Analysis of 500 million passwords shows what you should avoid


A dump of over 550 million username and password combinations is currently being sold on underground forums, and eager crooks are paying for the privilege to test them out against many online services.

Their hope is that some of these combinations will work and they will be able to hijack and misuse legitimate accounts. That hope is not in vain: it is a well known fact of life that too many users reuse the same login credentials for too many services.

Duo Security researchers have gotten their hands on this particular dump – named “Anti Public Combo List” – and have analyzed it.

What the analysis revealed

They found that the top ten list of most used passwords is quite similar to many previously compiled ones: “12345”, “123456789”, “abc123”, “password”, and “password1” head it.

Judging by the email domains contained in the email addresses (usernames) in the dump, it mostly consists of consumer email accounts, opened at Yahoo, Aol, Live.com, MSN, etc.

“By filtering for domains of the Fortune 1000 companies and manually removing domains that are used for consumer email (like yahoo.com and facebook.com), we found that only about 1 million (1.7%) of the accounts in the dump were from domains of large companies,” the researchers noted.

They also pointed users to Have I Been Pwned?, a service run by security researcher Troy Hunt, which lets them check whether any of their account credentials have been compromised in the last few years, and urged them to secure those accounts if they have.

Additional insight from the dumped passwords is as follows:

  • Most users like to stick to short passwords:

    [Chart: distribution of password lengths in the analyzed dump]

  • 70% of passwords had at least 1 number (probably due to password requirements)
  • Only 6% of passwords contain uppercase letters and only 4% contain symbols (again, password requirements probably play a role).
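The composition figures above are the kind of statistics a defender computes when auditing a leaked list or their own organisation's password reset history. The following is an added example, not code from the article or from Duo's analysis; it runs over a small constructed sample list (not data from the dump) and reports the same measures the article cites: length distribution, the share of passwords with digits, uppercase letters, symbols and spaces, and the most repeated entries.

```python
import string
from collections import Counter

# Constructed sample standing in for a leaked credential list. These are
# illustrative values only, not entries from the "Anti Public Combo List".
SAMPLE_PASSWORDS = [
    "123456", "password", "123456", "qwerty", "password",
    "abc123", "password1", "Summer2016", "P@ssw0rd",
    "correct horse battery staple", "dragon", "football1",
    "iloveyou", "monkey12", "Welcome1!", "sunshine", "password",
    "trustno1", "my dog is fast", "admin",
]


def password_stats(passwords):
    """Compute composition statistics of the kind the article reports.

    Returns a dict with the length distribution, the share (in percent) of
    passwords containing at least one digit, uppercase letter, symbol or
    space, the share with length <= 8, and the most frequently reused values.
    """
    n = len(passwords)
    if n == 0:
        raise ValueError("empty password list")

    lengths = Counter(len(p) for p in passwords)
    has_digit = sum(any(c.isdigit() for c in p) for p in passwords)
    has_upper = sum(any(c.isupper() for c in p) for p in passwords)
    # string.punctuation covers the ASCII symbols most policies count.
    has_symbol = sum(any(c in string.punctuation for c in p) for p in passwords)
    has_space = sum(" " in p for p in passwords)
    short = sum(len(p) <= 8 for p in passwords)

    def pct(k):
        return round(100.0 * k / n, 1)

    return {
        "count": n,
        "length_distribution": dict(sorted(lengths.items())),
        "pct_len_at_most_8": pct(short),
        "pct_with_digit": pct(has_digit),
        "pct_with_upper": pct(has_upper),
        "pct_with_symbol": pct(has_symbol),
        "pct_with_space": pct(has_space),
        "top_passwords": Counter(passwords).most_common(5),
    }


if __name__ == "__main__":
    for key, value in password_stats(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

On a real dump the list would be streamed from a file line by line rather than held in memory, but the measures are the same; the `top_passwords` entries are what a blocklist check (rejecting the most common values at password set time) should be fed.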

Some tips about choosing better passwords

“A surprisingly low result was for the space character, which is allowed by many systems, but was only present in 0.03% of passwords examined,” the researchers noted.

“This suggests that an attacker might be less likely to include space in their set of search characters, and users would be wise to keep in mind that spaces can often be valid password characters when choosing. One easy way to incorporate spaces is by using passphrases: entire phrases that you use as a password, assuming you don’t get stopped by draconian maximum lengths.”
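Whether a user can follow the passphrase advice depends on the service's own rules. As an added example (not from the article), the check below contrasts a legacy policy that caps length at 16 and forbids spaces with a passphrase-friendly policy, and also rejects the five most common passwords the article lists. The two policy settings are constructed assumptions, not values reported by Duo.

```python
import unicodedata

# The five most common passwords the article reports from the dump.
TOP_PASSWORDS = {"12345", "123456789", "abc123", "password", "password1"}

# Constructed policy settings (assumptions for illustration, not from the article).
# LEGACY_POLICY models the "draconian maximum length" and no-space rules that
# stop users from choosing passphrases; PASSPHRASE_POLICY removes both obstacles.
LEGACY_POLICY = {"min_len": 8, "max_len": 16, "allow_space": False}
PASSPHRASE_POLICY = {"min_len": 12, "max_len": 128, "allow_space": True}


def check_password(candidate, policy):
    """Return (accepted, reason) for a candidate password under a policy.

    Length is measured in code points after NFC normalisation so that a
    composed and a decomposed form of the same character count the same.
    """
    pw = unicodedata.normalize("NFC", candidate)
    if len(pw) < policy["min_len"]:
        return False, "too short"
    if len(pw) > policy["max_len"]:
        return False, "too long"
    if pw != pw.strip():
        # Leading/trailing whitespace is usually an input mistake, not intent.
        return False, "leading or trailing whitespace"
    if not policy["allow_space"] and " " in pw:
        return False, "spaces not allowed"
    if pw.lower() in TOP_PASSWORDS:
        return False, "in the common-password list"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Password1", "my dog is fast"):
        print(pw, check_password(pw, LEGACY_POLICY), check_password(pw, PASSPHRASE_POLICY))
```

The legacy policy turns away both example passphrases for reasons unrelated to strength, which is exactly the behaviour the researchers warn users may run into; the passphrase policy accepts them while still rejecting the dump's most common values.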

No matter how much we want to never again be forced to use passwords, the current reality is that we still have to.

So do yourself a favor and choose long, complex, unique ones for every account. Or, better yet, use a password manager, and let it choose them for you.