Every year SplashData releases a list of the world's worst passwords, and for the last five years that list hasn't changed much. While the list is an amusing look at password blunders, the real lessons are in how and why those passwords exist in the first place.
Salted Hash has collected some raw data in order to help clarify some of these lessons.
After cracking a list of passwords leaked to the Darknet in 2015, two observations were immediately clear: people have taken classic password-creation advice to heart, but no one has told them that modern cracking hardware has rendered that advice obsolete.
The other lesson is that humans are really bad at being random. Left to our own devices, we do not produce passwords that someone with a wordlist and a set of mangling rules can't crack.
The world's worst passwords
The following table contains the world's worst passwords (Top 25) according to SplashData.
It's true that each password in the table above is a comical example of password-based security. And yet, altered only slightly (capitalize the first letter, append a digit and a symbol), several of them will satisfy many of the corporate password policies in use worldwide.
Such policies might seem familiar: Passwords should be X characters in length (usually 5-8, sometimes longer), using a mix of both uppercase and lowercase letters, digits, and special characters.
Such policies are meant to protect corporate assets and users, but the passwords they produce follow predictable patterns (a capitalized word, a number, a trailing symbol) that cracking rule sets and skilled attackers anticipate. Moreover, people carry the same habits home and build their personal passwords the same way, with the same flaws.
Enter MMO Kings
In late 2015, someone compromised the MMO Kings database and leaked it. The leaked data included unsalted MD5 password hashes, which (next to clear text) is about the worst way to store passwords: MD5 is designed to be fast, so an attacker can test billions of guesses per second, and without a per-user salt a single guess is checked against every account in the table at once.
For those who don't know, MMO Kings is a website that allows gamers (such as those on World of Warcraft) to purchase gold or other in-game currencies for actual cash, and it also offers power-leveling services.
Salted Hash took the leaked hashes and spent a small amount of time cracking them using Hashcat on Kali Linux. After the passwords were cracked, we ran statistical analysis using Pipal (by Robin Wood) and Passpal (by T. Alexander Lystad).
In all, the leaked hash list included 89,872 accounts. After removing 22,324 duplicate hashes, we were left with a list of 67,547 unique hashes to crack.
As a testament to the weakness of common passwords, such as those highlighted by SplashData, and to the weakness of non-random password construction, it took less than three minutes to crack 74 percent of the hashes.
In under an hour, we had cracked 54,473 hashes, or about 80 percent of the list.
A second cleanup removed a single blank password and 556 duplicate passwords. It's worth noting that within the removed set, 20 accounts had used an email address as a password, something you should never do.
This left us with a list of 53,917 passwords to examine.
Note: The passwords were cracked with Hashcat on a single NVIDIA GeForce GTX 970 GPU, using the RockYou.com wordlist (which contains the SplashData sets from the last five years) and a series of mangling rules applied to that wordlist. In all, we gave the hash list ten passes before we felt we had enough data to work with.
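As an added example (not the Salted Hash tooling, and run against a constructed dozen of hashes rather than the MMO Kings dump), the following Python reproduces the shape of the attack described above and of the policy discussion earlier: a small wordlist pushed through hashcat-style mangling rules against unsalted MD5, a check of which recovered passwords would still have satisfied a standard complexity policy, and the same attack repeated against per-user salts to show why unsalted storage made this so cheap. The wordlist, the rule set and the policy function are simplified stand-ins, and the one "random" password in the sample is there only so that something survives.

```python
"""Wordlist-plus-rules attack on unsalted MD5, the way hashcat -m 0 -a 0 -r <rules>
works, run against a tiny constructed data set (not the MMO Kings dump)."""
import hashlib
import os
import string

# Constructed stand-in for the leaked table: unsalted MD5 digests of passwords
# built the way the article describes (base word + case change, digits, year,
# trailing symbol), plus one genuinely random password that should survive.
PLAINS = ["password", "Password1", "qwerty123", "Summer2015!", "football12",
          "letmein", "Dragon2014", "monkey!", "Welcome1", "ILOVEYOU", "tr0ub4d0r",
          "x9$Kq2!vLm8#"]
LEAKED = {hashlib.md5(p.encode()).hexdigest() for p in PLAINS}

# A handful of RockYou-style base words; the real wordlist has ~14 million lines.
WORDLIST = ["password", "qwerty", "letmein", "dragon", "monkey", "football",
            "summer", "welcome", "iloveyou", "troubador", "baseball"]
YEARS = range(1990, 2017)


def leet(word):
    """hashcat 'sa4 se3 so0'-style substitutions."""
    return word.translate(str.maketrans("aeo", "430"))


def candidates(word):
    """Yield what a small best64-style rule set produces from one base word."""
    suffixes = [""] + [str(n) for n in range(1000)] + [str(y) for y in YEARS]
    for base in (word, word.capitalize(), word.upper(), leet(word)):
        for suffix in suffixes:
            yield base + suffix          # football12, Dragon2014
            yield base + suffix + "!"    # monkey!, Summer2015!


def passes_policy(password, min_len=8):
    """The classic corporate policy: min_len+ characters and three of four classes."""
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    return len(password) >= min_len and sum(classes) >= 3


def crack_unsalted(hashes, wordlist):
    """Unsalted: one MD5 per candidate is checked against every account at once.
    Returns (recovered {hash: plaintext}, number of hash computations)."""
    found, work = {}, 0
    for word in wordlist:
        for cand in candidates(word):
            work += 1
            digest = hashlib.md5(cand.encode()).hexdigest()
            if digest in hashes:
                found[digest] = cand
    return found, work


def crack_salted(records, wordlist):
    """Per-user salt: every candidate must be rehashed for every account, so the
    work grows linearly with the number of accounts. A slow KDF (bcrypt, scrypt,
    Argon2) would then multiply the cost of each of those guesses again."""
    found, work = {}, 0
    for salt, digest in records:
        for word in wordlist:
            for cand in candidates(word):
                work += 1
                if hashlib.md5(salt + cand.encode()).hexdigest() == digest:
                    found[digest] = cand
    return found, work


def policy_compliant_cracked(found):
    """Recovered passwords that would have satisfied the complexity policy."""
    return sorted(p for p in found.values() if passes_policy(p))


def salted_records(plains):
    """Constructed salted table: random 16-byte salt per account, MD5(salt || pw)."""
    out = []
    for p in plains:
        salt = os.urandom(16)
        out.append((salt, hashlib.md5(salt + p.encode()).hexdigest()))
    return out


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED, WORDLIST)
    print(f"unsalted: {len(found)}/{len(LEAKED)} recovered with {work:,} MD5 calls")
    print("recovered yet policy-compliant:", policy_compliant_cracked(found))
    _, salted_work = crack_salted(salted_records(PLAINS), WORDLIST)
    print(f"salted:   same attack needs {salted_work:,} MD5 calls "
          f"({salted_work // work}x, one per account per guess)")
```

Eleven of the twelve constructed hashes fall to about 90,000 MD5 computations, and four of the recovered passwords (Password1, Summer2015!, Dragon2014, Welcome1) would have passed an eight-character, three-class policy. Against per-user salts the identical attack costs one hash per account per guess; against a proper slow hash each of those guesses also becomes thousands of times more expensive.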
Of the passwords recovered from the hash list, 76 percent were eight characters or fewer; only 24 percent were longer than eight characters.
As a side note, 11,593 of the recovered passwords were six characters or fewer.
Passwords this short fall to plain brute force regardless of what they contain: every six-character string over the 95 printable ASCII characters amounts to roughly 735 billion candidates, a keyspace a single modern GPU exhausts for MD5 in minutes. Their presence suggests the accounts were either non-essential to their owners, or protected by something personal and easy to remember.
Given that most of the passwords recovered included dates, months or days of the week, the personal nature of these shorter passwords is almost a sure bet.
Yet the standout metric in the recovered list is the base words: the word that remains once a password is stripped of its case changes, digits and symbols (Password1, password123 and PASSWORD! all share the base word "password").
Compare the table below to the SplashData list and look at the common elements.
The most common characters in the recovered passwords are:
a e 1 o r n 2 i s l
The most common symbols:*
! @ - . * # _ ? )
*Please note that a blank space is included on this list, fourth spot from the right
The base word list and the common character stats show that people are still following the password-creation rules of old. So the problem isn't the handful of weak passwords SplashData highlights; it's the construction methods, and the policies that encourage them, that make passwords predictable.
A minimum of eight characters, uppercase and lowercase letters, numbers and symbols were solid rules to live by ten years or so ago. That was then; against modern GPUs and rule-based cracking, those rules are obsolete.
Again: in 45 minutes we cracked 80 percent of the list using a stock wordlist and common cracking rules, which is far from a professional job.
Yet professionals crack passwords every day on red team engagements the world over with the same set of tools, because nothing stronger is needed. That's a problem.
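The statistics quoted above (length buckets, base words, most common characters and symbols, date-like passwords) are the kind Pipal produces. As an added example, not the output of Pipal or Passpal and run on a constructed list rather than the recovered MMO Kings passwords, the following Python computes the same metrics; the base-word rule (strip leading and trailing digits and symbols, lowercase the rest) is the simple definition used here, and the date detector only looks for four-digit years and full month and weekday names.

```python
"""Pipal-style statistics over a cracked password list: length split, base words,
most common characters and symbols, and date-like passwords. Constructed sample,
not the MMO Kings data."""
import re
import string
from collections import Counter

# Constructed cracked list, shaped like the article's findings: dictionary base
# words dressed up with capitals, digits, years and a trailing symbol.
SAMPLE = [
    "password", "password1", "Password123", "p@ssword!", "qwerty", "qwerty123",
    "Summer2015!", "summer15", "football12", "Football", "letmein", "dragon",
    "Dragon2014", "monkey!", "Welcome1", "iloveyou", "iloveyou2", "123456",
    "monday1", "june1987", "abc123", "baseball",
]

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
YEAR_RE = re.compile(r"(?:19|20)\d{2}")       # 1900-2099 anywhere in the password


def share_at_most(passwords, max_len):
    """Percentage of passwords with at most max_len characters (the 1-8 bucket)."""
    short = sum(1 for p in passwords if len(p) <= max_len)
    return round(100 * short / len(passwords), 1)


def base_word(password):
    """Strip leading/trailing digits and symbols and lowercase what is left.
    All-digit or all-symbol passwords such as 123456 have no base word ('')."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def top_base_words(passwords, n=10):
    """Most common base words, ignoring passwords that have none."""
    return Counter(b for b in map(base_word, passwords) if b).most_common(n)


def top_chars(passwords, n=10):
    """Most common characters across the whole list (case-sensitive)."""
    return Counter("".join(passwords)).most_common(n)


def top_symbols(passwords, n=10):
    """Most common non-alphanumerics; the blank space counts as a symbol here too."""
    symbols = set(string.punctuation + " ")
    return Counter(c for c in "".join(passwords) if c in symbols).most_common(n)


def date_like(password):
    """True if the password carries a year, a month name or a weekday name.
    Full names only: matching 'mon' or 'jan' would also hit monkey and janitor."""
    low = password.lower()
    return bool(YEAR_RE.search(low)
                or any(m in low for m in MONTHS)
                or any(d in low for d in DAYS))


def count_date_like(passwords):
    return sum(1 for p in passwords if date_like(p))


def report(passwords):
    """Print a Pipal-style summary for the list."""
    print(f"{len(passwords)} passwords; {share_at_most(passwords, 8)}% are 1-8 characters")
    print(f"{count_date_like(passwords)} contain a year, month or weekday")
    print("top base words:", top_base_words(passwords, 5))
    print("top characters:", " ".join(c for c, _ in top_chars(passwords, 10)))
    print("top symbols:   ", " ".join(repr(c) for c, _ in top_symbols(passwords, 10)))


if __name__ == "__main__":
    report(SAMPLE)
```

On the constructed list, "password" is the most common base word even though it appears in four different spellings, "!" is the dominant symbol because it is the go-to trailing character, and four of the 22 entries carry a year, month or weekday. Those are exactly the patterns a rule set exploits: capitalize the base word, append digits or a year, append "!".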