PHREAK: Alright, what are the three most commonly used passwords?
JOEY: love, secret, and uh, sex. But not in that order, necessarily, right?
CEREAL: Yeah but don’t forget GOD. System operators love to use GOD. It’s that whole male ego thing.
Analyses of various password leaks:
- 32 million RockYou passwords (December 2009)
- 47,380 phished MySpace passwords (2006), 28,644 phpBB.com mailing list passwords (January 2009), and 40,758 singles.org passwords (February 2009)
- 10,000 phished Hotmail passwords (October 2009)
- 8,000 Comcast passwords (March 2009)
I think it is interesting that as bad as the passwords in Hackers seem, the passwords people actually use are somehow even worse. Where it’s allowed, 123456 always takes the number one spot, usually by a huge margin; in the RockYou leak, 123456 was used 4x more than its closest competitor (12345). When purely numeric passwords are forbidden, password is the clear winner, and continues to take the number one spot as requirements are added.
- Require a capital letter? Password
- Number? password1
- Both? Password1
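The pattern above suggests the check a password policy actually needs. This is an added example, not code from the original post: it normalizes a candidate before comparing it to a denylist, so Password1 is rejected even though it satisfies the composition rules. The function names are hypothetical, and the denylist holds only the passwords named on this page.

```python
import re

# Base words taken from the passwords named on this page.
COMMON_BASES = {"password", "love", "secret", "sex", "god"}
# Purely numeric passwords named on this page.
COMMON_NUMERIC = {"123456", "12345"}


def meets_composition_rules(pw, need_upper=True, need_digit=True):
    """The kind of rule the post describes: require a capital and/or a number."""
    if need_upper and not any(c.isupper() for c in pw):
        return False
    if need_digit and not any(c.isdigit() for c in pw):
        return False
    return True


def normalize(pw):
    """Undo the minimal changes users make to satisfy composition rules:
    lowercase everything, then drop trailing digits and punctuation."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_common(pw):
    """True if the password is a listed one or a trivial variant of it."""
    if pw in COMMON_NUMERIC:
        return True
    return normalize(pw) in COMMON_BASES


def check(pw, **rules):
    """Return (passes_composition_rules, rejected_by_denylist)."""
    return meets_composition_rules(pw, **rules), is_common(pw)


if __name__ == "__main__":
    for candidate in ["Password", "password1", "Password1", "123456"]:
        ok, common = check(candidate, need_upper=False, need_digit=False)
        print(f"{candidate!r}: composition ok={ok}, common={common}")
```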
The top three I’d try, without knowing the requirements: