Thousands of gamers’ passwords easily cracked in 3 minutes

SplashData's worst passwords list is irrelevant for the most part; the real lesson is what makes the passwords so bad in the first place

Every year SplashData releases a list of the world's worst passwords, and for the last five years that list hasn't changed much. While the list is an amusing look at password blunders, the real lessons are in how and why those passwords exist in the first place.

Salted Hash has collected some raw data in order to help clarify some of these lessons.

After cracking a list of passwords leaked to the Darknet in 2015, two observations were immediately clear: people have taken classic password creation advice to heart, but no one has taught them that technology has rendered it obsolete.

The other lesson is that humans are really bad at doing random. It isn't in us to create a random password that someone with a dictionary and a set of rules can't crack.

The world's worst passwords

The following table contains the world's worst passwords (Top 25) according to SplashData

123456        password      12345678      qwerty        12345
123456789     football      1234          1234567       baseball
welcome       1234567890    abc123        111111        1qaz2wsx
dragon        master        monkey        letmein       login
princess      qwertyuiop    solo          passw0rd      starwars


It's true, each one of the passwords in the table above is a comical example of password-based security. And yet, if altered slightly, some of them will pass many of the corporate password policies that are used worldwide.

Such policies might seem familiar: Passwords should be X characters in length (usually 5-8, sometimes longer), using a mix of both uppercase and lowercase letters, digits, and special characters.

Such policies are designed to protect corporate assets and users, but they're easily predicted by password cracking software and skilled attackers. Moreover, these policies are the same ones people use outside of the office to create their own passwords, and again, they're vulnerable to the same set of flaws.

Enter MMO Kings

In late 2015, someone compromised the MMO Kings database and leaked it. The leaked data included unsalted MD5 password hashes, which (next to clear text) is the worst possible way to store passwords in a database.

For those who don't know, MMO Kings is a website that allows gamers (such as those on World of Warcraft) to purchase gold or other in-game currencies for actual cash, but it also offers power leveling services.

Salted Hash took the leaked hashes and spent a small amount of time cracking them using Hashcat on Kali Linux. After the passwords were cracked, we ran some stat analysis using Pipal (created by Robin Wood) and Passpal by T. Alexander Lystad.

Collection:

In all, the leaked hash list included 89,872 accounts. After removing 22,324 duplicate hashes, we were left with a list of 67,547 to crack.

As a testament to the weakness of common passwords, such as those highlighted by SplashData, and the weakness of non-random password generation – it took less than three minutes to crack 74-percent of the hashes.

In under an hour, we had cracked 54,473 hashes, or about 80-percent of the list.

A second cleanup was performed, which removed a single blank password, as well as 556 duplicate passwords. It's worth noting that within the removed set, there were 20 accounts that used an email address as a password – something you should never do.

This left us with a list of 53,917 passwords to examine.

Note: The passwords were cracked with Hashcat. The process included a single NVIDIA GeForce GTX 970 GPU, the RockYou.com wordlist (which includes the SplashData set from the last five years), and various rules that ran against the wordlist. In all, we gave the hash list ten passes before we felt we had enough data to work with.

The stats:

Of the passwords recovered from the hash list, 76-percent of them contained 1-8 characters, thus, only 24-percent of them were more than 8 characters in length.

As a side note, there were 11,593 passwords recovered that used a maximum of 6 characters.

Passwords this small can be easily recovered with modern tools and hardware, suggesting that the accounts were either non-essential to the user, or they picked something personal and easy to remember.

Given that most of the passwords recovered included dates, months, or days of the week, the personal nature of these smaller passwords is almost a sure bet.

Yet, the standout metric in the recovered password list is the base words. These are the words used to create the final password when stripped of variation and additions.

Compare the table below to the SplashData list and look at the common elements.

password    dragon      blue        qwerty      shadow
mike        alex        monkey      killer      soccer
andrew      michael     john        pass        gold
chris       hello       silver      death       master


The most common characters in the recovered passwords are:


a e 1 o r n 2 i s l

The most common symbols:*

! @ - . * # _ ? )

*Please note that a blank space is included on this list, fourth spot from the right
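The two points above, that a lightly altered worst-list password still satisfies the classic corporate policy and that stripping variation exposes the base word, can both be checked with a small Pipal-style analysis. This is an added example, not code from Salted Hash, Pipal or Passpal; the password sample is constructed and the leet mapping is an assumption.

```python
import re
from collections import Counter

# Constructed sample of cracked passwords standing in for the article's
# 53,917-entry list (none of these values come from the leak itself).
SAMPLE_PASSWORDS = [
    "password", "password1", "Passw0rd!", "dragon", "dragon88",
    "qwerty", "qwerty1", "monkey", "monkey2012", "abc123",
    "shadow", "shadow!", "master", "letmein", "123456",
    "soccer10", "killer", "blue", "blue2015", "michael",
]
# Assumed leet substitutions undone when recovering the base word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def meets_legacy_policy(password, min_len=8):
    """The classic corporate rule: minimum length plus upper, lower, digit
    and symbol. 'Passw0rd!' passes it although its base word is 'password'."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(password) >= min_len and all(re.search(c, password) for c in classes)

def base_word(password):
    """Strip leading/trailing digits and symbols, undo leet, then drop any
    remaining non-letters. Returns None for all-digit/symbol passwords."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    core = re.sub(r"[^a-z]", "", core.translate(LEET).lower())
    return core or None

def length_buckets(passwords, cutoff=8):
    """Counts of passwords with 1..cutoff characters versus longer ones,
    the split the article reports as 76 / 24 percent."""
    short = sum(1 for p in passwords if 1 <= len(p) <= cutoff)
    return {"short": short, "long": len(passwords) - short}

def top_base_words(passwords, n=5):
    """Most common base words, the metric the article calls the standout."""
    return Counter(filter(None, map(base_word, passwords))).most_common(n)

def char_frequencies(passwords):
    """Most common characters, split into alphanumerics and symbols as in the
    article's two tables; a blank space lands in the symbol table."""
    alnum, symbols = Counter(), Counter()
    for p in passwords:
        for ch in p:
            (alnum if ch.isalnum() else symbols)[ch] += 1
    return alnum.most_common(10), symbols.most_common(10)
```

Run against a real cracked list, the base-word and length tables are what a defender should compare with the policy text, since the policy is satisfied by exactly the constructions that crack first.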

The base word list and the common character stats prove that people are still using the password creation rules of old. So the problem isn't the weak passwords as highlighted by SplashData, it's the construction methodologies and policies that govern them.

Passwords with a minimum of eight characters, uppercase and lowercase letters, numbers, and symbols were solid rules to live by ten years or so ago. But that was then; these days those rules are obsolete when stacked against modern technology.

Again, in 45 minutes we cracked 80-percent of the list using basic words and common cracking rules; that's far from a professional job.

However, every day professionals crack passwords the world over during Red Team engagements with the same set of tools, because nothing stronger is needed. That's a problem.


Building a better password:

Passwords aren't going anywhere anytime soon. There has been some serious progress made in the authentication market over the last few years, and perhaps eventually passwords will go away altogether. But until that happens, passwords are what we have.

When it comes to developing a password policy for your organization or for yourself, the key thing to remember is this: perfection isn't going to happen. Let it go. You'll never develop a perfect, impossible to crack password. It's not going to happen.

Humans cannot do random, and m@k1ng Y0ur P@55w0rd l00k 1ik3 th15 isn't going to help1234.

Eventually, given enough time and resources, someone or something can crack your password. The key is to make that process expensive in both time and effort.

As far as application development and password protection is concerned, organizations would be wise to follow OWASP advice [details here], including no limits on character sets and long max lengths (up to 160 characters) for passwords.

In addition, passwords should be salted and use an adaptive one-way function, such as PBKDF2, scrypt, or bcrypt.
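To make the storage point concrete, here is an added example (not code from the article or from MMO Kings) contrasting the unsalted MD5 the leak used with salted PBKDF2 from Python's standard library. The sample accounts are constructed; note how the unsalted scheme reveals password reuse straight from the dump, which is exactly what let the article dedupe 22,324 hashes before cracking.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two of them reuse the same password.
SAMPLE_ACCOUNTS = {"alice": "dragon88", "bob": "dragon88", "carol": "letmein"}

def md5_unsalted(password):
    """How the leaked database stored passwords: one fixed hash per password,
    so identical passwords give identical hashes and one crack unlocks all of them."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_salted(password, salt=None, iterations=600_000):
    """Salted, adaptive storage: a random per-user salt plus an iteration count
    that makes every guess deliberately slow. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_pbkdf2(password, salt, stored_digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = pbkdf2_salted(password, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)

def duplicate_hash_count(accounts, hasher):
    """Number of accounts whose stored hash collides with another account's.
    Unsalted MD5 exposes password reuse directly; per-user salts hide it even
    when the underlying passwords are identical."""
    hashes = [hasher(pw) for pw in accounts.values()]
    return len(hashes) - len(set(hashes))
```

bcrypt and scrypt are equally good choices; the property that matters is a per-user salt plus a tunable work factor, which MD5 has neither of.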

For the rest of us, the easiest path would be to use a password manager.

There are several out there, including KeePass, 1Password, Dashlane, and LastPass. Recently, LastPass had some security problems, but to be fair they did address them quickly once the issue was brought to their attention.

(Note: I have never used Dashlane, but I have had it recommended to me. They have a free offering as well as a paid version.)

Why a password manager?

The rule has been drilled into the public for years – you need a long, randomly generated password for each website you have an account on. However, remembering all of those passwords is near impossible, so instead people pick a single password – one they assume is secure – and use it everywhere.

That's where the problem starts. Using the same password across multiple websites, or a variation of the same password, never works. The moment one account is compromised, all others are placed at risk.

Password managers remove the requirement to remember those long strings of random characters. They even remove the problems with randomness during the creation step, because they'll create a proper random password for you.

Now, all anyone has to do is remember the single master password that makes all the other passwords available for use.

Generating a solid master password:

One fantastic way to generate a solid master password is to use Diceware.

In 1995, Arnold Reinhold developed Diceware as a means to help people create strong and memorable PGP passwords.

You start with a wordlist (this one to be exact) and then roll five (5) six-sided dice. Each roll will correspond to a word in the list. The goal is to get at least six words, but eight is best (for now). Anything less is risky.
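The roll-to-word procedure and the arithmetic behind the six-versus-eight-word advice, as an added example that is not code from the article or from Reinhold's Diceware materials. The word list here is a constructed stand-in with only a handful of the 7,776 entries filled in; the real list has a word for every roll from 11111 to 66666.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD        # 7,776 possible five-dice rolls
BITS_PER_WORD = math.log2(LIST_SIZE)  # about 12.9 bits of entropy per word

# Constructed stand-in for the real Diceware list (only a few rolls present).
SAMPLE_WORDLIST = {
    "11111": "a", "23456": "droop", "34512": "husky", "45123": "nomad",
    "56234": "sage", "61234": "tally", "66666": "@",
}

def roll_key(rng=secrets.randbelow):
    """Roll five six-sided dice and join the faces into a lookup key.
    Defaults to the CSPRNG in `secrets`; a scripted rng can be injected."""
    return "".join(str(rng(6) + 1) for _ in range(DICE_PER_WORD))

def diceware_passphrase(words, wordlist=SAMPLE_WORDLIST, rng=secrets.randbelow):
    """One word per five-dice roll. With the complete list every roll hits;
    with the sample list a miss is reported inline rather than hidden."""
    return " ".join(wordlist.get(k := roll_key(rng), f"<{k} not in sample list>")
                    for _ in range(words))

def entropy_bits(words, list_size=LIST_SIZE):
    """Entropy of a passphrase chosen uniformly from list_size**words options."""
    return words * math.log2(list_size)

def words_needed(target_bits, list_size=LIST_SIZE):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    print(diceware_passphrase(6))
    print(f"6 words: {entropy_bits(6):.1f} bits, 8 words: {entropy_bits(8):.1f} bits")
```

Six words give roughly 77.5 bits and eight roughly 103.4 bits, which is why the article treats fewer than six as risky.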

There's a whole science behind Diceware, and it's a great way to develop something both memorable and secure, which has no real connection to you personally. If you wanted to support a small business, a sixth grader in New York City will develop a Diceware password for you, the cost is $4 per password.

Once you have a Diceware password generated, it isn't going to take too much effort to remember it. Another reason why it makes for a solid master password is the overall length and the randomness in which it was created.

If you don't want to use a Diceware password, and you'd prefer to create your own, the SANS guidelines are a solid starting point.

The best bet these days is to use a password manager and to generate a random, lengthy password for each website you've got an account on. From there, use a master password that is long, such as a phrase that, if ever spoken aloud, would make absolutely no sense to anyone around you. That's where Diceware comes into play.

Pop Quiz:

For the password crackers out there, here's a test of sorts.

The following is an MD5 of a generated Diceware password. No salt, nothing special. Can you crack it? If so, how long did it take? Email me with your guesses. The first person with the correct answer gets a mention in a future post, as well as $50 to the charity of their choice.

9a5a3103c6d5966f62f8f5be64c6e5f0
