Most Commonly Used Password List – Avoid It
Importance of Strong Passwords
Passwords are the keys to your online accounts. It is a pity that, despite understanding the need for strong passwords, most people still use weak ones.
Convenience and security are often at opposite ends of the spectrum when it comes to web applications. People choose convenience and avoid strong passwords because they do not want the hassle of remembering them. But we always give more importance to PC security than to convenience.
And if you want to have your cake and eat it too, you always have the option of using a good password manager like Roboform.
Most Commonly Used Password List – Is Your Password There on the List?
Recently the popular website Rockyou.com was hacked and the passwords of many of its users were stolen; the data landed on a few hackers' forums. Imperva has published an analysis of the data, and some of the findings are really interesting.
- About 30% of users chose passwords of six characters or fewer.
- Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”.
Here are the top 20 most commonly used passwords from the list.
How Such Lists of Most Commonly Used Passwords Help the Hackers
If a hacker used the top 5000 passwords from the list as a dictionary for a brute-force attack on Rockyou.com users, it would take only one attempt per account to guess 0.9% of users' passwords, a rate of one success per 111 attempts.
Assuming an attacker with a DSL connection with a 55KBPS upload rate, and that each attempt is 0.5KB in size, the attacker can make 110 attempts per second. At this rate, a hacker gains access to one new account every second, or needs just under 17 minutes to compromise 1000 accounts.
And the problem is exponential. After the first wave of attacks, it would take only 116 attempts per account to compromise 5% of accounts, 683 attempts to compromise 10%, and about 5000 attempts to compromise 20%.
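The following Python is an added example, not code from the article or from Imperva's report. It does two things a defender would want from the findings above: a password check that flags the three weakness categories Imperva reported (short length, a limited alphanumeric character set, and trivial patterns or an entry on a common-password list), and a throughput model that reproduces the article's 110 attempts per second and 17-minute figures and shows what a server-side rate limit does to them. The ten-entry blocklist is constructed for the example (only "123456" is named on the page; the real top-20 list is shown only as an image), and the `max_attempts_per_second` rate-limit parameter is an assumption added here, not something the article discusses.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a "most common passwords" blocklist. Only "123456"
# comes from the article; the other entries are illustrative, not the real top 20.
COMMON_PASSWORDS = {
    "123456", "password", "iloveyou", "abc123", "qwerty", "111111",
    "princess", "rockyou", "letmein", "monkey",
}

# US keyboard rows, used to detect "adjacent keyboard keys" passwords such as qwerty/asdfgh.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _is_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if pw is a run of adjacent keys on one keyboard row, in either direction."""
    low = pw.lower()
    if len(low) < min_len:
        return False
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def _is_digit_sequence(pw: str) -> bool:
    """True if pw is consecutive digits, ascending or descending ("123456", "654321")."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    diffs = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return diffs in ({1}, {-1})


def weaknesses(pw: str, blocklist=COMMON_PASSWORDS) -> list[str]:
    """Return the weakness categories from the Imperva findings that apply to pw.

    An empty list means none of the checks fired; it does not mean the password is strong.
    """
    found = []
    if pw.lower() in blocklist:
        found.append("on common-password list")
    if len(pw) <= 6:
        found.append("length <= 6")
    if pw.isascii() and pw.isalnum():          # letters and digits only, no symbols
        found.append("limited alphanumeric set")
    if _is_digit_sequence(pw) or _is_keyboard_walk(pw):
        found.append("trivial pattern")
    return found


@dataclass
class GuessingEstimate:
    attempts_per_second: float
    seconds_per_success: float
    seconds_to_n_accounts: float


def guessing_estimate(upload_kbps: float, attempt_kb: float, success_rate: float,
                      target_accounts: int,
                      max_attempts_per_second: Optional[float] = None) -> GuessingEstimate:
    """Throughput model from the article: attempts/s = upload rate / request size,
    successes/s = attempts/s * success rate (one success per 111 attempts = 0.9%).

    max_attempts_per_second is an assumed server-side cap (e.g. a login rate limit)
    that bounds the attacker's attempts regardless of bandwidth.
    """
    attempts = upload_kbps / attempt_kb
    if max_attempts_per_second is not None:
        attempts = min(attempts, max_attempts_per_second)
    successes_per_second = attempts * success_rate
    return GuessingEstimate(
        attempts_per_second=attempts,
        seconds_per_success=1 / successes_per_second,
        seconds_to_n_accounts=target_accounts / successes_per_second,
    )


if __name__ == "__main__":
    for candidate in ["123456", "asdfgh", "Tr0ub4dor&3xyzQ"]:
        print(f"{candidate!r}: {weaknesses(candidate) or 'no weakness flagged'}")
    # Article's numbers: 55KBPS upload, 0.5KB per attempt, 1 success per 111 attempts.
    unlimited = guessing_estimate(55, 0.5, 1 / 111, 1000)
    limited = guessing_estimate(55, 0.5, 1 / 111, 1000, max_attempts_per_second=1)
    print(f"no rate limit: {unlimited.attempts_per_second:.0f} attempts/s, "
          f"1000 accounts in {unlimited.seconds_to_n_accounts / 60:.1f} min")
    print(f"1 attempt/s cap: 1000 accounts in {limited.seconds_to_n_accounts / 3600:.1f} h")
```

The blocklist check is the part worth deploying: rejecting passwords that appear on a breach-derived list removes exactly the entries that give the attacker a 1-in-111 hit rate on the first attempt. The rate-limit parameter shows the other lever the site operator controls: with the same dictionary and success rate, capping a source at one attempt per second stretches the article's 17 minutes for 1000 accounts to about 31 hours.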
[Link to Complete Report (pdf)]