Proper Passwords
Every now and then security researchers stumble over a database holding user data such as account names and passwords. Amazingly, every time such a database is analysed, the same passwords turn up.
This time Tõnu Samuel found such a database and counted the passwords. While he tried to spot differences between male and female password-choosing habits, for me the most interesting part is the overall view. The top ten passwords are:
| Password | Gender | Occurrences |
|---|---|---|
| 123456 | M | 17601 |
| password | M | 4545 |
| 12345 | M | 3480 |
| 1234 | M | 2911 |
| 123 | M | 2492 |
| 123456789 | M | 2225 |
| 123456 | F | 1885 |
| qwerty | M | 1883 |
| 12345678 | M | 1791 |
| <NAME-OF-PORTAL-WAS-HERE> | M | 1489 |
So the best guess for a user password is still 123456. This isn’t a coincidence – just take a look at the ‘Top 500 worst passwords of all time’.
When it comes to choosing a password, you should always keep such statistics in mind. Dictionary attacks are also quite common, and they try all the usual permutations: word combinations, backwards spelling, capital letters in every position, ‘leet’ substitution (31337) and appended numbers.
A good password doesn’t contain words that you can find in a dictionary. Try taking the first letters of the words of a sentence you can remember. Capitalise some of them and add special characters and numbers. An example: ‘My two Children are getting up at 7 a.m. in the morning.’ could result in ‘M2Cagua7amitm’. Special characters are still missing, but you get the point. This password is also long enough to make brute-force or rainbow-table attacks less likely to succeed.
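As an added example (not from the original article), here is a Python password-policy check in the spirit of the advice above: it rejects entries from a common-password list and dictionary words under the mutations the post names (appended numbers, backwards spelling, capitalisation, leet substitution, word combination) and accepts the mnemonic ‘M2Cagua7amitm’. The word lists and the 12-character minimum are constructed assumptions for the demo, not real policy values.

```python
import string

# Constructed sample lists for the demo; a real check would load full lists
# (e.g. the top-500 list the article mentions and a wordlist).
TOP_PASSWORDS = {"123456", "password", "12345", "1234", "123",
                 "123456789", "qwerty", "12345678"}
DICTIONARY = {"password", "secret", "dragon", "welcome", "monkey", "letmein"}

# Reverse the usual 'leet' substitutions so 'p@55w0rd' normalises to 'password'.
UNLEET = str.maketrans("@4301!$57", "aaeoiisst")
MIN_LENGTH = 12  # assumed policy minimum


def core_word(candidate: str) -> str:
    """Undo the mutations a dictionary attack tries: strip digits and symbols
    added at either end, lower-case, and reverse leet substitutions."""
    stripped = candidate.strip(string.digits + string.punctuation)
    return stripped.lower().translate(UNLEET)


def is_dictionary_based(candidate: str) -> bool:
    """True if the password is a dictionary word, a reversed word, or two
    words glued together, once common mutations are undone."""
    core = core_word(candidate)
    if not core:
        return False
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        return True
    # word combination: split at every position and look for two words
    return any(core[:i] in DICTIONARY and core[i:] in DICTIONARY
               for i in range(1, len(core)))


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if candidate.lower() in TOP_PASSWORDS:
        problems.append("in common-password list")
    if is_dictionary_based(candidate):
        problems.append("dictionary word with common mutations")
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    return problems


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd123", "drowssaP", "SecretDragon", "M2Cagua7amitm"]:
        print("%-16s %s" % (pw, check_password(pw) or "OK"))
```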
Dirk Knop
Technical Editor
