
And the most popular password is... (SURPRISE!)



Ric_NYC
January 23rd, 2010, 01:14 AM
It is “123456”, based on the analysis of 32 million breached passwords, obtained from last month’s RockYou.com server breach, from which researchers from Imperva were able to analyze the insecure practices used by millions of users when choosing their passwords.

What did their analysis conclude? Short passwords, lack of lower-capital-numeric characters mix, and trivial dictionary words, which every decent brute forcing/password recovery application can find out in a matter of minutes.

Key findings include:


In just 110 attempts, a hacker will typically gain access to one new account every second, or a mere 17 minutes to break into 1000 accounts
About 30% of users chose passwords whose length is equal or below six characters
Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters
Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”
The rest of the passwords rated by popularity:


http://img249.imageshack.us/img249/7158/impervapasswordspopular.jpg



More info:
http://blogs.zdnet.com/security/?p=5325&tag=wrapper;col1
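The four findings quoted above are all simple classifications run over a plaintext dump. The script below is an added example (not Imperva's tooling and not the RockYou data) that reproduces that style of analysis on a small constructed sample: length distribution, character-class mix, the "trivial" bucket (dictionary word or name, consecutive digits, keyboard walk), and the figure behind the "110 attempts" claim, i.e. what fraction of accounts fall to the top-N most common passwords. The wordlist and keyboard rows are tiny stand-ins for the lists a real analysis would load.

```python
import re
from collections import Counter

# Constructed sample standing in for a breached plaintext dump; it is NOT the
# RockYou data, just a mix of the kinds of strings the report describes.
SAMPLE = [
    "123456", "123456", "123456", "123456", "12345", "123456789", "password",
    "iloveyou", "princess", "rockyou", "1234567", "12345678", "abc123", "nicole",
    "daniel", "babygirl", "monkey", "lovely", "jessica", "654321", "qwerty",
    "asdfgh", "zxcvbn", "qwerty", "password", "111111", "sunshine", "Nicole88",
    "Tr0ub4dor&3", "correct horse battery staple", "xK9#mP2$vL", "Summer2009!",
]

# Tiny stand-in for the name/slang/dictionary lists a real analysis would load
# (a cracking wordlist with a few hundred thousand entries).
WORDLIST = {"password", "princess", "monkey", "lovely", "sunshine", "nicole",
            "daniel", "jessica", "iloveyou", "babygirl", "rockyou"}

# Keyboard rows plus the alphabet: a password that is a run along one of these
# (forwards or backwards) is a keyboard walk / sequence.
SEQUENCE_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")


def char_classes(pw):
    """Set of character classes used: 'lower', 'upper', 'digit', 'symbol'."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def is_consecutive_digits(pw):
    """All digits, and every step is +1, every step is -1, or all the same digit."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1}, {0})


def is_sequence(s):
    """Substring of a keyboard row or of the alphabet, in either direction."""
    s = s.lower()
    return len(s) >= 3 and any(s in row or s in row[::-1] for row in SEQUENCE_ROWS)


def is_trivial(pw):
    """The 'trivial' bucket: dictionary word or name (optionally with trailing
    digits, e.g. nicole88), consecutive digits, or adjacent keyboard keys."""
    stem = re.sub(r"\d+$", "", pw.lower())
    return is_consecutive_digits(pw) or is_sequence(stem) or stem in WORDLIST


def analyze(passwords, top_n=10):
    """Fraction of the list matching each finding, plus how many accounts an
    attacker opens by trying only the top_n most common passwords."""
    n = len(passwords)
    counts = Counter(passwords)
    covered = sum(c for _, c in counts.most_common(top_n))
    return {
        "most_common": counts.most_common(1)[0][0],
        "short_le6": sum(len(p) <= 6 for p in passwords) / n,
        "single_class": sum(len(char_classes(p)) == 1 for p in passwords) / n,
        "trivial": sum(is_trivial(p) for p in passwords) / n,
        "top_n_coverage": covered / n,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:>15}: {value if isinstance(value, str) else f'{value:.0%}'}")
```

The "top_n_coverage" number is the one that matters for an online attacker: nothing needs to be cracked, the attacker just tries the same ten strings against every account (password spraying), which is why a handful of attempts per account yields a new login every second at scale.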

Psumi
January 23rd, 2010, 01:22 AM
I'm glad I try to use special characters and non-english words in my passwords.

You'd better believe that most community systems allow underscores, dashes, etc. My mother used spaces herself, as well as case.

Frak
January 23rd, 2010, 01:23 AM
I like to mix it up and use 123456` sometimes, though I don't here.

kostkon
January 23rd, 2010, 01:24 AM
I like to mix it up and use 123456` sometimes, though I don't here.
Where? I want to know :P

P.S.: I'm juuust kidding... :P

Frak
January 23rd, 2010, 01:25 AM
Where? I want to know :P

P.S.: I'm juuust kidding... :P
And I was just about to tell you, too.

Ric_NYC
January 23rd, 2010, 01:26 AM
I like to mix it up and use 123456` sometimes, though I don't here.

I do the same... Sometimes I use 123456789. :D

squilookle
January 23rd, 2010, 01:27 AM
Worrying to know that a variation of one of my most used passwords is in there, although I add upper case and numbers at various points to harden it.

Macchi
January 23rd, 2010, 01:29 AM
I have been told that the short form "1234" is actually more user-friendly.

MadCow108
January 23rd, 2010, 01:29 AM
the hacked site is not really a site requiring a high security password, so the data is not very useful.

I too use crappy passwords for unimportant things. (no my password for this forum is not on the top 20 list ;) )
Only important sites, like banking/email etc., have (very) good passwords.

MaxIBoy
January 23rd, 2010, 01:31 AM
That's because of the obsolete notion of "passwords." Choose passphrases people! Even a simple sentence like "Thequickbrownfoxjumps" is incredibly secure.

CharlesA
January 23rd, 2010, 01:34 AM
I just use a password manager that randomly generates a 20 character alphanumeric password.

Does that count?

Frak
January 23rd, 2010, 02:16 AM
That's because of the obsolete notion of "passwords." Choose passphrases people! Even a simple sentence like "Thequickbrownfoxjumps" is incredibly secure.
I just ran a test on your "super secure" passphrase. I cracked it in less than 4 seconds.

Genius314
January 23rd, 2010, 02:19 AM
That's why you should mix capital and lowercase letters, symbols, and numbers into your password.
I don't, but I should. :P

MaxIBoy
January 23rd, 2010, 02:20 AM
I just ran a test on your "super secure" password. I cracked it in less than 4 seconds.
How did you test it? Hit your head on the wall three times and see if you still remember it?

robertcoulson
January 23rd, 2010, 02:26 AM
Frak....Go to www.grc.com/passwords.htm and tell me how secure these passwords are...??
Robert

Marlonsm
January 23rd, 2010, 02:29 AM
I wonder what would happen to the results if it also counted people who use their birth date as password.

Frak
January 23rd, 2010, 02:46 AM
How did you test it? Hit your head on the wall three times and see if you still remember it?
I have an Ajax password checker that checks passwords against my own custom engine that returns an estimated amount of time to finding an indicated password.

JackRock
January 23rd, 2010, 02:56 AM
That's amazing! I got the same combination on my luggage!

(Sorry, had to be said. For those of you who don't get the reference, you're lucky)

RiceMonster
January 23rd, 2010, 03:01 AM
I use hunter2 for my password

MaxIBoy
January 23rd, 2010, 03:07 AM
I have an Ajax password checker that checks passwords against my own custom engine that returns an estimated amount of time to finding an indicated password.

Does this include the overhead of requesting to login with each new password at the Web site in question?

Skripka
January 23rd, 2010, 03:13 AM
Dear GAWD people. How is it NO ONE has posted a linky to Youtube yet?????


http://www.youtube.com/watch?v=K95SXe3pZoY

Frak
January 23rd, 2010, 03:38 AM
Does this include the overhead of requesting to login with each new password at the Web site in question?
OK, add on an additional .1 or .2 seconds per request.

bpalone
January 23rd, 2010, 03:53 AM
I can't believe that no one has used this one yet: 012345

Just had to do it.:)

mamamia88
January 23rd, 2010, 04:14 AM
Is there a good random password generator on ubuntu?

Frak
January 23rd, 2010, 04:18 AM
Is there a good random password generator on ubuntu?
KeePassX
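KeePassX is the right answer for day-to-day use. For anyone who wants to see what "randomly generated" should mean underneath, here is an added example (not KeePassX code, not from the original thread) that generates a random string like CharlesA's 20-character alphanumeric one and a Diceware-style passphrase, using Python's `secrets` module (OS CSPRNG, no modulo bias) rather than `random`, and sizes both to a target entropy. The 32-word list is constructed for the example; a real generator would load a published list such as the EFF long list (7776 words, about 12.9 bits per word).

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols
WITH_SYMBOLS = ALPHANUMERIC + "!#$%&*+-=?@^_"         # 75 symbols most sign-up forms accept

# Constructed 32-word list (5 bits per word). Far too small for real use; it is
# here so the example runs offline and the arithmetic is easy to follow.
WORDS = (
    "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orbit", "pepper",
    "quartz", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "amber", "bishop", "cobalt", "desert", "ember", "fossil",
)


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly from alphabet_size choices."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Shortest length that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length=20, alphabet=ALPHANUMERIC):
    """Uniform random string from the OS CSPRNG. secrets.choice rejects
    out-of-range values instead of reducing modulo len(alphabet), so every
    symbol is equally likely; random.choice must not be used here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count=6, wordlist=WORDS, sep=" "):
    """Diceware-style passphrase: the memorable alternative to a random string."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def generate(min_bits=80):
    """Both forms sized so each carries at least min_bits of entropy."""
    pw_len = length_for_bits(min_bits, len(ALPHANUMERIC))
    words = length_for_bits(min_bits, len(WORDS))
    return {
        "password": random_password(pw_len),
        "password_bits": entropy_bits(pw_len, len(ALPHANUMERIC)),
        "passphrase": random_passphrase(words),
        "passphrase_bits": entropy_bits(words, len(WORDS)),
    }


if __name__ == "__main__":
    for key, value in generate(80).items():
        print(f"{key:>15}: {value}")
    print("EFF long list words for 80 bits:", length_for_bits(80, 7776))
```

Note the difference the list size makes: 80 bits needs 16 words from the 32-word list but only 7 from a 7776-word list, and 14 characters from the 62-symbol alphabet. The entropy figures only hold for passwords that really are generated this way; a human-chosen "passphrase" made of common words is a dictionary-attack target, which the discussion later in the thread goes into.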

MaxIBoy
January 23rd, 2010, 04:57 AM
OK, add on an additional .1 or .2 seconds per request.
Actually, I timed it at closer to .05 (Gmail's mighty servers,) but still. Given the huge number of requests it will take to brute force that password, your best case scenario is something like 208827064576 requests (assuming you knew 14 of the letters already and worst-case scenario for the other 8,) or about 331 years. More realistically it's going to be far longer. Plus if you generate that kind of density of wrong passwords, most websites will either throw a captcha at you or delay you for 5 minutes, or something like that.

With a dictionary based attack, your chances are better. According to this page:
http://www.paulnoll.com/Books/Clear-English/English-3000-common-words.html
"Fox" is somewhere between the 2600th and 2800th most commonly used English word, and I guess you could say it's the "hardest" word in the passphrase (most unusual.) "Quick" is between 1000 and 1200. "Brown" is between 800 and 1000. "Jump" is between 1200 and 1400. Ignoring "The" as a giveaway and ignoring capitalization, assuming best-case numbers within those ranges I gave, assuming a dictionary-based attack which statistically prefers the most common words, that is still some crazy huge number I don't even know how to calculate. A random guess is 1000*800*2600*1200 = 2496000000000, but that can't be right because the guesser doesn't know how long the password is, and it doesn't know how much of the password it has gotten correctly.


If you have a really nice computer (if I recall your previous posts, you have a dual quad-core Xeon setup available?) you could brute force that password locally with no network installed. But unless I am thinking about this seriously wrong (always a possibility,) even a large-ish botnet would likely be tied up for millennia brute-forcing that password on an actual website.

This would get noticed as a DDoS attack and/or ancient relic from bygone civilizations, far before that password was cracked.


Unless you know something I don't, which again is always possible.
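The two sides of this exchange are using different threat models, and the gap between them is the whole story. The script below is an added example, not MaxIBoy's or Frak's tool, that puts numbers on both: brute force and word-combinator guess counts for "Thequickbrownfoxjumps" (using the word ranks quoted above), divided by three rates: an online login form at 0.05 s per request, the same form with a per-account lockout, and an offline cracking rate. The 1e10 guesses/second offline figure is an assumption standing in for a fast unsalted hash on a GPU rig; for a site that stores passwords in the clear, as RockYou did, the offline "attack" costs nothing at all.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400


def brute_force_guesses(length, alphabet_size):
    """Worst-case guesses when the attacker knows the length and the alphabet."""
    return alphabet_size ** length


def combinator_guesses(word_ranks):
    """Worst case for an attacker who tries words in frequency order and already
    knows the phrase has exactly len(word_ranks) words: the product of ranks."""
    return math.prod(word_ranks)


def combinator_guesses_unknown_length(vocab_size, max_words):
    """Same attacker without the word count: every phrase of 1..max_words words
    from the vocabulary has to be tried in the worst case."""
    return sum(vocab_size ** k for k in range(1, max_words + 1))


def online_rate(request_seconds=0.05, lockout_after=None, lockout_seconds=0):
    """Effective guesses/second against a login form. Without a lockout it is one
    guess per round trip. A per-ACCOUNT lockout of lockout_seconds after
    lockout_after failures collapses it to lockout_after guesses per window.
    A per-IP limit does not give this: a farm that rotates IPs and drops its
    session on every request walks around it."""
    if lockout_after is None:
        return 1.0 / request_seconds
    window = lockout_after * request_seconds + lockout_seconds
    return lockout_after / window


def time_to_exhaust(guesses, guesses_per_second):
    """Seconds to try every candidate; on average the hit comes at about half this."""
    return guesses / guesses_per_second


def human(seconds):
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def report(phrase="Thequickbrownfoxjumps", word_ranks=(1000, 800, 2600, 1200)):
    """Time to exhaust each attack model for the phrase from the thread."""
    online = online_rate()                                   # 0.05 s/request, no lockout
    locked = online_rate(lockout_after=5, lockout_seconds=300)
    offline = 1e10   # ASSUMED: fast unsalted hash on a GPU rig
    scenarios = {
        "brute force, 8 unknown letters, online":    (brute_force_guesses(8, 26), online),
        "brute force, all letters, offline":         (brute_force_guesses(len(phrase), 26), offline),
        "combinator, known word count, online":      (combinator_guesses(word_ranks), online),
        "combinator, known word count, locked out":  (combinator_guesses(word_ranks), locked),
        "combinator, known word count, offline":     (combinator_guesses(word_ranks), offline),
        "combinator, 1-4 words of 3000 vocab, offline":
            (combinator_guesses_unknown_length(3000, 4), offline),
    }
    return {name: human(time_to_exhaust(g, r)) for name, (g, r) in scenarios.items()}


if __name__ == "__main__":
    for name, t in report().items():
        print(f"{name:<47} {t}")
```

The 26^8 = 208827064576 brute-force figure at 0.05 s per request reproduces the 331 years quoted above, and the combinator attack on the same phrase takes thousands of years online but minutes offline. Not knowing the word count costs the attacker roughly a factor of 3000 over the four-word case, not the "crazy huge number" one might expect, because the search is dominated by the longest length. So both posters are right about their own model: online, rate limiting and lockout dominate; once the password list (or an unsalted hash of it) leaks, common-word phrases fall fast, and only randomly generated material survives.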

k64
January 23rd, 2010, 04:59 AM
I suppose you could create a program that uses a range of passwords to scan for.

schauerlich
January 23rd, 2010, 05:01 AM
I suppose you could create a program that uses a range of passwords to scan for.

You should write one in C++

k64
January 23rd, 2010, 05:04 AM
You should write one in C++

Actually, look here:

https://launchpad.net/libenccrack

Frak
January 23rd, 2010, 05:10 AM
Actually, I timed it at closer to .05 (Gmail's mighty servers,) but still. Given the huge number of requests it will take to brute force that password, your best case scenario is something like 208827064576 requests (assuming you knew 14 of the letters already and worst-case scenario for the other 8,) or about 331 years. More realistically it's going to be far longer. Plus if you generate that kind of density of wrong passwords, most websites will either throw a captcha at you or delay you for 5 minutes, or something like that.

With a dictionary based attack, your chances are better. According to this page:
http://www.paulnoll.com/Books/Clear-English/English-3000-common-words.html
"Fox" is somewhere between the 2600th and 2800th most commonly used English word, and I guess you could say it's the "hardest" word in the passphrase (most unusual.) "Quick" is between 1000 and 1200. "Brown" is between 800 and 1000. "Jump" is between 1200 and 1400. Ignoring "The" as a giveaway and ignoring capitalization, assuming best-case numbers within those ranges I gave, assuming a dictionary-based attack which statistically prefers the most common words, that is still some crazy huge number I don't even know how to calculate. A random guess is 1000*800*2600*1200 = 2496000000000, but that can't be right because the guesser doesn't know how long the password is, and it doesn't know how much of the password it has gotten correctly.


If you have a really nice computer (if I recall your previous posts, you have a dual quad-core Xeon setup available?) you could brute force that password locally with no network installed. But unless I am thinking about this seriously wrong (always a possibility,) even a large-ish botnet would likely be tied up for millennia brute-forcing that password on an actual website.

This would get noticed as a DDoS attack and/or ancient relic from bygone civilizations, far before that password was cracked.


Unless you know something I don't, which again is always possible.
If I were doing this professionally, I would be using a farm of independent servers. That, and dropping cookies/sessions on each request + an IP change. This is what we did when we did penetration testing for our contracting corporation. Of course, going after the PHP interpreter was a MUCH faster alternative.

MaxIBoy
January 23rd, 2010, 05:18 AM
Fair enough. The passphrases I normally use are typically 40-50 characters, with capitalization, spaces, numbers, and punctuation. They're still easy to remember. Kind of a pain to type if you can't see it, but I love the look on someone's face if he's looking at my keyboard as I log into something! :D And usually if someone tried logging into one of my accounts 45,000,000 times an hour the past few days, I will be notified upon login and have plenty of warning to move all sensitive info somewhere safer. Or the website will go down. But of course the strongest password in the world won't stop someone with a path of lesser resistance.

In any case, the goal is to not make it impossible, but to make it not worth the trouble.

schauerlich
January 23rd, 2010, 05:35 AM
Actually, look here:

https://launchpad.net/libenccrack

That went better than I expected.

Frak
January 23rd, 2010, 05:37 AM
That went better than I expected.
And it didn't end in Kenny Rogers.

schauerlich
January 23rd, 2010, 05:39 AM
And it didn't end in Kenny Rogers.



#include <kenny.h>

int main(int argc, char *argv[]) {
    while (1) {
        croon();
    }

    return 0;
}

Frak
January 23rd, 2010, 05:43 AM
Dear Internet:

I was here, and Conan O'Brien told me to.