160  0.03           31  sparky
 161  0.03           31  admin
 162  0.03           31  merlin
 163  0.03           31  google
 164  0.03           31  friends
 165  0.03           31  hope
 166  0.03           31  shalom
 167  0.03           30  nintendo
 168  0.03           30  looking
 169  0.03           30  harley
 170  0.03           30  smokey
 171  0.03           30  7777
 172  0.03           30  joseph
 173  0.03           30  lucky
 174  0.03           30  digital
 175  0.03           30  a
 176  0.03           30  thunder
 177  0.03           30  spirit
 178  0.02           29  bandit
 179  0.02           29  enter
 180  0.02           29  anthony
 181  0.02           29  corvette
 182  0.02           29  hockey
 183  0.02           29  power
 184  0.02           29  benjamin
 185  0.02           29  iloveyou!
 186  0.02           29  1q2w3e
 187  0.02           29  viper
 188  0.02           29  genesis
 189  0.02           28  knight
 190  0.02           28  qwerty1
 191  0.02           28  creative
 192  0.02           28  foobar
 193  0.02           28  adidas
 194  0.02           28  rotimi
 195  0.02           28  slayer
 196  0.02           28  wisdom
 197  0.02           27  praise
 198  0.02           27  zxcvbnm
 199  0.02           27  samuel
 200  0.02           27  mike
 201  0.02           27  dallas
 202  0.02           27  green
 203  0.02           27  testtest
 204  0.02           27  maverick
 205  0.02           27  onelove
 206  0.02           27  david
 207  0.02           27  mylove
 208  0.02           27  church
 209  0.02           27  friend
 210  0.02           27  god
 211  0.02           27  destiny
 212  0.02           26  none
 213  0.02           26  microsoft
 214  0.02           26  222222
 215  0.02           26  bubbles
 216  0.02           26  11111111
 217  0.02           26  cocacola
 218  0.02           26  jordan23
 219  0.02           26  ilovegod
 220  0.02           26  football1
 221  0.02           26  loving
 222  0.02           26  nathan
 223  0.02           26  emmanuel
 224  0.02           26  scooby
 225  0.02           26  fuckoff
 226  0.02           26  sammy
 227  0.02           26  maxwell
 228  0.02           25  jason
 229  0.02           25  john
 230  0.02           25  1q2w3e4r
 231  0.02           25  baby
 232  0.02           25  red123
 233  0.02           25  blabla
 234  0.02           25  prince
 235  0.02           25  qwert
 236  0.02           25  chelsea
 237  0.02           25  55555
 238  0.02           25  angel1
 239  0.02           25  hardcore
 240  0.02           25  dexter
 241  0.02           25  saved
 242  0.02           25  112233
 243  0.02           25  hallo
 244  0.02           25  jasper
 245  0.02           25  danielle
 246  0.02           25  kitten
 247  0.02           24  cassie
 248  0.02           24  stella
 249  0.02           24  prayer
 250  0.02           24  hotdog

Myspace Phishing: 47380 Account Passwords

In 2006 there was a large-scale phishing attack on Myspace accounts. Someone found the file on the server where the compromised accounts were being saved. 47380 emails and passwords were found. A password analysis was done here and here.

phpBB.com: 28644 Account Passwords

In January 2009 someone noticed an exploit listed on milw0rm for PHPlist, a newsletter manager. They found it was running on phpBB.com's server and used the exploit to steal the passwords of users who logged in over the following weeks. The hacker wasn't caught, but instead made a blogspot account and bragged about it, uploading the entire user database (passwords encrypted) and the usernames and passwords of those who logged in while he or she was in control. 28644 usernames and passwords were uploaded to file sharing sites. A password analysis was done here.

Singles.org: 40758 Account Passwords

On Feb 21 2009 it was discovered that singles.org, a Christian dating network, had no security at all. After logging in and going to 'edit profile', you could see your email, password and other information. The problem was that if you gave someone the link, they could see the same page too, without logging in. Since the only thing that differed from person to person was the userid, people just changed the number to see other people's email and password information. Someone wrote a bot to loop through the pages and captured 40758 usernames and passwords, then released them to the public. It was later confirmed ebaumsworld did it.

Demographics differences of the pass lists

Myspace is mostly teens, phpBB is a forum and singles.org is a Christian dating site. Teens tend to be more up to date on technology and use better passwords. Myspace also requires that the password be at least 6 characters, I believe (the hack was in 2006, so they may not have required a digit yet either). Teens are more likely to use references to pop culture than dictionary words or first names. Also, since the Myspace list comes from a phishing attempt, people who noticed often used the fields to insult the scammer, so there is a lot more noise in that list. People tend to use throwaway accounts on forums like phpBB because they only sign up to get a quick answer. Brute force attacks on phpBB are also much more difficult since it uses captchas and limits login attempts. Singles.org is for Christians, so you'll see more Bible-related passwords.

Brute Force wordlist susceptibility analysis

If I had done a brute force attack on all the users, this is how many accounts I would have compromised with each dictionary. The % indicates how successful the dictionary is as a whole, or equivalently the chance that any individual account is cracked by the associated dictionary.

List          Singles.org     %    phpBB     %   Myspace     %
First names          5009   12%     4602   16%       854    2%
Dictionary           7200   18%    15739   55%      2163    5%
Milw0rm             10743   26%    20878   73%      4027    8%
Insidepro           14264   35%    19807   69%      2904    6%

About the word lists

First names is a list of 5495 first names parsed from ssa.gov and the Wikipedia entry on most common given names. Dictionary is a parsed version of the OpenOffice English dictionary (hunspell, actually) containing 62220 words. Milw0rm is a list of cracked passwords from milw0rm.com that were submitted to their hash cracker. Insidepro is an English wordlist with many common passwords.
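
Added example (not a script from the post): how each cell of the susceptibility table above is computed, as a password audit over a constructed sample. The account passwords and the two tiny wordlists are made up here; the post's real lists and wordlists are not included. It also adds an "Any list" row for the union of all wordlists, which the post does not tabulate.

```python
# Constructed sample data (not the post's lists or wordlists): a handful of
# account passwords and two tiny stand-ins for the "First names" and
# "Dictionary" wordlists described above.
ACCOUNT_PASSWORDS = [
    "michael", "123456", "Jennifer", "jesus1", "t8#kQz!2",
    "london", "love", "rotimi", "Thomas", "sunshine",
]
WORDLISTS = {
    "First names": ["michael", "jennifer", "richard", "thomas", "ashley"],
    "Dictionary": ["love", "london", "password", "summer", "hope", "sunshine"],
}

def normalize(word):
    """Lower-case and strip, applied to passwords and wordlist entries alike,
    so 'Thomas' counts as a hit for the first-name entry 'thomas'."""
    return word.strip().lower()

def coverage(passwords, wordlist):
    """Number of accounts whose password appears in the wordlist, and the
    percentage of all accounts that is (one cell of the table above)."""
    words = {normalize(w) for w in wordlist}
    hits = sum(1 for pw in passwords if normalize(pw) in words)
    return hits, round(100.0 * hits / len(passwords))

def susceptibility(passwords, wordlists):
    """Per-wordlist coverage plus an 'Any list' row for the union of all
    wordlists: the most a combined dictionary run would recover."""
    table = {name: coverage(passwords, words) for name, words in wordlists.items()}
    union = [w for words in wordlists.values() for w in words]
    table["Any list"] = coverage(passwords, union)
    return table

if __name__ == "__main__":
    print(f"{'List':<12}{'Hits':>6}{'%':>5}")
    for name, (hits, pct) in susceptibility(ACCOUNT_PASSWORDS, WORDLISTS).items():
        print(f"{name:<12}{hits:>6}{pct:>4}%")
```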

The problem is that tiny but efficient lists like the first names list can be run against web forms that don't have captchas on their login in a practical amount of time. It's even faster with sites like Twitter and Tumblr that have efficient APIs or ajax-based logins, which send very small amounts of data for validation or can be checked simply by the HTTP return code (e.g. 302 for a failed login redirect and 200 for success). The person who vandalized 33 Twitter profiles actually just ran a brute force dictionary attack against a Twitter admin and found her password was 'happiness'. Twitter probably won't limit login attempts because many Twitter apps rely on connecting to thousands of user accounts from the same servers. Multithreaded, pipelined programs on high-bandwidth connections can easily make several hundred to a few thousand requests per minute. SSL slows things down significantly, but brute forcing is still possible.

Most Common Password Length

Singles.org
Pass Length  Amount  Frequency
          8   12855     31.54%
          6   12712     31.19%
          7    9052     22.21%
          5    3551      8.71%
          4    2207      5.41%
          3     317      0.78%
          2      50      0.12%
          1      10      0.02%

phpbb.com
Pass Length  Amount  Frequency
          6   10072     35.19%
          8    4430     15.48%
          7    4180      14.6%
          5    3804     13.29%
          4    3518     12.29%
          9    1089       3.8%
          3     837      2.92%
         10     327      1.14%
          2     155      0.54%
          1      98      0.34%
         11      63      0.22%
         12      26      0.09%
         13      14      0.05%
         16       4      0.01%
         14       4      0.01%
         15       2      0.01%

Myspace
Pass Length  Amount  Frequency
          7   11558     24.39%
          8   10820     22.84%
          6    8734     18.43%
          9    7693     16.24%
         10    5586     11.79%
         11    1049      2.21%
          5     671      1.42%
          4     500      1.06%
         12     348      0.73%
         13     125      0.26%
         14      71      0.15%
          3      40      0.08%
         16      29      0.06%
         15      22      0.05%
          1      16      0.03%
          2      15      0.03%
         18      13      0.03%
         17      12      0.03%
         63      10      0.02%
         23       9      0.02%
         19       9      0.02%
         20       9      0.02%
         24       5      0.01%
         25       4      0.01%
         22       3      0.01%
         32       3      0.01%
         60       3      0.01%
         21       3      0.01%
         28       3      0.01%

Combined
Pass Length  Amount  Frequency
          6   31518     26.99%
          8   28105     24.07%
          7   24790     21.23%
          9    8782      7.52%
          5    8026      6.87%
          4    6225      5.33%
         10    5913      5.06%
          3    1194      1.02%
         11    1112      0.95%
         12     374      0.32%
          2     220      0.19%
         13     139      0.12%
          1     124      0.11%
         14      75      0.06%
         16      33      0.03%
         15      24      0.02%
         18      14      0.01%
         17      12      0.01%
         20      11      0.01%
         63      10      0.01%
         23       9      0.01%
         19       9      0.01%

Character Frequency Analysis

Shows which numbers, letters, etc. occur most often in the passwords and at what percentage. See the Wikipedia article on letter frequency for comparison with ordinary English text. Targeted character sets can be used to brute force longer possibilities more quickly at a reasonable pace.

Singles.org
Letter  Amount  Frequency  ASCII
     e   23875      8.84%  0x65
     a   21970      8.13%  0x61
     o   16234      6.01%  0x6f
     s   15120       5.6%  0x73
     i   14651      5.42%  0x69
     n   13985      5.18%  0x6e
     r   13733      5.08%  0x72
     l   12971       4.8%  0x6c
     t   10205      3.78%  0x74
     m    8793      3.25%  0x6d
     1    8348      3.09%  0x31
     d    8112         3%  0x64
     c    7484      2.77%  0x63
     h    7174      2.66%  0x68
     u    6859      2.54%  0x75
     y    6637      2.46%  0x79
     b    6465      2.39%  0x62
     g    6145      2.27%  0x67
     2    6026      2.23%  0x32
     p    5198      1.92%  0x70
     0    4742      1.75%  0x30
     k    4495      1.66%  0x6b
     3    4417      1.63%  0x33
     7    4111      1.52%  0x37
     4    4047       1.5%  0x34
     5    3602      1.33%  0x35
     j    3558      1.32%  0x6a
     6    3525       1.3%  0x36
     f    3192      1.18%  0x66
     9    3122      1.16%  0x39
     w    3066      1.13%  0x77
     v    3005      1.11%  0x76
     8    2824      1.05%  0x38
     z    1242      0.46%  0x7a
     x     827      0.31%  0x78
     q     371      0.14%  0x71
     _      63      0.02%  0x5f
     @       4         0%  0x40
     .       4         0%  0x2e

phpbb
Letter  Amount  Frequency  ASCII
     e   15716      8.95%  0x65
     a   15434      8.79%  0x61
     o   11093      6.32%  0x6f
     r   10766      6.13%  0x72
     s   10421      5.93%  0x73
     n    9343      5.32%  0x6e
     i    9210      5.24%  0x69
     t    8391      4.78%  0x74
     l    7657      4.36%  0x6c
     m    5724      3.26%  0x6d
     d    5679      3.23%  0x64
     1    5488      3.13%  0x31
     p    5435       3.1%  0x70
     c    4961      2.83%  0x63
     h    4793      2.73%  0x68
     b    4286      2.44%  0x62
     2    3643      2.07%  0x32
     u    3586      2.04%  0x75
     g    3224      1.84%  0x67
     3    3210      1.83%  0x33
     w    3197      1.82%  0x77
     k    3079      1.75%  0x6b
     y    2966      1.69%  0x79
     4    2346      1.34%  0x34
     f    2264      1.29%  0x66
     5    2241      1.28%  0x35
     6    1924       1.1%  0x36
     0    1333      0.76%  0x30
     v    1332      0.76%  0x76
     j    1130      0.64%  0x6a
     x     970      0.55%  0x78
     q     963      0.55%  0x71
     8     957      0.54%  0x38
     7     957      0.54%  0x37
     z     943      0.54%  0x7a
     9     798      0.45%  0x39
     *      87      0.05%  0x2a
     @      10      0.01%  0x40
 space       7         0%  0x20
     .       6         0%  0x2e
     ;       6         0%  0x3b
     $       5         0%  0x24
     #       3         0%  0x23
     !       3         0%  0x21
     -       2         0%  0x2d
     ^       2         0%  0x5e
     /       2         0%  0x2f
     ,       2         0%  0x2c
     %       2         0%  0x25
     `       1         0%  0x60
     &       1         0%  0x26
     ~       1         0%  0x7e
     _       1         0%  0x5f

MySpace
Letter  Amount  Frequency  ASCII
     e   28732      7.71%  0x65
     a   26097         7%  0x61
     1   23357      6.27%  0x31
     o   20336      5.46%  0x6f
     s   18222      4.89%  0x73
     i   18032      4.84%  0x69
     r   17489      4.69%  0x72
     l   17061      4.58%  0x6c
     n   15956      4.28%  0x6e
     t   13227      3.55%  0x74
     2   12751      3.42%  0x32
     c   11535       3.1%  0x63
     m   10592      2.84%  0x6d
     b    9094      2.44%  0x62
     d    9086      2.44%  0x64
     y    9067      2.43%  0x79
     h    9012      2.42%  0x68
     u    8526      2.29%  0x75
     3    8436      2.26%  0x33
     0    8421      2.26%  0x30
     k    7508      2.02%  0x6b
     p    7119      1.91%  0x70
     g    6804      1.83%  0x67
     4    5892      1.58%  0x34
     9    5786      1.55%  0x39
     8    5327      1.43%  0x38
     5    5238      1.41%  0x35
     6    5118      1.37%  0x36
     7    4751      1.28%  0x37
     f    4532      1.22%  0x66
     w    3962      1.06%  0x77
     v    3768      1.01%  0x76
     j    3454      0.93%  0x6a
     !    1899      0.51%  0x21
     z    1547      0.42%  0x7a
     x    1501       0.4%  0x78
     .    1080      0.29%  0x2e
     q     561      0.15%  0x71
     *     303      0.08%  0x2a
 space     227      0.06%  0x20
     -     176      0.05%  0x2d
     $     139      0.04%  0x24
     @     128      0.03%  0x40
     _     122      0.03%  0x5f
     <     110      0.03%  0x3c
     ?      83      0.02%  0x3f
     '      68      0.02%  0x27
     ;      64      0.02%  0x3b
     ,      52      0.01%  0x2c
     =      35      0.01%  0x3d
     /      29      0.01%  0x2f
     `      28      0.01%  0x60
     :      26      0.01%  0x3a
     ]      23      0.01%  0x5d
     )      19      0.01%  0x29
     ~      12         0%  0x7e
     (      12         0%  0x28
     %      11         0%  0x25
     [       9         0%  0x5b
     ^       7         0%  0x5e
     >       4         0%  0x3e
     }       3         0%  0x7d
     "       3         0%  0x22
     {       2         0%  0x7b
     n       1         0%  0xfc
     S       1         0%  0xe4
     ²       1         0%  0xfd
     Ö       1         0%  0x99
     G       1         0%  0xe2
     É       1         0%  0x90
     |       1         0%  0x7c
     ¬       1         0%  0xa9
     í       1         0%  0xa1

All Combined
Letter  Amount  Frequency  ASCII
     e   68323      8.35%  0x65
     a   63501      7.76%  0x61
     o   47663      5.82%  0x6f
     s   43763      5.35%  0x73
     r   41988      5.13%  0x72
     i   41893      5.12%  0x69
     n   39284       4.8%  0x6e
     l   37689      4.61%  0x6c
     1   37193      4.54%  0x31
     t   31823      3.89%  0x74
     m   25109      3.07%  0x6d
     c   23980      2.93%  0x63
     d   22877       2.8%  0x64
     2   22420      2.74%  0x32
     h   20979      2.56%  0x68
     b   19845      2.42%  0x62
     u   18971      2.32%  0x75
     y   18670      2.28%  0x79
     p   17752      2.17%  0x70
     g   16173      1.98%  0x67
     3   16063      1.96%  0x33
     k   15082      1.84%  0x6b
     0   14496      1.77%  0x30
     4   12285       1.5%  0x34
     5   11081      1.35%  0x35
     6   10567      1.29%  0x36
     w   10225      1.25%  0x77
     f    9988      1.22%  0x66
     7    9819       1.2%  0x37
     9    9706      1.19%  0x39
     8    9108      1.11%  0x38
     j    8142      0.99%  0x6a
     v    8105      0.99%  0x76
     z    3732      0.46%  0x7a
     x    3298       0.4%  0x78
     !    1902      0.23%  0x21
     q    1895      0.23%  0x71
     .    1090      0.13%  0x2e
     *     390      0.05%  0x2a
 space     234      0.03%  0x20
     _     186      0.02%  0x5f
     -     178      0.02%  0x2d
     $     144      0.02%  0x24
     @     142      0.02%  0x40
     <     110      0.01%  0x3c
     ?      83      0.01%  0x3f
     ;      70      0.01%  0x3b
     '      68      0.01%  0x27
     ,      54      0.01%  0x2c
     =      35         0%  0x3d
     /      31         0%  0x2f
     `      29         0%  0x60
     :      26         0%  0x3a
     ]      23         0%  0x5d
     )      19         0%  0x29
     ~      13         0%  0x7e
     %      13         0%  0x25
     (      12         0%  0x28
     [       9         0%  0x5b
     ^       9         0%  0x5e
     >       4         0%  0x3e
     "       3         0%  0x22
     #       3         0%  0x23
     }       3         0%  0x7d
     {       2         0%  0x7b
     Ö       1         0%  0x99
     &       1         0%  0x26
     S       1         0%  0xe4
     ²       1         0%  0xfd
     ¬       1         0%  0xa9
     |       1         0%  0x7c
     É       1         0%  0x90
     G       1         0%  0xe2
     í       1         0%  0xa1
     n       1         0%  0xfc
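
Added example, not the post's own tooling: the three kinds of table in this post (most common passwords with rank, % and repetitions; password length distribution; character frequency with the ASCII code) computed over a constructed sample list. The sample passwords are made up here; in practice you would read one password per line from a file, and the hex column is what disambiguates a glyph such as a space or a mis-rendered non-ASCII byte.

```python
from collections import Counter

# Constructed sample of leaked passwords (not data from the post), standing in
# for one of the three lists; in practice read one password per line from a file.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "jesus", "jesus", "password",
    "love", "jesus1", "princess", "12345678", "christ", "abc123",
]

def most_common(passwords, top=5):
    """(rank, percent, repetitions, password) rows like the post's 'Most Common
    Passwords' lists; percent is of all accounts, rounded to two decimals."""
    total = len(passwords)
    counts = Counter(passwords)
    return [(rank, round(100.0 * n / total, 2), n, pw)
            for rank, (pw, n) in enumerate(counts.most_common(top), start=1)]

def length_distribution(passwords):
    """(length, amount, frequency percent) rows, most frequent length first."""
    total = len(passwords)
    counts = Counter(len(pw) for pw in passwords)
    return sorted(((ln, n, round(100.0 * n / total, 2)) for ln, n in counts.items()),
                  key=lambda row: (-row[1], row[0]))

def char_frequency(passwords):
    """(char, amount, frequency percent, hex code) rows over every character
    of every password, most frequent first; percent is of all characters."""
    counts = Counter(ch for pw in passwords for ch in pw)
    total = sum(counts.values())
    return [(ch, n, round(100.0 * n / total, 2), "0x%02x" % ord(ch))
            for ch, n in counts.most_common()]

def print_report(passwords):
    print("Rank  %      Repetitions  Pass")
    for rank, pct, n, pw in most_common(passwords):
        print(f"{rank:>4}  {pct:<5}  {n:>11}  {pw}")
    print("\nPass Length  Amount  Frequency")
    for ln, n, pct in length_distribution(passwords):
        print(f"{ln:>11}  {n:>6}  {pct:>8}%")
    print("\nLetter  Amount  Frequency  ASCII")
    for ch, n, pct, code in char_frequency(passwords):
        print(f"{ch!r:>6}  {n:>6}  {pct:>8}%  {code}")

if __name__ == "__main__":
    print_report(SAMPLE_PASSWORDS)
```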

Someone could have a database with your info on it

It's possible your account information has already been hacked before. Huge sites like thepiratebay, reddit, stage6, Kaspersky, online credit card payment services, BitDefender and monster.com (several times), to name a few, have all been hacked or had backup drives stolen. Given that it's pretty damaging information, it would be no surprise if companies don't report such things. Singles.org said it reset all the passwords for 'maintenance' instead of acting immediately and urging all users to change their passwords on any other account that used the same one. In the meantime, screenshots of vandalized Facebook profiles, emails sent to everyone in the address book saying the person has AIDS or has converted to Islam, and even abused PayPal and Amazon Payments accounts were showing up. It's also possible the site administrators don't even realise their server has been compromised, and the hacker can log every password for as long as they go undetected, as in the case of the phpBB hack. If your information is being sent to another server when you click login, it doesn't make a difference how your password is hashed in the database. Even if your passwords are stored as one-way hashes, brute force attacks are possible, and as CPU and GPU capabilities increase, passwords only get weaker and easier to crack. Myspace, YouTube, Facebook accounts, etc. are relatively safe so long as they have a captcha. You're more likely to get your password hacked from some random not-so-popular site or forum that you might have long forgotten about by now.

Final Notes

It's a shame that people's usernames are often longer and much harder to guess than their actual passwords. More time is spent thinking of a unique username than a password, because most usernames are already taken on sites with a huge userbase. You should never use the same password for all your accounts, and should always use a completely different password for your email, one you use nowhere else. Recently a lot of screenshots of vandalism using singles.org email and Facebook accounts have popped up. Once a hacker gets into your email they can get all the other passwords you might use for different accounts. People don't think hackers would go out of their way to hurt them personally, but it's usually the case that they get their hands on a database and just go through the list without personally knowing anyone, looking for financial data or just being trolls. Many sites are hacked by script kiddies with no programming skills who lurk for exploits they can copy and paste, and use their favorite apps to try to brute force the encrypted passwords.

The Myspace list has a higher probability of inaccuracy, as several people could have noticed it was a phishing site and filled it out inaccurately just to flood it, or put in offensive things attacking the person phishing. I tried to filter out the obvious fake responses and remove duplicates. There's always the chance people made several accounts with different email addresses, which skews the results; this shouldn't skew them too much given the number of accounts.

More Analysis to come maybe

  1. What percentage of accounts would have been hacked after x time of being brute forced (all possibilities, not wordlists) using CUDA GPU bruteforcers, if the passwords were stored as MD5.
  2. What percentage of accounts have numbers at the end, and which are the most common, e.g. 0-9, 007, 666, 2009.
  3. More dictionary tests.
  4. % only alphanumeric and numeric.
