Ata Hakcil, a Turkish computer engineer and researcher, accessed 1 billion login credentials leaked online and analyzed 170 million of them to study password trends. The results are quite revealing, and may prompt many Internet users to pay more attention to how they choose passwords to protect their most sensitive information.
Among Hakcil’s “cool” stats revealed by his analysis:
- 1 Billion credentials boil down to 168,919,919 passwords and 393,386,953 usernames.
- The most common password is 123456. It covers roughly 0.722% of all the passwords used. This equates to about 7 million uses per billion, or one out of every 142 passwords found on the Internet, making it the weakest known password.
- The most common 1000 passwords cover 6.607% of all the passwords used.
- The most common 1 million passwords had a hit-rate of 36.28%, and among the most common 10 million passwords, the hit rate was 54%, meaning that any brute force test of those top 10 million passwords would have a better than 50/50 chance of succeeding.
- The average password length is 9.4822 characters.
- 12.04% of passwords contain special characters.
- 28.79% of passwords are letters only.
- 26.16% of passwords are lowercase only.
- 13.37% of passwords are numbers only.
- 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.
- 83% of the passwords are unique – they were only found once.
- Their average length was 9.7965 characters.
- Only 7.082% of these passwords contain special characters
- 20.02% of these passwords are letters only, and 15.02% are only lowercase.
- The average length of lowercase unique passwords was 9.3694 characters.
Since only 12% to 13% of passwords (1 in 8) contained any special character or number, it is a good practice to include them, especially at the beginning. Since the cyber criminals who might be attempting to brute force credentials also know this, they are unlikely to expend much effort on them. Instead, they will focus on the 29% of passwords that only use letters. So, when special characters and numbers are used, it greatly reduces the chances that the password will be successfully cracked.
The research also revealed that the average password length is far too short at just 9 characters. Cyber security experts recommend at least 16 characters, but preferably 24 or more, and that they not be reused across multiple systems and services.
To avoid falling into a predictable pattern when choosing passwords, use a random password generator. Also use a password manager like LastPass, which is essential for keeping track of the growing number of passwords we all use on a daily basis.
Continued Credential Leakage
The number of leaked credential collections continues to grow as more government agencies and corporations continue getting hacked and their databases exfiltrated. These databases are eventually made available online or distributed on hacking forums and file-sharing portals. Setting strong passwords is the easiest and most effective way to enforce data security and safeguard personal privacy.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.