{"id":112287,"date":"2022-04-20T11:58:00","date_gmt":"2022-04-20T16:58:00","guid":{"rendered":"https:\/\/wpengine.com\/?post_type=resource&#038;p=112287"},"modified":"2024-10-02T11:06:00","modified_gmt":"2024-10-02T16:06:00","slug":"passwords-unmasked-infographic","status":"publish","type":"resource","link":"https:\/\/wpengine.com\/case-studies\/resources\/passwords-unmasked-infographic\/","title":{"rendered":"Comprehensive Passwords List: Analysis &amp; Insights from 10 Million Entries"},"content":{"rendered":"\n<p>A lot is known about passwords. Most are short, simple, and pretty easy to crack. But much less is known about the psychological reasons a person chooses a specific password. Most experts recommend coming up with a strong password to avoid a data breach. But why do so many internet users still prefer weak passwords?<\/p>\n\n\n\n<p>We&#8217;ve analyzed the password choices of 10 million people, from CEOs to scientists, to find out what they reveal about the things we consider easy to remember and hard to guess.<\/p>\n\n\n\n<p><strong>Who is the first superhero that comes to mind? What about a number between one and 10? And finally, a vibrant color? Quickly think of each of those things if you haven\u2019t already, and then combine all three into a single phrase.<\/strong><\/p>\n\n\n\n<p>Now, it\u2019s time for us to guess it.<\/p>\n\n\n\n<p>Is it&nbsp;<em>Superman7red<\/em>? No, no:&nbsp;<em>Batman3Orange<\/em>? If we guessed any one of the individual answers correctly, it\u2019s because humans are predictable. And that\u2019s the problem with passwords. True, we gave ourselves the advantage of some sneakily chosen questions, but that\u2019s nothing compared to the industrial-scale sneakiness of purpose-built password-breaking software. 
HashCat, for instance, can take 300,000 guesses at your password a second (depending on how it\u2019s hashed), so even if you chose&nbsp;<em>Hawkeye6yellow<\/em>, your secret phrase would, sooner or later, not be secret anymore.<\/p>\n\n\n\n\n\n<p>Creating a robust passwords list can often be challenging as many individuals resort to simplistic combinations of words, numbers, and symbols. This is commonly due to our inclination towards using readily memorable patterns. Our exploration aims to delve deeper into this issue, offering insights on how one&#8217;s mind operates when constructing these (oftentimes not so unique) sequences. This understanding could potentially enhance our approach towards creating secure, yet memorable, entries for a passwords list.<\/p>\n\n\n\n<p>We began by choosing two data sets to analyze.\u200b<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Comprehensive Passwords List: Important Points to Consider<\/h2>\n\n\n\n<p>The first data set is a dump of 5 million credentials that first showed up in September 2014 on a Russian BitCoin forum.<sup>1<\/sup>&nbsp;They appeared to be Gmail accounts (and some Yandex.ru), but further inspection showed that, while most of the emails included were valid Gmail addresses, most of the plain-text passwords were either old Gmail ones (i.e. no longer active) or passwords that were not used with the associated Gmail addresses. Nevertheless, WordPress.com reset 100,000 accounts and said that a further 600,000 were potentially at risk.<sup>2<\/sup>&nbsp;The dump appears to be several years\u2019 worth of passwords that were collected from various places, by various means. For our academic purposes, however, this didn\u2019t matter. 
The passwords were still chosen by Gmail account holders, even if they weren\u2019t for their own Gmail accounts and given that 98 percent were no longer in use, we felt we could safely explore them.<sup>3<\/sup><\/p>\n\n\n\n<p>We used this data set, which we\u2019ll call the \u201cGmail dump,\u201d to answer demographic questions (especially those related to the genders and ages of password-choosers). We extracted these facts by searching the 5 million email addresses for any that contained first names and years of birth. For example, if an address was&nbsp;John.Smith1984@gmail.com, it was coded as a male born in 1984. This method of inference can be tricky. We won\u2019t bore you with too many technical details here, but by the end of the coding process, we had 485,000 of the 5 million Gmail addresses coded for gender and 220,000 coded for age. At this point, it\u2019s worth bearing in mind the question, \u201cDo users who include their first names and years of birth in their email addresses choose different passwords than those who don\u2019t?\u201d\u2014because it\u2019s theoretically possible they do. 
We\u2019ll discuss that more a bit later.<\/p>\n\n\n\n<p>For now, though, here\u2019s how the users we coded were divided by decade of birth and gender.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"804\" height=\"375\" src=\"https:\/\/wpengine.com\/wp-content\/uploads\/2020\/11\/breakdown-compromised-creds.png\" alt=\"Revealed: Innovative Password Ideas and Comprehensive Passwords List Derived from 10 Million Selections\" class=\"wp-image-112288\" srcset=\"https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/breakdown-compromised-creds.png 804w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/breakdown-compromised-creds-300x140.png 300w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/breakdown-compromised-creds-768x358.png 768w\" sizes=\"auto, (max-width: 804px) 100vw, 804px\" \/><\/figure>\n\n\n\n<p>The Gmail dump, or at least those people in it with first names and\/or years of birth in their addresses, was skewed toward men and people born in the \u201980s. This is probably because of the demographic profiles of the sites whose databases were compromised to form the dump. Searching for addresses in the dump that contained the + symbol (added by Gmail users to track what sites do with their email addresses), revealed that a large number of the credentials originated from File Dropper, eHarmony, an adult tube site, and Friendster.<\/p>\n\n\n\n<p>The second data set, and the one we\u2019ve used to gather most of our results, was generously released by security consultant Mark Burnett, through his site&nbsp;xato.net.<sup>4<\/sup>&nbsp;It consists of 10 million passwords, which were gathered from all corners of the web over a period of several years. Mark collected publicly dumped, leaked, and published lists from thousands of sources to build possibly one of the most comprehensive lists of real passwords ever. 
<\/p>\n\n\n\n<p>We won\u2019t spend too long giving you really basic facts about this data set (like all the averages). That\u2019s been done many times before. Instead, let\u2019s just look at the 50 most used passwords of the 10 million. Then we\u2019ll step into potentially more interesting territory.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"810\" height=\"373\" src=\"https:\/\/wpengine.com\/wp-content\/uploads\/2020\/11\/5-most-used-passwords.png\" alt=\"Top Password Ideas and Comprehensive Passwords List\" class=\"wp-image-112289\" srcset=\"https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/5-most-used-passwords.png 810w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/5-most-used-passwords-300x138.png 300w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/5-most-used-passwords-768x354.png 768w\" sizes=\"auto, (max-width: 810px) 100vw, 810px\" \/><\/figure>\n\n\n\n<p>As you can see, and probably already know, the most common passwords are all shining examples of things that straight away pop into someone\u2019s mind when a website prompts him or her to create a password. They are all extremely easy to remember and, by virtue of that fact, child\u2019s play to guess using a dictionary attack. When Mark Burnett analyzed 3.3 million passwords to determine the most common ones in 2014 (all of which are in his bigger list of 10 million), he found that 0.6 percent were&nbsp;<em>123456<\/em>. And using the top 10 passwords, a hacker could, on average, guess 16 out of 1,000 passwords.<\/p>\n\n\n\n<p>However, fewer people than in previous years are using the kinds of passwords seen above. Users are becoming slightly more conscious of what makes a password strong. For instance, adding a number or two at the end of a text phrase. 
That makes it better, right?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u201cI\u2019ll Add a Number to Make it More Secure.\u201d<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"639\" height=\"1024\" src=\"https:\/\/wpengine.com\/wp-content\/uploads\/2020\/11\/most-used-numbers-passwords-639x1024.png\" alt=\"Passwords List and Ideas. Great Password list.\" class=\"wp-image-112290\" srcset=\"https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/most-used-numbers-passwords-639x1024.png 639w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/most-used-numbers-passwords-187x300.png 187w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/most-used-numbers-passwords-768x1230.png 768w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/most-used-numbers-passwords.png 801w\" sizes=\"auto, (max-width: 639px) 100vw, 639px\" \/><\/figure>\n\n\n\n<p>Nearly half a million, or 420,000 (8.4 percent), of the 10 million passwords ended with a number between 0 and 99. And more than one in five people who added those numbers simply chose&nbsp;<em>1<\/em>. Perhaps they felt this was the easiest to remember. Or maybe they were prompted by the site to include a number with their base word choice. The other most common choices were&nbsp;<em>2, 3, 12<\/em>&nbsp;(presumably thought of as one-two, rather than 12),&nbsp;<em>7<\/em>, and so on. 
It\u2019s been noted that when you ask a person to think of a number between one and 10, most say seven or three (hence our guesses in the introduction), and people seem to have a bias toward thinking of prime numbers.<sup>6, 7<\/sup>&nbsp;This could be at play here, but it\u2019s also possible that single digits are chosen as alternatives to passwords people already use but want to use again without \u201ccompromising\u201d their credentials on other sites.<\/p>\n\n\n\n<p>It\u2019s a moot point, though, when you consider that a decent password cracker can very easily append a number, or several thousand, to its dictionary of words or brute-force approach. What a password\u2019s strength really comes down to is entropy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Evaluating Password Entropy<\/h2>\n\n\n\n<p>In simple terms, the more entropy a password has, the stronger it tends to be. Entropy increases with the length of the password and the variation of the characters that comprise it. However, while the variation in the characters used does affect its entropy score (and how hard it is to guess), the&nbsp;<em>length<\/em>&nbsp;of the password is more significant. 
This is because as the password gets longer, the number of ways its constituent parts can be shuffled into a new combination gets exponentially larger and, therefore, much harder to take wild guesses at.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"506\" height=\"426\" src=\"https:\/\/wpengine.com\/wp-content\/uploads\/2020\/11\/password-length-breakdown.png\" alt=\"Creative Password Ideas and Comprehensive Passwords List\" class=\"wp-image-112291\" srcset=\"https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/password-length-breakdown.png 506w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/password-length-breakdown-300x253.png 300w\" sizes=\"auto, (max-width: 506px) 100vw, 506px\" \/><\/figure>\n\n\n\n<p>The average length of a password from the Gmail dump was eight characters (e.g.&nbsp;<em>password<\/em>), and there was no significant difference between the average length of men\u2019s passwords compared to women\u2019s.<\/p>\n\n\n\n<p>What about entropy, which is a more accurate reflection of password strength than character length alone?<\/p>\n\n\n\n<p>The average entropy of a password from the Gmail dump was 21.6, which isn\u2019t a particularly easy thing to conceptualize. The chart on the left gives a clearer picture. Again, there was only a negligible difference between the men and women, but there were a lot more passwords with close to zero entropy than over 60.<\/p>\n\n\n\n<p>The example passwords vary by a character or two as the entropy ranges. 
Generally speaking, the entropy scales with length, and increasing the range of characters by including numbers, capitals, and symbols helps too.<\/p>\n\n\n\n<p>So how did we calculate entropy for all 5 million passwords from the Gmail dump?<\/p>\n\n\n\n<p>There are lots of ways to calculate password entropy, and some methods are more rudimentary (and less realistic) than others. The most basic assumes that a password can only be guessed by trying every single combination of its characters. A more intelligent approach, however, recognizes that humans\u2014as we\u2019ve seen\u2014are addicted to patterns, and therefore certain assumptions can be made about most of their passwords. And based on those assumptions, rules for attempting to guess their passwords can be established and used to significantly speed up the cracking process (by chunking combinations of characters into commonly used patterns). It\u2019s all very clever and we can take no credit for it. Instead, credit goes to Dan Wheeler, who created the entropy estimator we used. It\u2019s called Zxcvbn, and it can be seen and read about in detail&nbsp;<a href=\"https:\/\/blogs.dropbox.com\/tech\/2012\/04\/zxcvbn-realistic-password-strength-estimation\/\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<sup>8<\/sup><\/p>\n\n\n\n<p>In brief, it builds a \u201cknowledge\u201d of how people unknowingly include patterns in their passwords into its estimation of what a good password cracker would need to do to determine those patterns. For example,&nbsp;<em>password<\/em>, by a naive estimation, has an entropy of 37.6 bits. Zxcvbn, however, scores it zero (the lowest and worst entropy score) because it accounts for the fact that every word list used by password crackers contains the word&nbsp;<em>password<\/em>. 
It does a similar thing with other more common patterns, like leet speak (adding numb3rs to words to&nbsp;m@ke&nbsp;them seemingly less gue55able).<\/p>\n\n\n\n<p>It also scores other passwords, which at first glance look very random, as having zero entropy.&nbsp;<em>qaz2wsx<\/em>&nbsp;(the 30th most common password), for instance, looks pretty random, right? In fact, it\u2019s anything but. It\u2019s actually a keyboard pattern (an easily repeatable \u201cwalk\u201d from one key on a keyboard to the next). Zxcvbn itself is named after one such pattern.<\/p>\n\n\n\n<p>We pulled out the 20 most used keyboard patterns from the 10 million passwords data set. We chose to exclude patterns of numbers, like&nbsp;<em>123456<\/em>, because they\u2019re only sort of keyboard walks, and there are also so many of them at the top of the most used password list that there wouldn\u2019t have been space to see some of the more interesting ones if we had included them.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"656\" height=\"846\" src=\"https:\/\/wpengine.com\/wp-content\/uploads\/2020\/11\/commonkeyboardpatterns.gif\" alt=\"Best Passwords List and Ideas. Top Passwords list.\" class=\"wp-image-112292\" \/><\/figure>\n\n\n\n<p>Nineteen of the 20 keyboard patterns above look about as predictable as you might expect, except for the last one:&nbsp;<em>Adgjmptw<\/em>. Can you guess why that ranked among the most used patterns?<\/p>\n\n\n\n<p>You probably don\u2019t need to, as you\u2019ve almost certainly already looked below.<\/p>\n\n\n\n<p>Although we very much doubt we\u2019re the first to spot it, we\u2019ve not yet found any other reference to this keyboard pattern being among the most commonly used in passwords. 
Yet it ranks 20th above.<\/p>\n\n\n\n<p>In case you haven\u2019t realized, it\u2019s generated by pressing&nbsp;<em>2<\/em>&nbsp;through&nbsp;<em>9<\/em>&nbsp;on a smartphone\u2019s dial pad (the first letter of each corresponding to each letter of the key pattern in the password).<\/p>\n\n\n\n<p>We were initially confused about this pattern because most people don\u2019t type letters with a dial pad; they use the QWERTY layout. Then we remembered phones like Blackberries, which have a physical keyboard with numbers always in view on the keys.<\/p>\n\n\n\n<p>This pattern poses an interesting question: How will password selection change as more people create them on touch devices that make certain characters (like symbols and capitals) harder to select than when using a regular keyboard?<\/p>\n\n\n\n<p>Of course, keyboard patterns, especially those above, are no problem at all for any good password cracker.&nbsp;<a href=\"http:\/\/digi.ninja\/projects\/passpat.php\" target=\"_blank\" rel=\"noreferrer noopener\">Passpat<\/a>&nbsp;uses several keyboard layouts and a clever algorithm to measure the likelihood that a password is made from a keyboard pattern.<sup>9<\/sup>&nbsp;And other tools exist for generating millions of keyboard patterns, to compile and use them as a list, rather than wasting time trying to crack the same combinations by brute force.<sup>10<\/sup><\/p>\n\n\n\n<p>Most people don\u2019t use keyboard patterns though. 
They stick to the classic and frequently insecure method of choosing a random word.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"766\" height=\"1024\" src=\"https:\/\/wpengine.com\/wp-content\/uploads\/2020\/11\/common-words-passwords-766x1024.png\" alt=\"Top Password Ideas and Comprehensive Passwords List\" class=\"wp-image-112293\" srcset=\"https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/common-words-passwords-766x1024.png 766w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/common-words-passwords-224x300.png 224w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/common-words-passwords-768x1027.png 768w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/common-words-passwords.png 812w\" sizes=\"auto, (max-width: 766px) 100vw, 766px\" \/><\/figure>\n\n\n\n<p>Now you can see why we guessed&nbsp;<em>Batman<\/em>&nbsp;and&nbsp;<em>Superman<\/em>&nbsp;at the start of this article: they are the most used superhero names in the 10 million passwords data set. An important point about the above lists is that it\u2019s sometimes hard to know in what sense a person uses a word when they include it in their password. For example, in the colors list,&nbsp;<em>black<\/em>&nbsp;might sometimes refer to the last name&nbsp;<em>Black<\/em>; the same goes for other words with dual contexts. To minimize this issue when counting the frequencies of the above words, we approached each list separately. The colors, for example, were only counted when passwords started with the name of the color and ended with numbers or symbols. This way, we avoided counting&nbsp;<em>red<\/em>&nbsp;in&nbsp;<em>Alfred<\/em>&nbsp;and&nbsp;<em>blue<\/em>&nbsp;in&nbsp;<em>BluesBrothers<\/em>. 
Using this conservative approach will, of course, mean we missed many legitimate names of colors, but it seems better to know the above list only contains \u201cdefinites.\u201d<\/p>\n\n\n\n<p>Other lists had different rules. We didn\u2019t include cats and dogs in the animals list because cat appears in too many other words. Instead, we counted&nbsp;<em>cats<\/em>&nbsp;and&nbsp;<em>dogs<\/em>&nbsp;separately and found that they\u2019re used an almost identical number of times. However,&nbsp;<em>cats<\/em>&nbsp;is used a lot more in conjunction with&nbsp;<em>Wild-<\/em>&nbsp;and&nbsp;<em>Bob-<\/em>&nbsp;(sports teams) than&nbsp;<em>dogs<\/em>&nbsp;is used in other phrases. So we\u2019d say&nbsp;<em>dogs<\/em>&nbsp;probably wins.<\/p>\n\n\n\n<p>The most common nouns and verbs were only counted if they appeared in the top 1,000 nouns and top 1,000 verbs used in everyday English. Otherwise the lists would have been full of nouns like&nbsp;<em>password<\/em>&nbsp;and verbs like&nbsp;<em>love<\/em>.<\/p>\n\n\n\n<p>Not that&nbsp;<em>love<\/em>&nbsp;isn\u2019t an interesting word. It\u2019s actually used surprisingly often in passwords. 
We found it 40,000 separate times in the 10 million passwords and a lot in the 5 million Gmail credentials too.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"508\" height=\"292\" src=\"https:\/\/wpengine.com\/wp-content\/uploads\/2020\/11\/use-of-love-passwords-1.png\" alt=\"Creative Password Ideas and Comprehensive Passwords List\" class=\"wp-image-112295\" srcset=\"https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/use-of-love-passwords-1.png 508w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/use-of-love-passwords-1-300x172.png 300w\" sizes=\"auto, (max-width: 508px) 100vw, 508px\" \/><\/figure>\n\n\n\n<p>When we counted the frequency of&nbsp;<em>love<\/em>&nbsp;in the passwords of the people whose ages we inferred from their usernames, those born in the \u201980s and \u201990s used it slightly more often than older people.<\/p>\n\n\n\n<p>In the Gmail data, 1.4 percent of the women\u2019s passwords contained&nbsp;<em>love<\/em>, compared to 0.7 percent of men\u2019s. In other words, based on this data at least, women appear to use the word&nbsp;<em>love<\/em>&nbsp;in their passwords twice as often as men. This finding follows in the footsteps of other recent research on the word love in passwords. A team at the University of Ontario Institute of Technology reported that&nbsp;<em>ilove<\/em>[male name] was four times more common than&nbsp;<em>ilove<\/em>[female name];&nbsp;<em>iloveyou<\/em>&nbsp;was 10 times more common than&nbsp;<em>iloveme<\/em>; and &lt;3 was the second most common method of combining a symbol with a number.<sup>11<\/sup><\/p>\n\n\n\n<p>Now that we\u2019ve learned a bit about the most common words and numbers in passwords, the most used keyboard patterns, the concept of password entropy, and the relative futility of simple password obfuscation methods like leet speak, we can move onto our final port of call. 
It\u2019s the most personal and, potentially, the most interesting.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Creative Password Ideas for Secure Accounts<\/h2>\n\n\n\n<p>Mark Burnett notes on his website that password dumps are worryingly frequent.<sup>12<\/sup>&nbsp;Crawling fresh dumps is how he compiled the 10 million passwords data set, after all. The other events that seem to be hitting the headlines on an ever-more-frequent basis are high-profile hacks of celebrities and corporations. Jennifer Lawrence et al. and Sony immediately spring to mind. We were curious about how the Gmail data could potentially be used to determine which high-profile people were affected by this dump in particular. In other words, whose passwords were published? We did it by using Full Contact\u2019s&nbsp;Person API, which takes a list of email addresses and runs them through the APIs of several major social networking sites like Twitter, LinkedIn, and Google+. Then it provides new data points for any it finds, like age, gender, and occupation.<sup>13<\/sup><\/p>\n\n\n\n<p>We already knew a few fairly high-profile people were in the Gmail dump. For instance, Mashable noted a month after the list was released that one of its reporters was included (the password listed for him was his Gmail password, but several years old and no longer in use).<sup>14<\/sup>&nbsp;But we didn\u2019t think Full Contact would turn up so many more.<\/p>\n\n\n\n<p>Within the 78,000 matches we found, there were hundreds of very high-profile people. We\u2019ve selected about 40 of the most notable below. A few very important points:<\/p>\n\n\n\n<p>1. We\u2019ve deliberately not identified anyone by name.<\/p>\n\n\n\n<p>2. The company logos represent those organizations the individuals work for&nbsp;<em>now<\/em>&nbsp;and not necessarily when they were using the password listed for them.<\/p>\n\n\n\n<p>3. There\u2019s no way of knowing where the passwords were originally used. 
They may have been personal Gmail passwords, but it\u2019s more likely that they were used on other sites like File Dropper. It\u2019s therefore possible that many of the weak passwords are not representative of the passwords the individuals currently use at work, or anywhere else for that matter.<\/p>\n\n\n\n<p>4. Google confirmed that when the list was published, less than 2 percent (100,000) of the passwords might have worked with the Gmail addresses they were paired with. And all affected account holders were required to reset their passwords. In other words, the passwords below\u2014while still educational\u2014are no longer in use. Instead, they\u2019ve been replaced by other, hopefully more secure, combinations.<\/p>\n\n\n\n<p>If the passwords hadn\u2019t been reset, however, the situation would be more of a concern. Several studies have shown that a number of us use the same passwords for multiple services.<sup>15<\/sup>&nbsp;And given that the list below includes a few CEOs, many journalists, and someone very high up at the talent management company of Justin Bieber and Ariana Grande, this dump could have caused a lot of chaos. 
Thankfully it didn\u2019t, and now can\u2019t.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"273\" height=\"1024\" src=\"https:\/\/wpengine.com\/wp-content\/uploads\/2020\/11\/passwords-notable-people-273x1024.png\" alt=\"Revealed: Best Password Ideas and Comprehensive Passwords List for Optimal Security\" class=\"wp-image-112296\" srcset=\"https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/passwords-notable-people-273x1024.png 273w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/passwords-notable-people-80x300.png 80w, https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/11\/passwords-notable-people-409x1536.png 409w\" sizes=\"auto, (max-width: 273px) 100vw, 273px\" \/><\/figure>\n\n\n\n<p>The most noticeable thing about the passwords above is how many of them would be woefully easy to guess if an offline cracking process were used against them. The strongest of the bunch once belonged to a GitHub developer (<em>ns8vfpobzmx098bf4coj<\/em>) and, with an entropy of 96, it looks almost too random. It was probably created by a random password generator or password manager. The weakest belonged to a senior IBM manager (<em>123456<\/em>), which\u2014conversely\u2014seems so basic that it was surely used for a throwaway sign-up somewhere. Many of the others strike enough of a balance between complexity and simplicity to suggest that their owners cared about making them secure and wanted to safeguard the accounts they were chosen for.<\/p>\n\n\n\n<p>A couple of interesting standouts to finish: the Division Chief for the U.S. Department of State whose password (but not name) was&nbsp;<em>linco1n<\/em>&nbsp;(Lincoln) and the Huffington Post writer who followed in Mulder\u2019s footsteps (from the X-Files) and chose&nbsp;<em>trustno1<\/em>. 
And more generally, it\u2019s interesting to see just how many of the high-profile people we selected did exactly what so many of the rest of us do: combine our names, dates of birth, simple words, and a couple of numbers to make lousy passwords. We guess it makes sense though. Even President Obama recently admitted that he once used the password&nbsp;<em>1234567<\/em>. A password with a much higher entropy score would have been&nbsp;<em>PoTuS.1776<\/em>. Although, to a clever cracker, that might have been a little obvious.<\/p>\n\n\n\n<p>***<\/p>\n\n\n\n<p>So what about your own passwords? While reading this post you likely thought about yourself and wondered, \u201cCould somebody guess the password to my online banking, email, or blog?\u201d If you use one of the big email providers, like Gmail, you shouldn\u2019t have to worry too much about your password being guessed through a brute-force attack. Gmail cuts off illegitimate attempts almost immediately. Your online banking is likely similarly protected. If you have a blog, though, the situation is more complicated because\u2014in simple terms\u2014there are more potential ways for an attacker to find a way in, so each must be proactively secured to keep them out. The point is never to take password security for granted and to come up with an easy, but still hard to figure out, system for creating a secure password.<\/p>\n\n\n\n<p>The team at WP Engine spends a lot of time and continuous effort keeping our customers\u2019 WordPress sites secure. Our <a href=\"https:\/\/wpengine.com\/secure-wordpress-hosting\/\" target=\"_blank\" rel=\"noreferrer noopener\">secure hosting platform for WordPress<\/a> integrates into WordPress itself and protects our customers\u2019 sites against brute-force attacks on their passwords with intelligent, reactive software that constantly learns and adapts to threats and takes action. 
We also safeguard our customers from attacks that have nothing to do with password guessing, like sniffing login attempts and SQL injections. WP Engine provides <a href=\"https:\/\/wpengine.com\/managed-wordpress-hosting\/\" target=\"_blank\" rel=\"noreferrer noopener\">the best managed hosting platform for WordPress<\/a>, powering brands and the enterprise to reach global audiences with WordPress technology.<\/p>\n\n\n\n<p>Download our\u00a0<a href=\"https:\/\/wpengine.com\/resources\/enterprise-grade-wordpress-security-wp-engine\/\" target=\"_blank\" rel=\"noreferrer noopener\">WordPress security White Paper<\/a>\u00a0and learn about the 10 best practices for securing a WordPress deployment, including how to safely generate, store, and regularly change passwords, and check out WP Engine&#8217;s <a href=\"https:\/\/wpengine.com\/wordpress-hosting\/\" target=\"_blank\" rel=\"noreferrer noopener\">premium hosting<\/a> solutions to create the best possible digital experiences on the world&#8217;s favorite CMS.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>References<\/strong><\/h2>\n\n\n\n<p>1. http:\/\/www.dailydot.com\/crime\/google-gmail-5-million-passwords-leaked\/<\/p>\n\n\n\n<p>2. http:\/\/www.eweek.com\/blogs\/security-watch\/wordpress-resets-100000-passwords-after-google-account-leak.html<\/p>\n\n\n\n<p>3. https:\/\/xato.net\/passwords\/ten-million-passwords<\/p>\n\n\n\n<p>4. https:\/\/xato.net\/passwords\/ten-million-passwords-faq\/<\/p>\n\n\n\n<p>5. http:\/\/groups.csail.mit.edu\/uid\/deneme\/?p=628<\/p>\n\n\n\n<p>6. http:\/\/micro.magnet.fsu.edu\/creatures\/pages\/random.html<\/p>\n\n\n\n<p>7. http:\/\/www.dailymail.co.uk\/news\/article-2601281\/Why-lucky-7-really-magic-number.html<\/p>\n\n\n\n<p>8. https:\/\/blogs.dropbox.com\/tech\/2012\/04\/zxcvbn-realistic-password-strength-estimation\/<\/p>\n\n\n\n<p>9. http:\/\/digi.ninja\/projects\/passpat.php<\/p>\n\n\n\n<p>10. https:\/\/github.com\/Rich5\/Keyboard-Walk-Generators<\/p>\n\n\n\n<p>11. 
http:\/\/www.thestar.com\/news\/gta\/2015\/02\/13\/is-there-love-in-your-online-passwords.html<\/p>\n\n\n\n<p>12. https:\/\/xato.net\/passwords\/understanding-password-dumps<\/p>\n\n\n\n<p>13. https:\/\/www.fullcontact.com\/developer\/person-api\/<\/p>\n\n\n\n<p>14. http:\/\/mashable.com\/2014\/09\/10\/5-million-gmail-passwords-leak\/<\/p>\n\n\n\n<p>15. http:\/\/www.jbonneau.com\/doc\/DBCBW14-NDSS-tangled_web.pdf<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A lot is known about passwords. Most are short, simple, and pretty easy to crack. But Much less is known about the psychological reasons a person chooses a specific password. Most experts recommend coming up with a strong password to avoid data breach. But why do so many internet users still prefer weak passwords? We&#8217;ve<span class=\"tile__ellipses\">&hellip;<\/span><span class=\"tile__ellipses--animated\"><\/span><\/p>\n","protected":false},"author":1,"featured_media":146385,"template":"","resource-topic":[909],"resource-role":[895,903],"resource-type":[907],"class_list":["post-112287","resource","type-resource","status-publish","has-post-thumbnail","hentry"],"acf":[],"grid_image_url":"https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2022\/04\/password-grid.png","media-type":{"term_id":907,"name":"Infographic","slug":"infographic"},"role":"<strong>Roles:<\/strong> Agency, Marketer","topic":"<strong>Topics:<\/strong> Security","_links":{"self":[{"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/resource\/112287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/types\/resource"}],"author":[{"embeddable":true,"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/users\/1"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/media\/146385"}],"wp:attachment":[{"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/media?parent=112287"}],"wp:term":[{"taxonomy":"resource-topic","embeddable":true,"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/resource-topic?post=112287"},{"taxonomy":"resource-role","embeddable":true,"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/resource-role?post=112287"},{"taxonomy":"resource-type","embeddable":true,"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/resource-type?post=112287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}