Back when I wrote Perfect Passwords, I generated a list of the top 500 worst (aka most common) passwords which seems to have propagated quite a bit across the internet, including being mentioned on GizomodoBoing Boing, SymantecLaughing Squid and many other sites. Since then I have collected a large number of new passwords bringing my current list to about 6,000,000 unique username/password combos, including many of those that have been recently made public*.

At some point I will make this full data set publicly available but in the meantime, I have decided to release the following list of the top 10,000 most common passwords. This list is ranked by counting how many different usernames appear on my list with the same password. Note that for this list, I do not take capitalization into consideration when matching passwords so this list has been converted to all lowercase letters. What is interesting here is that in my current sample data, this list of the 10,000 most common passwords represents 99.8% of all user passwords.

Here are the files:

10,000 Most Common Passwords List
10,000 Most Common Passwords with Frequency

While many people have improved the security and strength of their passwords, there are still a huge number of people who pick from a very small list of common passwords. In fact, 91% of all user passwords sampled all appear on the list of just the top 1,000 passwords.

The following graph illustrates how often users select common passwords (click for larger):

Passwords Frequency

What is interesting here is how fast that curve drops from the top password (which is password). In other words, as you go down the list of top passwords, the number of users that select that password drops dramatically.

Here are some interesting facts gleaned from my most recent data:

  • 4.7% of users have the password password;
  • 8.5% have the passwords password or 123456;
  • 9.8% have the passwords password, 123456 or 12345678;
  • 14% have a password from the top 10 passwords
  • 40% have a password from the top 100 passwords
  • 79% have a password from the top 500 passwords
  • 91% have a password from the top 1000 passwords

Of course, a chart only means so much, so here is the data for the top 500 passwords show as a tag cloud (click for larger):

It is important to point out that although the top 10,000 passwords are used by 98.8% of all users, there are 2,342,603 (that’s 99.6%) unique passwords remaining that are in use by only .18% of users!

So how does the new top 500 list compare to my old top 500 list? Here is a visual diff that shows how it has changed.

 

* Note that all passwords on this list are from publicly available sources and can be found by anyone. The list does not include the 30 million passwords from the rockyou release because the list does not contain usernames and therefore duplicates with my own list cannot be detected and so they cannot be merged.

Creative Commons License
This work by Mark Burnett is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

You may use the Top 10,000 Passwords List, the Top Passwords Tag Cloud or any portion of this article (including commercial use) with attribution to Mark Burnett (xato.net).

Tags: , , , , , , , , , , ,



Yubikey Token        LastPass password manager