
New generation of Password Mass-Analysis (Password reuse study)


+warwagon    13,924

New generation of Password Mass-Analysis 

Quote

 

Curious about a statistic?

 

Please create an issue and explain what you want to learn, and if it's interesting I'll query the thing and add the result!

Cool Stats

 

From 1.000.000.000+ lines of dumps, 257.669.588 were filtered as either corrupt data (gibberish in improper format) or test accounts.

1 Billion credentials boil down to 168.919.919 passwords, and 393.386.953 usernames.

 

Most common password is 123456. It covers roughly 0.722% of all the passwords. (Around 7 million times per billion)

Most common 1000 passwords cover 6.607% of all the passwords.

 

With most common 1 million passwords, hit-rate is at 36.28%, and with most common 10 million passwords hit rate is at 54.00%.

 

Average password length is 9.4822 characters.

12.04% of passwords contain special characters.

28.79% of passwords are letters only.

26.16% of passwords are lowercase only.

13.37% of passwords are numbers only.

34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

 

Unique Passwords

 

8.83% of the passwords are unique - they were only found once.

Their average length was 9.7965 characters.

Surprisingly, just a fraction of these passwords are meaningless.

Only 7.082% of these passwords contain special characters; the rest match ^[a-zA-Z0-9]$

20.02% of these passwords are letters only, and 15.02% are lowercase only.

Average length for lowercase-unique passwords was 9.3694 characters.


https://github.com/FlameOfIgnis/Pwdb-Public

 

I thought this was really interesting. Just goes to show how horrible people are with passwords.

 

You can see that if the average password length is 9.7965 characters, hackers are not going to waste their time trying to brute force a password any longer than that, as this will get them into MOST passwords. While brute forcing, they can say, let's try all password combinations up to X number of characters, in this case 9-10.

 

If a hacker tried to brute force a password with a list of the top 10 Million passwords, his success rate of guessing the correct password would be 54%, or better than 50/50. That's crazy!

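The figures quoted above (hit-rate of the top-N list, special-character share, letters-only, digits-only, ends/starts-with-digit, seen-once passwords) recomputed over a small constructed dump, as an added example for auditing one's own credential store; this is not code from the Pwdb-Public project or from the poster, and the corrupt-line/test-account filter is an assumption about what such a pipeline does.

```python
import re
from collections import Counter

# Constructed sample dump, one "user:password" credential per line (not real data).
SAMPLE_DUMP = [
    "alice:123456", "bob:password", "carol:123456", "dave:Summer2019",
    "erin:qwerty", "frank:123456", "grace:P@ssw0rd!", "heidi:letmein",
    "ivan:111111", "judy:dragon",
    "test:test",                      # test account -> filtered
    "mallory:\x00\xff",               # non-printable bytes -> "corrupt data"
    "gibberish without a separator",  # improper format -> "corrupt data"
]

ALNUM_RE = re.compile(r"^[a-zA-Z0-9]+$")   # the README's "no special characters" class
LETTERS_RE = re.compile(r"^[a-zA-Z]+$")
LOWER_RE = re.compile(r"^[a-z]+$")
DIGITS_RE = re.compile(r"^[0-9]+$")

def load_passwords(lines):
    """Return (passwords, filtered_count). Assumed filter: drop malformed lines,
    non-printable passwords and accounts whose username starts with 'test'."""
    passwords, filtered = [], 0
    for line in lines:
        parts = line.split(":", 1)            # passwords may themselves contain ':'
        if len(parts) != 2 or not parts[0] or not parts[1] \
                or not parts[1].isprintable() or parts[0].lower().startswith("test"):
            filtered += 1
            continue
        passwords.append(parts[1])
    return passwords, filtered

def coverage(passwords, top_n):
    """Share of all password *occurrences* hit by the top_n most common values
    (the 'hit-rate' a top-N wordlist would achieve against this population)."""
    counts = Counter(passwords)
    return sum(c for _, c in counts.most_common(top_n)) / len(passwords)

def composition(passwords):
    """Composition shares as fractions of all occurrences, plus seen-once share."""
    n, counts = len(passwords), Counter(passwords)
    share = lambda pred: sum(1 for p in passwords if pred(p)) / n
    return {
        "avg_len": sum(map(len, passwords)) / n,
        "special": share(lambda p: not ALNUM_RE.match(p)),
        "letters_only": share(LETTERS_RE.match),
        "lowercase_only": share(LOWER_RE.match),
        "digits_only": share(DIGITS_RE.match),
        "ends_with_digit": share(lambda p: p[-1].isdigit()),
        "starts_with_digit": share(lambda p: p[0].isdigit()),
        "unique": sum(1 for c in counts.values() if c == 1) / n,
    }
```

Running `composition` and `coverage(passwords, 10_000_000)` over a real dump gives the same kind of table the README reports; the coverage figure is also the fraction of accounts a top-N blocklist in your password policy would have rejected.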
cork1958    1,999

Yes, interesting. I don't know a single person that has ever used 123456 as a password though. Would really have to be a moron to do that, IMO.

+warwagon    13,924
4 hours ago, cork1958 said:

 Would really have to be a moron to do that, IMO.

Would you really, though? You just don't have to give a crap about security and passwords or have much respect for either. It's why I've seen people have the absolute worst passwords for their ISP email, such passwords as "Internet". It's also embarrassing for an ISP to allow them to use such a terrible password.

