Turkish student and independent researcher Ata Hakçıl has done a great job, having studied over a billion different logins and passwords. He assembled this huge dump for analysis from open sources: all of this data had at some point "leaked" onto the network as a result of various information security incidents.
Such dumps have been accumulating on the network for more than a decade, and their number only grows as new companies are breached. Finding them is not difficult at all: such collections of credentials are available on GitHub and GitLab, and are freely distributed on hacker forums, through file-sharing services and so on. It is also worth noting that large companies have long collected such dumps in order to warn their users of the danger. For example, Google, Microsoft and Apple use leaked logins and passwords to build their own warning systems that inform people when they use a weak or already compromised password.
Hakçıl writes that in this huge collection he found 168,919,919 unique passwords and, as it turned out, more than 7,000,000 of the roughly one billion credentials use the password "123456" (roughly one password in every 140). Let me remind you that specialists have long been saying that the sequence 123456 is the most used password in the world and has been leading by a wide margin for at least five years.
The researcher also estimated the average password length at 9.48 characters, whereas information security experts usually recommend longer passwords (16 to 24 characters). Password complexity was also a problem, since only 12% of all passwords contain at least one special character.
Worse, in a large share of cases users choose the simplest possible passwords: letters only (29%) or digits only (13%). In practice this means that approximately 42% of all passwords are drawn from a single character class, which shrinks the keyspace an attacker has to search and leaves them vulnerable to commonplace dictionary attacks and brute force.
Other interesting findings from Hakçıl's report:
- of the 1,000,000,000+ lines studied, 257,669,588 were filtered out as corrupt or test data;
- in fact, the billion or so credentials contained only 168,919,919 unique passwords and 393,386,953 unique usernames;
- the most common password is "123456"; it occurs in approximately 0.722% of cases;
- the 1,000 most common passwords together account for approximately 6.607% of all passwords studied;
- the average password length is 9.4822 characters;
- only 12.04% of passwords contain special characters;
- 28.79% of passwords contain only letters (the 29% figure above);
- 26.16% of passwords contain lowercase letters only;
- 13.37% of passwords contain only digits;
- 34.41% of all passwords end in a digit, but only 4.522% begin with one.
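To make the classification behind these numbers concrete, here is an added example that is not code from the original article or from Hakçıl's own analysis. It parses a small constructed sample dump (not real leaked data), drops corrupt and test lines the way the report's filter step does, computes the same headline statistics (unique passwords and usernames, average length, most-common coverage, character-class shares, leading and trailing digits), and estimates the brute-force keyspace of each character-class mix to show why single-class passwords are the cheap ones. The sample lines, the filter rule, the top-N of 3 (instead of 1,000, because the sample is tiny) and the definition of "lowercase only" are assumptions made for the example.

```python
import string
from collections import Counter
from math import log2

# Constructed sample dump in "username:password" form (not real leaked data).
# It deliberately includes a line with no separator and a test account so the
# corrupt/test filter has something to drop.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:password
carol@example.com:Summer2019!
dave@example.com:qwerty
erin@example.com:123456
frank@example.com:88888888
grace@example.com:letmein
heidi@example.com:123456
ivan@example.com:Tr0ub4dor&3
judy@example.com:abc123
garbage line without separator
test@test.com:test
"""

SPECIAL = set(string.punctuation)  # 32 printable ASCII symbols
FLAG_KEYS = ("special", "letters_only", "lower_only", "digits_only",
             "starts_digit", "ends_digit")
# (predicate, class size) pairs used to size the brute-force alphabet.
CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: c in SPECIAL, len(SPECIAL)))


def parse_dump(text):
    """Return (credentials, dropped). A line is dropped when it has no
    'user:password' separator, an empty password, or a test@ account; this is
    an assumed stand-in for the report's corrupt/test filter."""
    creds, dropped = [], 0
    for line in text.splitlines():
        if ":" not in line:
            dropped += 1
            continue
        user, pw = line.split(":", 1)
        if not pw or user.lower().startswith("test@"):
            dropped += 1
            continue
        creds.append((user, pw))
    return creds, dropped


def classify(pw):
    """Character-class flags for one password. 'lower_only' is assumed to
    mean letters only and all lowercase, a subset of 'letters_only'."""
    return {
        "special": any(c in SPECIAL for c in pw),
        "letters_only": pw.isalpha(),
        "lower_only": pw.isalpha() and pw.islower(),
        "digits_only": pw.isdigit(),
        "starts_digit": pw[0].isdigit(),
        "ends_digit": pw[-1].isdigit(),
    }


def analyze(creds, top_n=3):
    """Compute the report's headline statistics; shares are percentages."""
    pws = [pw for _, pw in creds]
    n = len(pws)
    counts = Counter(pws)
    flags = [classify(pw) for pw in pws]
    top = counts.most_common(top_n)
    stats = {
        "total": n,
        "unique_passwords": len(counts),
        "unique_usernames": len({u for u, _ in creds}),
        "avg_length": sum(map(len, pws)) / n,
        "most_common": top[0][0],
        "most_common_pct": 100.0 * top[0][1] / n,
        "top_n_pct": 100.0 * sum(c for _, c in top) / n,
    }
    for key in FLAG_KEYS:
        stats[key + "_pct"] = 100.0 * sum(f[key] for f in flags) / n
    # The single-character-class share behind the article's 42% figure.
    stats["single_class_pct"] = stats["letters_only_pct"] + stats["digits_only_pct"]
    return stats


def keyspace_bits(pw):
    """Brute-force cost in bits, log2(alphabet ** length), with the alphabet
    being the union of character classes the password actually uses. A cracker
    that runs digit-only masks first pays only this much for digit-only passwords."""
    size = sum(n for pred, n in CLASSES if any(pred(c) for c in pw))
    return len(pw) * log2(size)


if __name__ == "__main__":
    creds, dropped = parse_dump(SAMPLE_DUMP)
    print(f"kept {len(creds)} credentials, dropped {dropped} corrupt/test lines")
    for k, v in analyze(creds).items():
        print(f"{k:>20}: {v:.3f}" if isinstance(v, float) else f"{k:>20}: {v}")
    for pw in ("88888888", "qwerty", "Tr0ub4dor&3"):
        print(f"{pw:>12}: ~{keyspace_bits(pw):.1f} bits")
```

On the sample, the eight-digit password costs about 26.6 bits to exhaust, the six-letter one about 28.2, and the eleven-character mixed one about 72; that gap, not the raw length alone, is why the letters-only and digits-only shares in the report matter more than the 9.48-character average.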