What do “hack,” “root,” “pass,” and “hax” have in common? They are all pretty pathetic as passwords, but they are hackers’ favorite passwords just the same.

When looking at passwords in general, “123456” bypassed “password” as the most common password in 2013, yet the usual horrible suspects were still found among the top 25 most commonly used and worst passwords. You might think hackers would know better, but apparently they are not better than regular Joes and Janes when it comes to choosing passwords.

About 2,000 passwords belonging to hackers were leaked this week, revealing that “hackers use weak passwords just like the rest of us,” Antonín Hýža wrote on the Avast blog.

After deciding to find out how strong hackers’ passwords were, Hýža started with 40,000 samples of passwords from backdoors, bots and shells that Avast has collected over the years. Of the 40,000, only about “2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes.”

Here are some of Hýža’s findings:

58% of hackers’ passwords contained only the lower-case alphabet characters a-z. The most common lower-case letter is “a” and f, j, v, w, y, z were the least used.

Only 20% of hackers’ passwords used lower-case letters combined with numbers.

Upper-case letters were rarely used, but when used they were either the first letter in the passwords or the entire password was shouting in CAPS LOCK. 5% combined upper-case and lower-case letters.

A lowly 2% of hackers’ passwords used a mixture of lower case, upper case and numbers.

30% of the passwords used numbers, with “1” as the most commonly used numeral.

A mere 6% bothered to include special characters.
Hýža found that the following special characters were not used at all: , = ~ | [ ]

Size does matter; don’t believe it if anyone tells you otherwise. The average password length for hackers was 6 characters. Only 52 passwords were longer than 12 characters.

Roughly 10% of hackers’ passwords were strong enough that they couldn’t be cracked. One of the good ones was 75 characters long; others were in passphrases – in sentence form, mixed with special characters like “lol dont try cracking 12 char+” … but sadly it was stored in plain text.

Hýža wrote:

“By now, you may be wondering what password hackers use the most. There were a lot of variations of the word pass and root and also hax was used many times, but if I omit one common 4-letter word, the most frequently used word in this dictionary is hack. It is worth mentioning that many PHP shells I analyzed had only default passwords like r57, c99, password or yourpass.”

Several of the passwords contained leet speak. You can read this – L337, L33T, 1337 – you know you can. So if you are determined to stick with “password” as your password, then at least leet speak it such as: P@5$W0rD5, p455\/\/0RD, P@$$VV0Rd. Need help with your leet-speak password? Try these converters: English to HaXor, L337 converter, or Universal Leet. Better yet, use phrases, because as the Avast analysis shows, h@ck3R$ PIck P@7h37iC p@$sw0rd5 jU$7 lIk3 3V3ry0n3 3L53 (hackers pick pathetic passwords just like everyone else).
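
The breakdown above can be reproduced for any password list you are entitled to audit. The following is an added example, not code from the Avast analysis: it profiles a small constructed sample (a few entries are words quoted in the article) by character class and length, and compares search-space sizes to show why lower-case passwords shorter than 9 characters fall so easily. The names profile, classes and keyspace are hypothetical.

```python
import string
from collections import Counter

# Constructed sample for illustration; some entries are words the article quotes.
SAMPLE = ["hack", "root", "pass", "hax", "r57", "c99", "password",
          "yourpass", "123456", "Admin", "SHELL", "P@5$W0rD5",
          "lol dont try cracking 12 char+"]

def classes(pw):
    """Return the set of character classes present in one password."""
    found = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("special")  # anything else, spaces included
    return frozenset(found)

def profile(passwords):
    """Summarise composition and length in the same terms as the findings."""
    n = len(passwords)
    by_class = Counter(classes(pw) for pw in passwords)

    def share(pred):
        return round(100 * sum(c for k, c in by_class.items() if pred(k)) / n)

    return {
        "lower_only_pct": share(lambda k: k == {"lower"}),
        "lower_and_digit_pct": share(lambda k: k == {"lower", "digit"}),
        "any_digit_pct": share(lambda k: "digit" in k),
        "any_special_pct": share(lambda k: "special" in k),
        "avg_length": round(sum(map(len, passwords)) / n, 1),
        "longer_than_12": sum(len(pw) > 12 for pw in passwords),
    }

def keyspace(alphabet_size, max_len):
    """Number of candidate strings of length 1..max_len over an alphabet."""
    return sum(alphabet_size ** i for i in range(1, max_len + 1))

if __name__ == "__main__":
    print(profile(SAMPLE))
    # a-z only, up to 8 characters, versus the 95 printable ASCII characters
    print(keyspace(26, 8), keyspace(95, 8))
```

Going from a-z to the full printable ASCII set at the same maximum length of 8 multiplies the search space by roughly 30,000, and each extra character multiplies it again by the alphabet size, which is why the article's advice to use long phrases matters more than leet substitutions.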