The 32 most popular passwords

Darth Wong
Registered User
Posts: 2401
Joined: Wed Jul 03, 2002 5:20 am
Location: Toronto, Canada
Name: Michael Wong

The 32 most popular passwords

Post by Darth Wong »

http://www.thestar.com/news/sciencetech ... get-hacked

From the article, based on 32 million passwords which were stolen from the Rockyou! website by a hacker, we can compile the 32 most popular passwords:
  1. 123456
  2. 12345
  3. 123456789
  4. password
  5. iloveyou
  6. princess
  7. rockyou (yes, the domain name of the website)
  8. 1234567
  9. 12345678
  10. abc123
  11. nicole
  12. daniel
  13. babygirl
  14. monkey
  15. jessica
  16. lovely
  17. michael
  18. ashley
  19. 654321
  20. qwerty
  21. iloveu
  22. michelle
  23. 111111
  24. 0
  25. tigger
  26. password1
  27. sunshine
  28. chocolate
  29. anthony
  30. angel
  31. FRIENDS (yes, all caps)
  32. soccer
Yes, people are really that stupid.
onehundredandtwo
Registered User
Posts: 1228
Joined: Fri Nov 14, 2008 8:07 am

Re: The 32 most popular passwords

Post by onehundredandtwo »

Actually, there was a similar article done on the passwords stolen in 2009. Most of the passwords that were cracked would have been easy-to-guess passwords and passwords used before phpBB.com converted to phpBB3.
http://www.darkreading.com/blog/archive ... sword.html
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: The 32 most popular passwords

Post by Techie-Micheal »

Websites need to start forcing people to use more complex passwords. It says a lot about a website if "0" is in the list of the top 32 passwords ...
Proven Offensive Security Expertise. OSCP - GXPN
Sam
Former Team Member
Posts: 2082
Joined: Thu Jan 22, 2009 3:59 am
Location: Sacramento, CA
Name: Sam Thompson

Re: The 32 most popular passwords

Post by Sam »

Techie-Micheal wrote:Websites need to start forcing people to use more complex passwords. It says a lot about a website if "0" is in the list of the top 32 passwords ...
I can't remember the last website I was on where you are allowed a password one character long.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: The 32 most popular passwords

Post by Techie-Micheal »

SyntaxError90 wrote:
Techie-Micheal wrote:Websites need to start forcing people to use more complex passwords. It says a lot about a website if "0" is in the list of the top 32 passwords ...
I can't remember the last website I was on where you are allowed a password one character long.
Well, apparently Rockyou! is one of those websites. :P And I've seen others that allow it as well, so they aren't alone in that mistake.
Proven Offensive Security Expertise. OSCP - GXPN
Brf
Support Team Member
Posts: 53609
Joined: Tue May 10, 2005 7:47 pm

Re: The 32 most popular passwords

Post by Brf »

In computer classes we always used

P@ssw0rd
Very secure.... Contains upper and lower case letters, a number, and punctuation.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: The 32 most popular passwords

Post by Techie-Micheal »

Brf wrote:In computer classes we always used

P@ssw0rd
Very secure.... Contains upper and lower case letters, a number, and punctuation.
Very secure, except that you just told us what it was. :P
Proven Offensive Security Expertise. OSCP - GXPN
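An added example, not part of any post in this thread: a sign-up check showing why the "upper, lower, number, punctuation" rule alone is not enough, using the top-32 list from the opening post as a blocklist. The minimum length, the character-swap table and the function names are assumptions made for illustration.

```python
import re

# The 32 passwords listed in the opening post of this thread.
TOP_32 = """123456 12345 123456789 password iloveyou princess rockyou 1234567
12345678 abc123 nicole daniel babygirl monkey jessica lovely michael ashley
654321 qwerty iloveu michelle 111111 0 tigger password1 sunshine chocolate
anthony angel FRIENDS soccer""".split()
EXACT = {p.lower() for p in TOP_32}
WORDS = {p.lower() for p in TOP_32 if p.isalpha()}

MIN_LENGTH = 8  # assumed site policy, not a value from the thread
# Assumed table of common character swaps to undo before the lookup.
SWAPS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                       "3": "e", "$": "s", "5": "s", "7": "t"})


def composition_ok(pw):
    """The 'upper, lower, number, punctuation' rule, plus a length floor."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    return len(pw) >= MIN_LENGTH and all(re.search(c, pw) for c in classes)


def normalize(pw):
    """Lowercase, drop trailing digits/punctuation, then undo the swaps."""
    return re.sub(r"[\W\d_]+$", "", pw.lower()).translate(SWAPS)


def rejection_reasons(pw):
    """Return why a candidate password should be refused (empty = accept)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if pw.lower() in EXACT:
        reasons.append("on the top-32 list")
    elif normalize(pw) in WORDS:
        reasons.append("variant of a top-32 password")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs; the last one is a made-up passphrase.
    for pw in ("0", "FRIENDS", "P@ssw0rd", "Sunshine2010!", "plum-Tractor-87-orbit"):
        print(f"{pw!r:26} composition_ok={composition_ok(pw)!s:5} "
              f"reasons={rejection_reasons(pw)}")
```

P@ssw0rd passes the composition rule but is refused as a variant of "password"; only the passphrase comes back with no reasons.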
Cpt. Blackbeard
Registered User
Posts: 443
Joined: Sat Oct 31, 2009 4:39 am
Location: USA

Re: The 32 most popular passwords

Post by Cpt. Blackbeard »

Hey, how did you get a copy of my password list? :D
Passwords will always be the weakest link. If you have a lot of them you either keep them simple, bad, or you write them down, bad. Either method is a security risk, the second just limits it to whoever finds your list.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: The 32 most popular passwords

Post by Techie-Micheal »

Cpt. Blackbeard wrote:Hey, how did you get a copy of my password list? :D
Passwords will always be the weakest link. If you have a lot of them you either keep them simple, bad, or you write them down, bad. Either method is a security risk, the second just limits it to whoever finds your list.
Or, you can have a scheme like some of us do to have memorable passwords and complex passwords. My stronger passwords are 16+ characters in length, but I can still remember them. They have upper and lowercase letters, numbers, and punctuation. Now, I'm not saying the way I do it is the best way, but it works, the passwords (well, the non-throwaway) are complex, long, and I don't have to worry about them. My point is, there is a third option. :)
Proven Offensive Security Expertise. OSCP - GXPN
Cpt. Blackbeard
Registered User
Posts: 443
Joined: Sat Oct 31, 2009 4:39 am
Location: USA

Re: The 32 most popular passwords

Post by Cpt. Blackbeard »

There's no way I could remember a large number of complex passwords, and most people have well over a dozen or two to keep track of.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: The 32 most popular passwords

Post by Techie-Micheal »

Cpt. Blackbeard wrote:There's no way I could remember a large number of complex passwords, and most people have well over a dozen or two to keep track of.
That's why you come up with a scheme to remember them. ;) Some people create passwords based off of the domain name and other things. I use other methods, and they work for me. They aren't the best, but they work.
Proven Offensive Security Expertise. OSCP - GXPN
Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean

Re: The 32 most popular passwords

Post by Erik Frèrejean »

Cpt. Blackbeard wrote:Hey, how did you get a copy of my password list? :D
Passwords will always be the weakest link. If you have a lot of them you either keep them simple, bad, or you write them down, bad. Either method is a security risk, the second just limits it to whoever finds your list.
Or you use a password manager which keeps track of all your passwords but encrypts them. That way you only need to memorize one strong password to unlock the manager. Of course it isn't bulletproof, but it allows me to use complex++ passwords (for things like online banking) and I don't have to remember them :P
Support Toolkit | Support Request Template | Knowledge Base | phpBB 3.0.x documentation
I don't give support via PM or IM! (all unsolicited pms will be trashed!)
god0fgod
Registered User
Posts: 227
Joined: Wed May 30, 2007 5:25 pm

Re: The 32 most popular passwords

Post by god0fgod »

I find myself clicking "Forgot password?" a bit. XD

I'm not going to reveal anything else for reasons that should be unknown.
Kim_Possible
Registered User
Posts: 1343
Joined: Sun Sep 21, 2008 3:57 pm

Re: The 32 most popular passwords

Post by Kim_Possible »

I personally use a password manager (KeePassX) as Erik Frèrejean described, but if I had to choose between:
Cpt. Blackbeard wrote: you either keep them simple, bad, or you write them down, bad.
I'd write them down. For me, "physical security" is probably much less of a risk than having my accounts compromised by someone guessing/brute forcing my weak but memorable passwords. This was probably not the case when I had roommates, lived in the dorm, etc.
A_Jelly_Doughnut
Former Team Member
Posts: 34459
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run

Re: The 32 most popular passwords

Post by A_Jelly_Doughnut »

Not only is there the concern of weak passwords that everyone knows like "qwerty" and "password", but there is also the set of weak passwords that are unique to you.

I'm sure it is a common experience for someone to see a Facebook or Twitter message that was not posted by the person who owns the account. Often something along the lines of
Richard Clarke loves men!
One of my friends whom this happened to is a Republican bodybuilder from California. Guess what his Facebook password was?

I think this is also evidenced with all the proper names on the top 32 list in the OP. Set your password to your (girl|boy)friend's first name.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish