Ata Hakçıl, a Turkish student and independent researcher, has done a great job examining over a billion different usernames and passwords. The researcher found that every 142nd password is “123456”.
He assembled this huge dump for analysis from open sources: all of the data had at some point been leaked online after various information security incidents.
Such dumps have been accumulating online for well over a decade, and their number only grows as more companies are breached. Finding them is not difficult at all: such collections of credentials are available on GitHub and GitLab, and are freely distributed on hacker forums, through file-sharing services and so on.
It is also worth noting that large companies have long been collecting such dumps in order to warn their users. For example, Google, Microsoft and Apple use leaked logins and passwords to build their own warning systems, which alert people when they use a weak or already compromised password.
“In a huge collection he managed to find 168,919,919 unique passwords and, as it turned out, more than 7,000,000 of them are the password “123456” (every one hundred forty-second password),” writes Hakçıl.
Specialists have long warned that the sequence 123456 is the most used password in the world and has led by a wide margin for at least five years. Recall also that, according to researchers from Carnegie Mellon University, users seldom change their passwords even after data leaks.
The researcher also estimated the average password length at 9.48 characters, whereas information security experts usually recommend longer passwords (16 to 24 characters). Password complexity was also a problem: only 12% of all passwords contain at least one special character.
Worse, in the vast majority of cases users choose the simplest passwords: only letters (29%) or only numbers (13%). In practice this means that roughly 42% of all passwords are vulnerable to ordinary dictionary and brute-force attacks.
Other notable findings from Hakçıl's report:
- of the 1,000,000,000+ lines studied, 257,669,588 were filtered out as damaged;
- the billion credentials in fact contained only 168,919,919 unique passwords and 393,386,953 unique usernames;
- the most common password is “123456”, occurring in approximately 0.722% of cases;
- the 1,000 most common passwords account for approximately 6.607% of all passwords analysed;
- the average password length is 9.4822 characters;
- only 12.04% of passwords contain special characters;
- 8.79% of passwords contain only letters;
- 26.16% of passwords contain lowercase characters only;
- 13.37% of passwords contain only numbers;
- 34.41% of all passwords end with a number, but only 4.522% begin with one.
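The figures above are all simple aggregate statistics over a credential list, and the same kind of analysis is what the warning systems mentioned earlier rest on: a list of known-compromised passwords plus a classifier for the weak classes (digits only, letters only, too short). The following script is an added example, not the researcher's code or the report's tooling. The dump it parses is constructed here (no real credentials), and the `username:password` line format and the definition of a "damaged" line (missing separator or empty field) are assumptions about the input.

```python
"""Breach-dump credential statistics and a defender-side password check.

Added example: the sample dump is constructed, and the "user:password"
line format and damaged-line rule are assumptions about the input.
"""
from collections import Counter
import string

# Constructed sample dump: well-formed lines plus three damaged ones.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:password
carol@example.com:123456
dave@example.com:Summer2019!
erin@example.com:qwerty
frank@example.com:123456
grace@example.com:letmein
heidi@example.com:999999
ivan@example.com:admin
judy@example.com:2fast4u
this line is damaged
mallory@example.com:
:orphanpassword
"""

SPECIALS = set(string.punctuation)


def parse_dump(text):
    """Split the dump into (username, password) pairs.

    A line is counted as damaged (and dropped) when it has no ':' separator
    or when either side of the separator is empty. Returns (pairs, damaged).
    """
    pairs, damaged = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, sep, pw = line.partition(":")
        if not sep or not user or not pw:
            damaged += 1
            continue
        pairs.append((user, pw))
    return pairs, damaged


def password_stats(pairs):
    """Compute the headline figures reported in the article over the pairs."""
    pws = [pw for _, pw in pairs]
    n = len(pws)
    counts = Counter(pws)
    top_pw, top_n = counts.most_common(1)[0]

    def share(pred):
        # Percentage of passwords satisfying pred, rounded to 2 decimals.
        return round(100.0 * sum(1 for p in pws if pred(p)) / n, 2)

    return {
        "total": n,
        "unique_passwords": len(counts),
        "unique_usernames": len({u for u, _ in pairs}),
        "most_common": top_pw,
        "most_common_pct": round(100.0 * top_n / n, 3),
        "avg_length": round(sum(map(len, pws)) / n, 4),
        "special_pct": share(lambda p: any(c in SPECIALS for c in p)),
        "letters_only_pct": share(str.isalpha),
        # Read here as "every character is a lowercase letter".
        "lowercase_only_pct": share(lambda p: p.isalpha() and p.islower()),
        "digits_only_pct": share(str.isdigit),
        "ends_with_digit_pct": share(lambda p: p[-1].isdigit()),
        "starts_with_digit_pct": share(lambda p: p[0].isdigit()),
    }


def check_password(candidate, seen_passwords, min_length=16):
    """Return the reasons a candidate password should be rejected.

    Flags passwords present in breach data and the weak classes the report
    measures; min_length follows the 16-character lower bound quoted above.
    """
    reasons = []
    if candidate in seen_passwords:
        reasons.append("appears in breach data")
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if candidate.isdigit():
        reasons.append("digits only")
    elif candidate.isalpha():
        reasons.append("letters only")
    if not any(c in SPECIALS for c in candidate):
        reasons.append("no special character")
    return reasons


if __name__ == "__main__":
    pairs, damaged = parse_dump(SAMPLE_DUMP)
    print(f"damaged lines filtered out: {damaged}")
    for key, value in password_stats(pairs).items():
        print(f"{key:>22}: {value}")
    seen = {pw for _, pw in pairs}
    print("123456 ->", check_password("123456", seen))
    print("correct-horse-battery! ->", check_password("correct-horse-battery!", seen))
```

On the constructed dump the script drops the three damaged lines, reports "123456" as the most common password at 30% of entries, and rejects it on four counts, while a long passphrase containing a special character passes. The `share` helper is the only piece that needs to change to reproduce any of the report's other percentages, since each is just a predicate over the password string.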