10,000 Top Passwords
Back when I wrote Perfect Passwords, I generated a list of the top 500 worst (aka most common) passwords, which seems to have propagated quite a bit across the internet, including being mentioned on Gizmodo, Boing Boing, Symantec, Laughing Squid and many other sites. Since then I have collected a large number of new passwords, bringing my current list to about 6,000,000 unique username/password combos, including many of those that have been recently made public*.
At some point I will make this full data set publicly available but in the meantime, I have decided to release the following list of the top 10,000 most common passwords. This list is ranked by counting how many different usernames appear on my list with the same password. Note that capitalization is not taken into consideration when matching passwords so this list has been converted to all lowercase letters. What is interesting here is that in my current sample data, this list of the 10,000 most common passwords represents 99.8% of all user passwords.
Here are the files:
10,000 Most Common Passwords List
10,000 Most Common Passwords with Frequency
While many people have improved the security and strength of their passwords, there are still a huge number of people who pick from a very small list of common passwords. In fact, 91% of all user passwords sampled appear on the list of just the top 1,000 passwords.
The following graph illustrates how often users select common passwords:
What is interesting here is how fast that curve drops from the top password (which is password). In other words, as you go down the list of top passwords, the number of users that select that password drops dramatically.
Here are some interesting facts gleaned from my most recent data:
- 4.7% of users have the password password;
- 8.5% have the passwords password or 123456;
- 9.8% have the passwords password, 123456 or 12345678;
- 14% have a password from the top 10 passwords;
- 40% have a password from the top 100 passwords;
- 79% have a password from the top 500 passwords;
- 91% have a password from the top 1000 passwords.
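The ranking method described earlier (distinct usernames per lowercased password) and cumulative coverage figures like the ones in this list can be computed as follows, along with the blocklist check a site could build from the result. This is an added example, not the author's own tooling: the sample combos are constructed, and the function names and the choice of denominator (unique username/password pairs) are assumptions.

```python
from collections import defaultdict

# Constructed sample of (username, password) pairs; not data from the article.
SAMPLE_COMBOS = [
    ("alice", "password"), ("bob", "Password"), ("carol", "PASSWORD"),
    ("dave", "123456"), ("erin", "123456"),
    ("frank", "qwerty"),
    ("alice", "password"),  # exact duplicate combo, counted once
    ("grace", "k7#Lm2!xQ"), ("heidi", "Tr0ub4dor&3"),
]

def rank_passwords(combos):
    """Rank lowercased passwords by the number of distinct usernames using them."""
    users_by_password = defaultdict(set)
    for username, password in combos:
        # Capitalization is ignored when matching passwords, as in the article.
        users_by_password[password.lower()].add(username)
    counts = {pw: len(users) for pw, users in users_by_password.items()}
    # Highest count first; ties broken alphabetically for a stable order.
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))

def coverage(ranked, top_n):
    """Fraction of counted username/password pairs covered by the top_n passwords."""
    total = sum(count for _, count in ranked)
    if total == 0:
        return 0.0
    return sum(count for _, count in ranked[:top_n]) / total

def build_blocklist(ranked, top_n):
    """Set of the top_n most common passwords, for rejecting them at signup."""
    return {pw for pw, _ in ranked[:top_n]}

def is_blocked(candidate, blocklist):
    """Case-insensitive membership test, matching how the list was built."""
    return candidate.lower() in blocklist

if __name__ == "__main__":
    ranked = rank_passwords(SAMPLE_COMBOS)
    for n in (1, 2, len(ranked)):
        print(f"top {n}: {coverage(ranked, n):.1%} of sampled pairs")
    print(is_blocked("PassWord", build_blocklist(ranked, 2)))
```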
Of course, a chart only means so much, so here is the data for the top 500 passwords shown as a tag cloud:
It is important to point out that although the top 10,000 passwords are used by 98.8% of all users, there are 2,342,603 (that’s 99.6%) unique passwords remaining that are in use by only .18% of users!
So how does the new top 500 list compare to my old top 500 list? Here is a visual diff that shows how it has changed.
* Note that all passwords on this list are from publicly available sources and can be found by anyone. The list does not include the 30 million passwords from the rockyou release because that list does not contain usernames, so duplicates with my own list cannot be detected and the two cannot be merged.



Would you consider making a high resolution version of the tag cloud available? I’m in IT and I think that would make a great piece of art for my office!
Here is a higher resolution PDF version.
Hi Mark,
Would you mind if I used your 10,000 passwords list on an updated version of How Secure Is My Password that’s currently in the works? It would be great to have a slightly better dictionary check, as it doesn’t do one at all at the moment and some users go away with the impression that their long but obvious password is very secure.
Thanks,
Mark
Great article. Got myself a copy of the top passwords which I’ll use as a way to prevent people from using them on future important sites.
Thanks for sharing this – I really like that tag cloud.
Just an observation: to be fair this is very much determined by culture – i.e. password is ‘probably’ not that common in, for example, Spain/Spanish cultures – but the translated equivalent may be.
Apologies if I am stating the obvious here, but I would suggest that your analysis only applies to Anglo-Saxon users. Your next project may be to take culture into account :) and see if and how the translated equivalents are used in other world regions and countries.
My assumption would be that number-passwords (e.g. 12345) may just be international.
Thanks,
B
Remember the old “Where is the ANY KEY?” That was not a joke; there really were people who asked. When people are told to select a “password”, some of them do just that. Select “password”. And some of course are just lazy.
It should not be called “password”. That sets up a mindset that it should be a word. Most people recognize PIN as Personal Identification Number, so why not PIP as Personal Identification Phrase? Please take note of the word PHRASE.
Here is a sample: Me&thee&ourdog makes3. Actually, the person who uses that phrase uses real names.
Of course fat chance of getting the whole industry to change from password to any other form of describing what is needed.
Thanks, this has been something I’ve wanted to share for a long time.
Very nice article and analysis.
I find it incredibly hard to believe that ‘films+pic+galeries’ (complete with the misspelling) ranks so highly. (It ranks higher than ‘012345’, for example.) It feels to me like a flaw in your data set. Do you have any explanation for its prominence?
Due to the automated nature of collecting passwords, sometimes you do get anomalies like that. I have some tests that normally catch things like that, but somehow this one got through. The data definitely is not perfect, but as the data set grows, little anomalies like this become less and less significant.
Well said, Bluie. The term “Password” should be renamed! Also, the top 1000+ passwords should be banned on major websites along with a nice explanation about how to create better passwords.
Could you post a link to the top 10,000 lists on a host other than FileSonic? FileSonic has disabled sharing capabilities after the whole MegaUpload fiasco.
wow! amazing research…
This is the top 10.
>Pussy
>1234
>12345
>123456
>12345678
>Baseball
>Football
>Password
>Qwerty
>Dragon