A Look At 1 Billion Passwords

If you’ve been following any of my monthly tech updates, you’ve noticed the huge spike in leaks of database credentials. It seems almost every month that at least a few thousand (or more) usernames and passwords are appearing on hacker forums for sale.

Often, the attackers release these databases for free once they have made their money selling them. Those free dumps have been put to good use: Mozilla's Firefox Monitor (built on Have I Been Pwned) and similar services alert users when their accounts show up in a breach.

Some additional good use has come out of these databases. One security researcher has analyzed more than a billion of these credentials, and noticed some interesting trends.

Password Trends

One big take-away from this is that most people have woefully inadequate passwords. Of the over 1 billion passwords, here are some of the discoveries:

  • Average password length is 9.48 characters.
  • The most common 1,000 passwords cover 6.6% (roughly 66 million) of all the passwords.
  • The most common 1 million passwords cover a staggering 36.28% of all the leaked passwords.
  • The most common password is “123456”. Yikes.
  • Almost 30% (28.79%) of all passwords are only letters.
  • And 26.16% of all passwords are lowercase letters only. Since that is nearly all of the 28.79% that are letters only, a letters-only password is all lowercase roughly nine times out of ten.
  • While 34% of the passwords end with digits, only 4.5% begin with digits.
  • Under 10% (8.8%) of the passwords were totally unique. The average length of these is still under 10 characters (9.79 characters).
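To make those numbers concrete, here is a small Python script, added as an example (it is not part of the original post or of the researcher's analysis), that computes the same kind of statistics over any password list. The twelve sample passwords are constructed for illustration, and the names `password_stats`, `top_k_coverage` and `load_dump` are chosen here; point `load_dump` at the password column of a real dump to reproduce the article's figures for yourself.

```python
from collections import Counter

# Constructed sample standing in for a leaked password dump. The real study
# covered about a billion passwords; these twelve are invented for illustration.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456",
    "password", "password",
    "ILoveYou",
    "Summer2019",
    "qwerty1",
    "2fast4u",
    "P@ssw0rd!",
    "correcthorsebatterystaple",
    "Tr0ub4dor&3",
]


def password_stats(passwords):
    """Compute the metrics the article quotes: average length, most common
    password, character-class composition, where digits sit, and the share
    of passwords that appear exactly once in the dump."""
    n = len(passwords)
    counts = Counter(passwords)

    def pct(k):
        return round(100.0 * k / n, 2)

    return {
        "count": n,
        "avg_length": round(sum(len(p) for p in passwords) / n, 2),
        "most_common": counts.most_common(1)[0][0],
        "letters_only_pct": pct(sum(p.isalpha() for p in passwords)),
        "lowercase_only_pct": pct(sum(p.isalpha() and p.islower() for p in passwords)),
        "ends_with_digit_pct": pct(sum(p[-1].isdigit() for p in passwords)),
        "starts_with_digit_pct": pct(sum(p[0].isdigit() for p in passwords)),
        "unique_pct": pct(sum(1 for c in counts.values() if c == 1)),
    }


def top_k_coverage(passwords, k):
    """Percentage of all entries covered by the k most common passwords,
    i.e. how far a tiny wordlist gets an attacker against this dump."""
    counts = Counter(passwords)
    covered = sum(c for _, c in counts.most_common(k))
    return round(100.0 * covered / len(passwords), 2)


def load_dump(path):
    """Read one password per line (e.g. the password column of a real dump),
    dropping empty lines so the first/last-character checks never see ''."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return [line.rstrip("\n") for line in f if line.strip()]


if __name__ == "__main__":
    for key, value in password_stats(SAMPLE_PASSWORDS).items():
        print(f"{key:>22}: {value}")
    for k in (1, 2):
        print(f"top {k} cover {top_k_coverage(SAMPLE_PASSWORDS, k)}% of entries")
```

On the constructed sample the single most common entry ("123456") already covers a quarter of the list, which is the same shape as the real data: a short head of popular passwords covering a large slice of the whole dump.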

What Does This Mean?

Well, the short version (like I’ve said many times before), is that you should be using a password manager (like LastPass) to generate and store random passwords for each online account you have.

You get security bonus points for using 2-Factor Authentication (2FA). But having a strong password means that 2FA becomes backup security rather than your primary protection.

But, there are a few other points that I think are worth mentioning:

  • Attackers who steal a hashed credential database do not "break" the hashes; they hash candidate passwords themselves and look for matching hashes. The candidates come from wordlists of previously leaked passwords (like the ones analyzed here) plus simple mangling rules: capitalize the first letter, append digits or a year, add a "!".
  • How many candidates they can try depends on the hash algorithm, the hardware, and whether the hashes are salted. Against an online login form, rate limiting holds an attacker to thousands of guesses. Against a stolen database of unsalted fast hashes, cracking is offline and automated, and millions to billions of guesses are routine.
  • This means that if your password is anywhere in the top million (or is a common word with a digit or year stapled on), you should expect it to be cracked.
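The following Python script is an added example of that offline attack; it is not code from the original post. The stolen database, the "top words" list and the mangling rules are all constructed and tiny, `sha256_hex`, `candidates`, `crack` and `generate_password` are names chosen here, and unsalted SHA-256 stands in for whatever fast hash a careless site used. The point it demonstrates is that three of the four accounts fall to fewer than 1,400 guesses, while the manager-generated password cannot be reached by a wordlist-plus-rules attack at all.

```python
import hashlib
import secrets
import string


def sha256_hex(password):
    """Unsalted SHA-256, standing in for whatever fast hash a site used.
    Sites should use bcrypt/scrypt/Argon2; unsalted fast hashes are the
    attacker's best case and are still common in real dumps."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "stolen" credential database (username -> password hash).
# dave's entry is a stand-in for a 20-character manager-generated password.
STOLEN_DB = {
    "alice": sha256_hex("123456"),
    "bob":   sha256_hex("Summer2019"),
    "carol": sha256_hex("Password!"),
    "dave":  sha256_hex("qK7#vP2m$Lw9xT4r@Zb1"),
}

# Constructed stand-in for the "top N" wordlist an attacker would start with.
TOP_WORDS = ["123456", "password", "qwerty", "summer", "iloveyou", "letmein"]

# A few mangling rules of the kind hashcat/John rule files encode: try the
# word as-is or capitalized, then with "!" or digits/years appended.
SUFFIXES = [""] + ["!"] + [str(n) for n in range(100)] + [str(y) for y in range(2000, 2025)]


def candidates(word):
    """Yield every password derived from one wordlist entry by the rules above."""
    for base in {word, word.capitalize()}:   # a set, so "123456" is not doubled
        for suffix in SUFFIXES:
            yield base + suffix


def crack(db, wordlist, hash_fn=sha256_hex):
    """Offline dictionary attack: hash each candidate once and look it up in a
    reverse index of the stolen hashes. Returns (cracked, guesses_made)."""
    by_hash = {}
    for user, digest in db.items():
        by_hash.setdefault(digest, []).append(user)   # users sharing a password share a hash
    cracked = {}
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            for user in by_hash.get(hash_fn(cand), []):
                cracked.setdefault(user, cand)
    return cracked, guesses


def generate_password(length=20):
    """What a password manager does: a uniformly random string from a large
    alphabet, which no wordlist-plus-rules attack will reach."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    found, n = crack(STOLEN_DB, TOP_WORDS)
    print(f"{n} guesses cracked {len(found)} of {len(STOLEN_DB)} accounts: {found}")
```

Note that "Summer2019" and "Password!" satisfy the usual "mixed case plus a digit or symbol" policy and still fall on the first pass, because they are a top word with a predictable rule applied. Salting would stop the reverse index from catching several users with one hash, and a slow hash would cut the guess rate by orders of magnitude, but neither helps a password that sits in the first few thousand candidates.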

If you want security but will not use a password manager (giving up the convenience), the data also suggests a set of rules for picking a stronger password by hand:

  • Make sure your password is over 10 characters long (15 is a good length to start).
  • Make sure your password contains uppercase and lowercase letters.
  • Make sure your password contains special characters and numbers.
  • Make sure your password starts with numbers rather than only ending with them: a third of leaked passwords end with digits and appending digits is one of the first rules a cracking tool tries, while only 4.5% begin with digits.
  • Make sure your password is unique to a single site/account.

If you follow all these rules, you’ll likely end up with a pretty secure password.

Undoubtedly, the most difficult rule to follow is the last one – making sure each account/site has a unique password that is long enough and different enough.

You’ve been warned!