10,000 Top Passwords
If you came here looking for 10,000 passwords, you probably want to look at this newer article where you can find 10 million passwords.
Back when I wrote Perfect Passwords, I generated a list of the top 500 worst (aka most common) passwords, which seems to have propagated quite a bit across the internet, including being mentioned on Gizmodo, Boing Boing, Symantec, Laughing Squid and many other sites. Since then I have collected a large number of new passwords, bringing my current list to about 6.5 million unique username/password combos, including many of those that have been recently made public*.
At some point I will make this full data set publicly available, but in the meantime I have decided to release the following list of the top 10,000 most common passwords. This list is ranked by counting how many different usernames appear on my list with the same password. Note that for this list I do not take capitalization into consideration when matching passwords, so the list has been converted to all lowercase letters.
Here are the files:
While many people have improved the security and strength of their passwords, there are still a huge number of people who pick from a very small list of common passwords. In fact, 40% of all passwords appear in the top 100 list.
Here are some interesting facts gleaned from my most recent data:
- 0.5% of users have the password password;
- 0.4% have the passwords password or 123456;
- 0.9% have the passwords password, 123456 or 12345678;
- 1.6% have a password from the top 10 passwords;
- 4.4% have a password from the top 100 passwords;
- 9.7% have a password from the top 500 passwords;
- 13.2% have a password from the top 1,000 passwords;
- 30% have a password from the top 10,000 passwords.
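The ranking method described above (count distinct usernames per password, ignoring capitalization) and the top-N coverage figures can be reproduced on any combo list. The following is an added example, not the author's own code: the `user:password` input format, the sample data, the function names and the choice of distinct username/password pairs as the coverage denominator are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of username:password combos (not real data).
SAMPLE_COMBOS = """\
alice:Password
bob:password
alice:password
carol:123456
dave:123456
erin:PASSWORD
frank:qwerty
grace:Tr0ub4dor&3
heidi:letmein
bob:hunter2
"""

def parse_combos(text):
    """Yield (username, lowercased password); split on the first ':' only."""
    for line in text.splitlines():
        user, sep, pw = line.partition(":")
        if sep and user and pw:
            yield user, pw.lower()

def rank_passwords(combos):
    """Rank passwords by the number of distinct usernames that use them."""
    users_by_pw = defaultdict(set)
    for user, pw in combos:
        users_by_pw[pw].add(user)  # a set drops repeats of the same user
    counts = {pw: len(users) for pw, users in users_by_pw.items()}
    # Highest count first; ties broken alphabetically for stable output.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def coverage(ranked, top_n):
    """Fraction of distinct user/password pairs using a top-N password."""
    total = sum(n for _, n in ranked)
    return sum(n for _, n in ranked[:top_n]) / total if total else 0.0

def is_blocklisted(candidate, ranked, top_n):
    """Defensive check at password-set time: reject top-N passwords."""
    return candidate.lower() in {pw for pw, _ in ranked[:top_n]}

if __name__ == "__main__":
    ranked = rank_passwords(parse_combos(SAMPLE_COMBOS))
    for n in (1, 2, 3):
        print(f"top {n}: {coverage(ranked, n):.1%} of combos")
    print("PassWord rejected:", is_blocklisted("PassWord", ranked, 2))
```

Because the blocklist check lowercases the candidate, it rejects capitalization variants of a common password as well, matching how the list itself was built.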
So how does the new top 500 list compare to my old top 500 list? Here is a visual diff that shows how it has changed.
You may use the Top 10,000 Passwords List, the Top Passwords Tag Cloud or any portion of this article (including commercial use) with attribution to Mark Burnett (xato.net). A higher-resolution PDF of the password cloud is available here.
* Note that all passwords on this list are from publicly available sources and can be found by anyone. The list does not include the 30 million passwords from the RockYou release because that release does not contain usernames, so duplicates with my own list cannot be detected and the two cannot be merged.
This work by Mark Burnett is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.