Earlier this year we saw massive password databases released onto the dark web. These databases were more extensive than any of the databases leaked before. In January a password database called Collection#1 was released containing millions of passwords. A few weeks later, an even bigger collection was leaked onto the dark web. The collection consisted of several volumes, collectively known as Collection#2-Collection#5.
Finding the collections at the time of the leak was challenging. The team at Crimson Wall managed to locate and download the collections (via torrents). We waited patiently for weeks for the torrent downloads to complete. Finally, after the downloads completed, we could inspect all the password collections (Collection#1-Collection#5).
Initial inspection of the collections revealed that the dumps were as bad as everyone feared. The dumps contained millions of plaintext passwords and password hashes (that anyone can de-hash using hashcat). These dumps seem to have been obtained by hacking websites and then dumping the user credentials. The collections each consist of thousands of files. The files and directories are named appropriately to indicate the origin of the dumped credentials. The dumps also contained usernames and password stolen from various South African websites. To protect the identity of the compromised websites, we’ll only show a rough calculation performed to count the amount of .co.za websites in the dumps.
The estimate indicates that roughly 73 .co.za domains were compromised. During investigations, we found that some dumps files were duplicated among the collections. For this reason, we’ll call this number an “estimate” – please don’t quote us on this.
Interesting collection facts
The password collections consist of thousands of text files. Some text files contain plaintext passwords, while others contain hashed passwords. In some text files it’s obvious if the password is hashed or not, but in others, it’s not the case. We created a python script that used hashid to find and extract passwords that are in plaintext format.
All passwords identified to be in plaintext format were added to a list. The list was sorted according to popularity, thereby giving us a list of the most common (plaintext/de-hashed) passwords found in the password dumps. The table below shows the 1000 most popular plaintext passwords found in all the password collections:
| Popularity | Count | Password |
|---|---|---|
| 1 | 162271151 | 123456 |
| 2 | 81161255 | 123456789 |
| 3 | 50286117 | qwerty |
| 4 | 44723501 | password |
| 5 | 32194815 | 12345 |
| 6 | 29162633 | 12345678 |
| 7 | 20735847 | qwerty123 |
| 8 | 19961463 | 111111 |
| 9 | 18924491 | 1q2w3e |
| 10 | 18859579 | 1234567890 |
| 11 | 17921947 | 1234567 |
| 12 | 17316581 | 123123 |
| 13 | 14749948 | abc123 |
| 14 | 14512613 | DEFAULT |
| 15 | 13245586 | 0 |
| 16 | 12155203 | password1 |
| 17 | 11157483 | 10pace |
| 18 | 10659740 | qwertyuiop |
| 19 | 10084574 | 1q2w3e4r5t |
| 20 | 10025032 | iloveyou |
| 21 | 8793330 | 1234 |
| 22 | 8190391 | 123321 |
| 23 | 7349937 | dragon |
| 24 | 7056228 | 654321 |
| 25 | 6772443 | 1q2w3e4r |
| 26 | 6694680 | 666666 |
| 27 | 6661032 | monkey |
| 28 | 6616567 | 1qaz2wsx |
| 29 | 6600247 | 123 |
| 30 | 6446201 | 30media |
| 31 | 6149569 | qwe123 |
| 32 | 5719739 | 123456a |
| 33 | 5381150 | 123qwe |
| 34 | 5308866 | 7777777 |
| 35 | 5291952 | 59trick |
| 36 | 5273908 | 987654321 |
| 37 | 5170294 | 121212 |
| 38 | 4934801 | zxcvbnm |
| 39 | 4859369 | 123123123 |
| 40 | 4793977 | 24crow |
| 41 | 4783104 | 59mile |
| 42 | 4739760 | '' |
| 43 | 4732863 | 19weed |
| 44 | 4458823 | 555555 |
| 45 | 4401828 | asdfghjkl |
| 46 | 4296906 | qazwsx |
| 47 | 4164692 | 112233 |
| 48 | 4016714 | 1234qwer |
| 49 | 3987057 | asdasd |
| 50 | 3982445 | 159753 |
| 51 | 3905531 | 66bob |
| 52 | 3866656 | qwert |
| 53 | 3840578 | q1w2e3r4t5y6 |
| 54 | 3728419 | 222222 |
| 55 | 3707637 | target123 |
| 56 | 3694778 | tinkle |
| 57 | 3600247 | 1g2w3e4r |
| 58 | 3595374 | gwerty |
| 59 | 3593113 | fuckyou |
| 60 | 3587071 | zag12wsx |
| 61 | 3582321 | gwerty123 |
| 62 | 3540433 | qwerty1 |
| 63 | 3489587 | a123456 |
| 64 | 3376386 | 11111111 |
| 65 | 3348897 | princess |
| 66 | 3299426 | computer |
| 67 | 3282675 | football |
| 68 | 3240534 | 123abc |
| 69 | 3102853 | q1w2e3r4 |
| 70 | 3092484 | )ryan |
| 71 | 3074295 | asdfgh |
| 72 | 3071445 | 789456123 |
| 73 | 3035166 | yuantuo2012 |
| 74 | 3009320 | azerty |
| 75 | 2966381 | michael |
| 76 | 2962458 | myspace1 |
| 77 | 2938483 | killer |
| 78 | 2908839 | 123654 |
| 79 | 2907985 | 1qaz2wsx3edc |
| 80 | 2903508 | 777777 |
| 81 | 2843965 | shadow |
| 82 | 2834031 | Password |
| 83 | 2824955 | 0.00000000 |
| 84 | 2808161 | homelesspa |
| 85 | 2793713 | daniel |
| 86 | 2785732 | qwer1234 |
| 87 | 2779782 | sunshine |
| 88 | 2767450 | aaaaaa |
| 89 | 2758110 | master |
| 90 | 2669805 | superman |
| 91 | 2657198 | 123456789a |
| 92 | 2622041 | j38ifUbn |
| 93 | 2573215 | 88888888 |
| 94 | 2570529 | 12qwaszx |
| 95 | 2565571 | samsung |
| 96 | 2558425 | ashley |
| 97 | 2558219 | pokemon |
| 98 | 2518254 | 999999 |
| 99 | 2494669 | abcd1234 |
| 100 | 2438469 | 1234561 |
| 101 | 2435142 | 3rJs1la7qE |
| 102 | 2425408 | baseball |
| 103 | 2392712 | qazwsxedc |
| 104 | 2377372 | gfhjkm |
| 105 | 2276582 | 123456789 |
| 106 | 2263030 | q1w2e3r4t5 |
| 107 | 2254882 | 12345a |
| 108 | 2249999 | liverpool |
| 109 | 2247947 | jessica |
| 110 | 2246712 | 987654321 |
| 111 | 2240330 | 147258369 |
| 112 | 2228740 | 123456q |
| 113 | 2226527 | asd123 |
| 114 | 2214490 | qweasdzxc |
| 115 | 2203892 | thomas |
| 116 | 2197754 | !ab#cd$ |
| 117 | 2192358 | soccer |
| 118 | 2186068 | charlie |
| 119 | 2124225 | 11111 |
| 120 | 2121647 | jordan |
| 121 | 2106886 | 159357 |
| 122 | 2103925 | naruto |
| 123 | 2079917 | 789456 |
| 124 | 2072460 | x4ivygA51F |
| 125 | 2064460 | zxcvbn |
| 126 | 2047571 | Sojdlg123aljg |
| 127 | 2040289 | 888888 |
| 128 | 2036975 | FQRG7CS493 |
| 129 | 2002755 | 131313 |
| 130 | 1992366 | 12341234 |
| 131 | 1988973 | 3Odi15ngxB |
| 132 | 1982818 | 12344321 |
| 133 | 1981397 | michelle |
| 134 | 1977203 | 1111111 |
| 135 | 1934770 | 333333 |
| 136 | 1925118 | 987654 |
| 137 | 1896870 | starwars |
| 138 | 1892893 | fuk19600 |
| 139 | 1885597 | blink182 |
| 140 | 1876817 | qweqwe |
| 141 | 1871159 | 1111 |
| 142 | 1863400 | iloveyou1 |
| 143 | 1862677 | andrew |
| 144 | 1858762 | nicole |
| 145 | 1832699 | 0 |
| 146 | 1824917 | 1qazxsw2 |
| 147 | 1821939 | 12345678910 |
| 148 | 1821097 | hunter |
| 149 | 1801790 | jennifer |
| 150 | 1798392 | anthony |
| 151 | 1792665 | asdf1234 |
| 152 | 1790868 | qwe |
| 153 | 1778256 | joshua |
| 154 | 1773838 | trustno1 |
| 155 | 1761991 | 102030 |
| 156 | 1751798 | internet |
| 157 | 1748500 | justin |
| 158 | 1745909 | lol123 |
| 159 | 1727766 | letmein |
| 160 | 1721328 | welcome |
| 161 | 1707908 | jordan23 |
| 162 | 1700585 | secret |
| 163 | 1697923 | princess1 |
| 164 | 1691955 | fuckyou1 |
| 165 | 1689179 | 1111111111 |
| 166 | 1688010 | 12345qwert |
| 167 | 1684786 | qwerty12 |
| 168 | 1662012 | tigger |
| 169 | 1661001 | andrea |
| 170 | 1653451 | marina |
| 171 | 1651673 | 101010 |
| 172 | 1651599 | robert |
| 173 | 1647396 | Status |
| 174 | 1642400 | 1 |
| 175 | 1632103 | love |
| 176 | 1606473 | hello |
| 177 | 1601689 | lovely |
| 178 | 1594622 | football1 |
| 179 | 1592994 | freedom |
| 180 | 1589050 | batman |
| 181 | 1586860 | alexander |
| 182 | 1585483 | 10203 |
| 183 | 1575224 | michael1 |
| 184 | 1574283 | a12345 |
| 185 | 1571610 | purple |
| 186 | 1565321 | |
| 187 | 1562355 | qwertyui |
| 188 | 1561739 | hannah |
| 189 | 1558651 | william |
| 190 | 1558650 | matthew |
| 191 | 1551560 | buster |
| 192 | 1547017 | qweasd |
| 193 | 1535871 | passw0rd |
| 194 | 1532407 | 147258 |
| 195 | 1528406 | chelsea |
| 196 | 1507363 | 696969 |
| 197 | 1506650 | chocolate |
| 198 | 1499845 | parola |
| 199 | 1498360 | 123654789 |
| 200 | 1492014 | asdf |
| 201 | 1484458 | changeme |
| 202 | 1475990 | q1w2e3 |
| 203 | 1474755 | matrix |
| 204 | 1471205 | 123qweasd |
| 205 | 1469694 | a838hfiD |
| 206 | 1467096 | pakistan |
| 207 | 1467064 | mustang |
| 208 | 1463714 | 1234554321 |
| 209 | 1453426 | samantha |
| 210 | 1451827 | love123 |
| 211 | 1444796 | babygirl |
| 212 | 1443977 | george |
| 213 | 1439874 | 87654321 |
| 214 | 1439761 | asdasd123 |
| 215 | 1437194 | martin |
| 216 | 1436920 | nikita |
| 217 | 1434400 | 147852369 |
| 218 | 1432558 | 11223344 |
| 219 | 1424665 | forever |
| 220 | 1424656 | cookie |
| 221 | 1422384 | cheese |
| 222 | 1415958 | flower |
| 223 | 1413340 | amanda |
| 224 | 1409874 | zaq12wsx |
| 225 | 1408603 | whatever |
| 226 | 1404178 | 1q2w3e4r5t6y |
| 227 | 1403993 | 1234567891 |
| 228 | 1403551 | monkey1 |
| 229 | 1399558 | summer |
| 230 | 1394389 | arsenal |
| 231 | 1386565 | patrick |
| 232 | 1386203 | 1v7Upjw3nT |
| 233 | 1380166 | basketball |
| 234 | 1365527 | d2Xyw89sxJ |
| 235 | 1365122 | friends |
| 236 | 1363521 | mother |
| 237 | 1357129 | pepper |
| 238 | 1354691 | butterfly |
| 239 | 1352085 | loveme |
| 240 | 1348717 | maggie |
| 241 | 1340714 | orange |
| 242 | 1330516 | super123 |
| 243 | 1326892 | 12345q |
| 244 | 1315331 | junior |
| 245 | 1315051 | 5201314 |
| 246 | 1313760 | eminem |
| 247 | 1310646 | snoopy |
| 248 | 1307578 | xbox360 |
| 249 | 1306746 | harley |
| 250 | 1305713 | minecraft |
| 251 | 1304670 | jonathan |
| 252 | 1300710 | ghbdtn |
| 253 | 1297942 | 741852963 |
| 254 | 1293158 | mercedes |
| 255 | 1291853 | 212121 |
| 256 | 1288250 | london |
| 257 | 1283195 | mynoob |
| 258 | 1280202 | jasmine |
| 259 | 1280170 | 232323 |
| 260 | 1275665 | 147852 |
| 261 | 1269543 | benjamin |
| 262 | 1264296 | joseph |
| 263 | 1261152 | jesus1 |
| 264 | 1260528 | diamond |
| 265 | 1260285 | asshole |
| 266 | 1257215 | asdfasdf |
| 267 | 1255059 | iloveu |
| 268 | 1252988 | sophie |
| 269 | 1251698 | 123456789q |
| 270 | 1250787 | family |
| 271 | 1249869 | ginger |
| 272 | 1245233 | banana |
| 273 | 1242418 | qwerty12345 |
| 274 | 1242087 | golfer |
| 275 | 1236889 | metallica |
| 276 | 1231819 | qwertyu |
| 277 | 1220899 | melissa |
| 278 | 1219799 | hello123 |
| 279 | 1218396 | charlie1 |
| 280 | 1217606 | slipknot |
| 281 | 1217366 | hello1 |
| 282 | 1217310 | qazxsw |
| 283 | 1210860 | oliver |
| 284 | 1210435 | 123qweasdzxc |
| 285 | 1209433 | brandon |
| 286 | 1208066 | loveyou |
| 287 | 1202997 | taylor |
| 288 | 1202583 | monster |
| 289 | 1201150 | sandra |
| 290 | 1190934 | aa123456 |
| 291 | 1186333 | qqqqqq |
| 292 | 1180282 | abcdef |
| 293 | 1179454 | 55555 |
| 294 | 1178598 | qwaszx |
| 295 | 1175545 | '' |
| 296 | 1170428 | jessica1 |
| 297 | 1169870 | 111222 |
| 298 | 1168832 | a123456789 |
| 299 | 1166836 | chicken |
| 300 | 1166761 | juventus |
| 301 | 1165911 | silver |
| 302 | 1165582 | barcelona |
| 303 | 1164691 | 4815162342 |
| 304 | 1163063 | nathan |
| 305 | 1161060 | babygirl1 |
| 306 | 1158927 | spiderman |
| 307 | 1156240 | ferrari |
| 308 | 1154813 | victoria |
| 309 | 1150390 | N0=Acc3ss |
| 310 | 1150020 | adidas |
| 311 | 1149228 | christian |
| 312 | 1148020 | 123789 |
| 313 | 1146613 | richard |
| 314 | 1145421 | abcdefg |
| 315 | 1144482 | angel1 |
| 316 | 1139378 | iloveyou2 |
| 317 | 1137528 | loulou |
| 318 | 1134497 | password123 |
| 319 | 1131664 | 3d8Cubaj2E |
| 320 | 1130625 | mickey |
| 321 | 1130303 | jjcG16dj5K |
| 322 | 1129851 | xxxxxx |
| 323 | 1119265 | Password1 |
| 324 | 1117344 | 444444 |
| 325 | 1114721 | gabriel |
| 326 | 1111178 | yellow |
| 327 | 1110018 | hockey |
| 328 | 1108386 | 999999999 |
| 329 | 1105525 | 456789 |
| 330 | 1104039 | angel |
| 331 | 1098773 | antonio |
| 332 | 1098121 | anthony1 |
| 333 | 1097772 | 0 |
| 334 | 1097374 | fuckoff |
| 335 | 1096088 | cocacola |
| 336 | 1095374 | VQsaBLPzLa |
| 337 | 1095091 | fuckyou2 |
| 338 | 1094307 | 1029384756 |
| 339 | 1092484 | bailey |
| 340 | 1092479 | natasha |
| 341 | 1089991 | uQA9Ebw445 |
| 342 | 1086659 | 123qwe123 |
| 343 | 1086547 | nirvana |
| 344 | 1083157 | superman1 |
| 345 | 1078336 | prince |
| 346 | 1071516 | angela |
| 347 | 1066521 | carlos |
| 348 | 1065967 | baseball1 |
| 349 | 1061901 | career121 |
| 350 | 1061475 | peanut |
| 351 | 1048636 | alexis |
| 352 | 1046085 | vanessa |
| 353 | 1043455 | school |
| 354 | 1043131 | samuel |
| 355 | 1038524 | nicolas |
| 356 | 1036172 | 0 |
| 357 | 1031328 | P3Rat54797 |
| 358 | 1030124 | doudou |
| 359 | 1025443 | 456123 |
| 360 | 1022938 | rainbow |
| 361 | 1022863 | qazwsx123 |
| 362 | 1021247 | 252525 |
| 363 | 1018326 | ronaldo |
| 364 | 1017133 | liverpool1 |
| 365 | 1015160 | Exigent |
| 366 | 1011273 | lovers |
| 367 | 1007670 | angels |
| 368 | 1003348 | 123456 |
| 369 | 1002938 | morgan |
| 370 | 992378 | mylove |
| 371 | 987379 | a1b2c3d4 |
| 372 | 986496 | hahaha |
| 373 | 986448 | austin |
| 374 | 985529 | elizabeth |
| 375 | 983395 | sunshine1 |
| 376 | 981390 | pokemon1 |
| 377 | 980709 | jackson |
| 378 | 979560 | D1lakiss |
| 379 | 977892 | apple |
| 380 | 974733 | bubbles |
| 381 | 973928 | iG4abOX4 |
| 382 | 973604 | america |
| 383 | 972770 | steven |
| 384 | 970165 | bandit |
| 385 | 949751 | Groupd2013 |
| 386 | 949247 | g9l2d1fzPY |
| 387 | 948988 | 12121212 |
| 388 | 947789 | scorpion |
| 389 | 947301 | nicholas |
| 390 | 946847 | madison |
| 391 | 946249 | 1234567a |
| 392 | 941443 | stella |
| 393 | 940104 | stalker |
| 394 | 939627 | 852456 |
| 395 | 939346 | scooter |
| 396 | 935054 | zzzzzz |
| 397 | 933620 | yamaha |
| 398 | 931549 | password12 |
| 399 | 930123 | 7654321 |
| 400 | 929275 | diablo |
| 401 | 925542 | 142536 |
| 402 | 920736 | number1 |
| 403 | 918611 | password2 |
| 404 | 915702 | soleil |
| 405 | 913779 | victor |
| 406 | 913178 | W5tXn36alfW |
| 407 | 912860 | money1 |
| 408 | 909489 | 50cent |
| 409 | 907662 | soccer1 |
| 410 | 906984 | danielle |
| 411 | 904380 | asshole1 |
| 412 | 903053 | sabrina |
| 413 | 902082 | cjmasterinf |
| 414 | 899695 | phoenix |
| 415 | 898953 | welcome1 |
| 416 | 898655 | 159951 |
| 417 | 897093 | 123456123 |
| 418 | 895278 | thunder |
| 419 | 893616 | valentina |
| 420 | 891033 | NULL |
| 421 | 891004 | tennis |
| 422 | 889650 | 1234abcd |
| 423 | 889574 | SZ9kQcCTwY |
| 424 | 885890 | 111 |
| 425 | 883694 | matthew1 |
| 426 | 882826 | 290966 |
| 427 | 881397 | wall.e |
| 428 | 880134 | DIOSESFIEL |
| 429 | 879861 | abc |
| 430 | 878100 | lauren |
| 431 | 876183 | tudelft |
| 432 | 875619 | canada |
| 433 | 874886 | 0 |
| 434 | 871005 | U38fa39 |
| 435 | 869683 | dpbk1234 |
| 436 | 868243 | qaz123 |
| 437 | 867380 | zxc123 |
| 438 | 866737 | a |
| 439 | 865668 | vincent |
| 440 | 865161 | -> |
| 441 | 864214 | 98765 |
| 442 | 863728 | klaster |
| 443 | 861696 | bitch1 |
| 444 | 860664 | PE#5GZ29PTZMSE |
| 445 | 860271 | destiny |
| 446 | 859948 | qwerty123456 |
| 447 | 858731 | rachel |
| 448 | 858359 | casper |
| 449 | 855792 | dennis |
| 450 | 854043 | jasper |
| 451 | 853650 | edward |
| 452 | 853621 | spider |
| 453 | 850261 | alexandra |
| 454 | 848806 | smokey |
| 455 | 847555 | merlin |
| 456 | 844943 | computer1 |
| 457 | 844381 | sergey |
| 458 | 843811 | shadow1 |
| 459 | 843156 | brandon1 |
| 460 | 842011 | 123asd |
| 461 | 841738 | chester |
| 462 | 841369 | lalala |
| 463 | 840517 | 6V21wbgad |
| 464 | 840027 | caroline |
| 465 | 838734 | ! |
| 466 | 838530 | monica |
| 467 | 836436 | 666 |
| 468 | 835067 | 124578 |
| 469 | 833303 | sebastian |
| 470 | 831288 | booboo |
| 471 | 829658 | patricia |
| 472 | 827821 | red123 |
| 473 | 822186 | darkness |
| 474 | 822080 | barbie |
| 475 | 821228 | adrian |
| 476 | 818128 | 134679 |
| 477 | 817645 | 1122334455 |
| 478 | 816814 | william1 |
| 479 | 816038 | november |
| 480 | 815414 | dragon1 |
| 481 | 814717 | midnight |
| 482 | 813599 | 123hfjdk147 |
| 483 | 812196 | 753951 |
| 484 | 811539 | passwort |
| 485 | 811066 | 1234512345 |
| 486 | 810358 | sakura |
| 487 | 807087 | 421uiopy258 |
| 488 | 806999 | 135790 |
| 489 | 805711 | jeremy |
| 490 | 805527 | asdasdasd |
| 491 | 805097 | creative |
| 492 | 805004 | heather |
| 493 | 804123 | xxx |
| 494 | 802240 | 123456abc |
| 495 | 801101 | playboy |
| 496 | 800754 | lollol |
| 497 | 792056 | asdfghjk |
| 498 | 791262 | friend |
| 499 | 791154 | tinkerbell |
| 500 | 790691 | johnny |
| 501 | 786324 | 1qaz@WSX |
| 502 | 785580 | nothing |
| 503 | 783943 | ashley1 |
| 504 | 783610 | rebecca |
| 505 | 783442 | poop |
| 506 | 781482 | fucker |
| 507 | 779523 | Tnk0Mk16VX |
| 508 | 777802 | louise |
| 509 | 777242 | olivia |
| 510 | 777205 | qazqaz |
| 511 | 775960 | lovelove |
| 512 | 772187 | guitar |
| 513 | 771007 | 1a2b3c4d |
| 514 | 770984 | a1b2c3 |
| 515 | 770820 | elephant |
| 516 | 766942 | spongebob |
| 517 | 765447 | december |
| 518 | 764961 | user |
| 519 | 764856 | charles |
| 520 | 763856 | jordan1 |
| 521 | 762285 | 12345678a |
| 522 | 760151 | dakota |
| 523 | 760008 | logitech |
| 524 | 759556 | jesus |
| 525 | 759249 | manchester |
| 526 | 758851 | andrey |
| 527 | 758768 | cameron |
| 528 | 758078 | success |
| 529 | 756495 | maverick |
| 530 | 756162 | genius |
| 531 | 756121 | azertyuiop |
| 532 | 753586 | david |
| 533 | 753321 | 9876543210 |
| 534 | 753148 | iw14Fi9j |
| 535 | 752836 | marseille |
| 536 | 751766 | chelsea1 |
| 537 | 750712 | qwert123 |
| 538 | 750574 | hellokitty |
| 539 | 748061 | kristina |
| 540 | 745529 | windows |
| 541 | 745351 | veronica |
| 542 | 744726 | chris1 |
| 543 | 742692 | fuckme |
| 544 | 742011 | 10101 |
| 545 | 738916 | hotmail |
| 546 | 737828 | jasmine1 |
| 547 | 737749 | dolphin |
| 548 | 736947 | YAgjecc826 |
| 549 | 734254 | 741852 |
| 550 | 733176 | sweety |
| 551 | 733099 | awesome |
| 552 | 732323 | michelle1 |
| 553 | 731578 | 55555555 |
| 554 | 729209 | warcraft |
| 555 | 728930 | anhyeuem |
| 556 | 727953 | nicole1 |
| 557 | 727576 | dallas |
| 558 | 727058 | a1234567 |
| 559 | 725985 | yankees |
| 560 | 725630 | compaq |
| 561 | 725396 | hardcore |
| 562 | 723782 | 123456s |
| 563 | 722396 | qwerty1234 |
| 564 | 721771 | marlboro |
| 565 | 721562 | scooby |
| 566 | 721178 | killer1 |
| 567 | 721093 | carolina |
| 568 | 720748 | Bajaonel12 |
| 569 | 720542 | crystal |
| 570 | 720092 | love12 |
| 571 | 719502 | pretty |
| 572 | 718683 | qwert12345 |
| 573 | 718141 | aaaaaaaa |
| 574 | 717339 | garfield |
| 575 | 717113 | hallo123 |
| 576 | 715596 | apples |
| 577 | 715326 | sparky |
| 578 | 714771 | daniel1 |
| 579 | 714572 | 951753 |
| 580 | 713897 | chicken1 |
| 581 | 713517 | swordfish |
| 582 | 713322 | charlotte |
| 583 | 712725 | nintendo |
| 584 | 712226 | happy1 |
| 585 | 712095 | portugal |
| 586 | 710030 | cristina |
| 587 | 709661 | Indya123 |
| 588 | 707765 | winner |
| 589 | 705896 | 29rsavoy |
| 590 | 704018 | camille |
| 591 | 703406 | 123123a |
| 592 | 702052 | newyork |
| 593 | 701516 | badboy |
| 594 | 701373 | melanie |
| 595 | 700366 | stephanie |
| 596 | 699643 | daniela |
| 597 | 699565 | lucky1 |
| 598 | 697303 | 456456 |
| 599 | 696051 | shannon |
| 600 | 693755 | test123 |
| 601 | 693353 | winston |
| 602 | 692741 | myspace |
| 603 | 691695 | tigers |
| 604 | 690973 | toyota |
| 605 | 690622 | twilight |
| 606 | 689907 | cooper |
| 607 | 689284 | paSSword |
| 608 | 688049 | freedom1 |
| 609 | 686273 | leonardo |
| 610 | 684692 | fylhtq |
| 611 | 684630 | jessie |
| 612 | 684584 | 123454321 |
| 613 | 684156 | manuel |
| 614 | 684002 | september |
| 615 | 682732 | 123456qwe |
| 616 | 680790 | 963852741 |
| 617 | 680736 | 0 |
| 618 | 679810 | marine |
| 619 | 678796 | 123456m |
| 620 | 678041 | beautiful |
| 621 | 677460 | 123456aa |
| 622 | 677115 | slayer |
| 623 | 676915 | popcorn |
| 624 | 676398 | qqww1122 |
| 625 | 673677 | 321321 |
| 626 | 672671 | inuyasha |
| 627 | 672632 | gemini |
| 628 | 672305 | zxcvbnm1 |
| 629 | 670782 | hunter1 |
| 630 | 670130 | motorola |
| 631 | 669011 | muffin |
| 632 | 668943 | 246810 |
| 633 | 668934 | tweety |
| 634 | 666577 | nks230kjs82 |
| 635 | 662472 | lakers |
| 636 | 661244 | claudia |
| 637 | 660134 | Gmail |
| 638 | 656110 | rangers |
| 639 | 656042 | heaven |
| 640 | 654605 | ranger |
| 641 | 653853 | 77777777 |
| 642 | 653652 | vfhbyf |
| 643 | 653463 | chocolate1 |
| 644 | 653049 | testing |
| 645 | 652971 | 202020 |
| 646 | 652745 | peaches |
| 647 | 651893 | vfrcbv |
| 648 | 651203 | isabelle |
| 649 | 650912 | 110110jp |
| 650 | 650823 | cherry |
| 651 | 650655 | nastya |
| 652 | 650624 | lolita |
| 653 | 648854 | chouchou |
| 654 | 648676 | greenday |
| 655 | 648196 | jackie |
| 656 | 647907 | 151515 |
| 657 | 646771 | angelina |
| 658 | 646431 | albert |
| 659 | 646354 | |
| 660 | 646286 | money |
| 661 | 646264 | qwerasdf |
| 662 | 645285 | poohbear |
| 663 | 644542 | james1 |
| 664 | 644380 | samson |
| 665 | 644277 | flowers |
| 666 | 644130 | alex |
| 667 | 643442 | andrew1 |
| 668 | 643214 | fktrcfylh |
| 669 | 642723 | pass123 |
| 670 | 640609 | karina |
| 671 | 639960 | steelers |
| 672 | 639907 | 54321 |
| 673 | 639708 | 1123581321 |
| 674 | 639451 | 1a2b3c |
| 675 | 639144 | mustang1 |
| 676 | 638640 | lol |
| 677 | 638103 | passer2009 |
| 678 | 637431 | tiffany |
| 679 | 636995 | rabbit |
| 680 | 636984 | bonjour |
| 681 | 636209 | dIWtgm8492 |
| 682 | 635851 | kitten |
| 683 | 635474 | police |
| 684 | 634315 | 123321123 |
| 685 | 633734 | jennifer1 |
| 686 | 633553 | asdfjkl |
| 687 | 632655 | sasuke |
| 688 | 631162 | dexter |
| 689 | 630566 | angelo |
| 690 | 630432 | winter |
| 691 | 629686 | boomer |
| 692 | 628952 | hiphop |
| 693 | 627850 | scorpio |
| 694 | 627718 | precious |
| 695 | 627528 | icecream |
| 696 | 626892 | madison1 |
| 697 | 626847 | lollipop |
| 698 | 625782 | 7007 |
| 699 | 625324 | 192837465 |
| 700 | 624956 | martina |
| 701 | 624717 | 123698745 |
| 702 | 624711 | 123451 |
| 703 | 622859 | buddy1 |
| 704 | 622642 | 111222333 |
| 705 | 622427 | 22222222 |
| 706 | 622269 | justin1 |
| 707 | 620229 | james |
| 708 | 619654 | amanda1 |
| 709 | 619019 | carmen |
| 710 | 618837 | music |
| 711 | 618320 | yuantuo |
| 712 | 618039 | YUANTUO2012 |
| 713 | 617939 | samsung1 |
| 714 | 617716 | simone |
| 715 | 615183 | evildick |
| 716 | 614192 | qw123 |
| 717 | 613538 | murphy |
| 718 | 611618 | diamond1 |
| 719 | 610518 | samantha1 |
| 720 | 607233 | jackass |
| 721 | 607027 | isabella |
| 722 | 606405 | butterfly1 |
| 723 | 604467 | valentin |
| 724 | 603871 | 111111a |
| 725 | 603141 | arsenal1 |
| 726 | 602881 | 0 |
| 727 | 602748 | Р’С…РѕРґ |
| 728 | 602660 | mommy1 |
| 729 | 602437 | brandy |
| 730 | 602311 | arthur |
| 731 | 601826 | barney |
| 732 | 600919 | kimberly |
| 733 | 600508 | player |
| 734 | 599966 | fernando |
| 735 | 597778 | pass |
| 736 | 597230 | purple1 |
| 737 | 596866 | snickers |
| 738 | 596644 | america1 |
| 739 | 594349 | 123456b |
| 740 | 593014 | |
| 741 | 592324 | miguel |
| 742 | 591971 | mnbvcxz |
| 743 | 591563 | 666999 |
| 744 | 591220 | august |
| 745 | 590574 | 18atcskD2W |
| 746 | 590465 | fyfcnfcbz |
| 747 | 590422 | !~!1 |
| 748 | 589993 | robert1 |
| 749 | 589637 | 789789 |
| 750 | 588816 | H1xp2z2duK |
| 751 | 588347 | svetlana |
| 752 | 587880 | coffee |
| 753 | 587480 | mexico |
| 754 | 586843 | PASSWORD |
| 755 | 586657 | christine |
| 756 | 586309 | abc123456 |
| 757 | 585511 | poopoo |
| 758 | 585463 | chris |
| 759 | 585136 | q12345 |
| 760 | 584865 | barbara |
| 761 | 584804 | $HEX |
| 762 | 584799 | 123456z |
| 763 | 584679 | bonnie |
| 764 | 584065 | yfnfif |
| 765 | 583986 | emmanuel |
| 766 | 583964 | denise |
| 767 | 583772 | NF |
| 768 | 583693 | corvette |
| 769 | 583412 | 123456d |
| 770 | 582893 | patrick1 |
| 771 | 582409 | vladimir |
| 772 | 582403 | porsche |
| 773 | 581665 | softball |
| 774 | 580835 | 141414 |
| 775 | 580381 | david1 |
| 776 | 580138 | eagles |
| 777 | 579754 | hannah1 |
| 778 | 579235 | alexander1 |
| 779 | 579145 | hottie |
| 780 | 578244 | alyssa |
| 781 | 578018 | asdf123 |
| 782 | 575639 | india123 |
| 783 | 575427 | qwert1 |
| 784 | 574769 | 147896325 |
| 785 | 574485 | 454545 |
| 786 | 574338 | golden |
| 787 | 574252 | maxwell |
| 788 | 573753 | trinity |
| 789 | 573302 | aaaaa |
| 790 | 573103 | roberto |
| 791 | 572959 | fishing |
| 792 | 572748 | 555666 |
| 793 | 572740 | snowball |
| 794 | 572392 | 12345 |
| 795 | 572315 | qwerty321 |
| 796 | 572112 | brittany |
| 797 | 571745 | october |
| 798 | 571355 | bismillah |
| 799 | 571160 | beauty |
| 800 | 570008 | 9379992 |
| 801 | 569758 | fluffy |
| 802 | 569294 | 1password |
| 803 | 568899 | friendster |
| 804 | 568293 | rockstar |
| 805 | 568200 | cowboys |
| 806 | 567997 | kawasaki |
| 807 | 567428 | stupid |
| 808 | 567013 | horses |
| 809 | 566054 | florida |
| 810 | 565838 | master1 |
| 811 | 565836 | ryan |
| 812 | 565071 | tintin |
| 813 | 564663 | zxcvbnm123 |
| 814 | 564075 | scarface |
| 815 | 563390 | fender |
| 816 | 563271 | starwars1 |
| 817 | 562876 | elizabeth1 |
| 818 | 562187 | turtle |
| 819 | 561878 | q123456 |
| 820 | 561833 | alicia |
| 821 | 561807 | remember |
| 822 | 560609 | natalia |
| 823 | 560087 | cowboy |
| 824 | 558370 | sydney |
| 825 | 558206 | 456852 |
| 826 | 557797 | 1478963 |
| 827 | 557058 | thomas1 |
| 828 | 556999 | fatima |
| 829 | 556651 | alejandro |
| 830 | 556648 | pussy |
| 831 | 555750 | 123qaz |
| 832 | 555306 | andrei |
| 833 | 555123 | hammer |
| 834 | 554900 | simpsons |
| 835 | 554693 | 5555555555 |
| 836 | 554022 | freddy |
| 837 | 553421 | biteme |
| 838 | 553369 | whatever1 |
| 839 | 553358 | vampire |
| 840 | 552264 | buster1 |
| 841 | 551949 | 5555555 |
| 842 | 551108 | natalie |
| 843 | 550920 | 12413 |
| 844 | 550635 | joshua1 |
| 845 | 549964 | pumpkin |
| 846 | 549797 | 21212121 |
| 847 | 549389 | 159159 |
| 848 | 548640 | people |
| 849 | 548377 | s123456 |
| 850 | 548052 | 111111111 |
| 851 | 547494 | 1342 |
| 852 | 547382 | marvin |
| 853 | 546010 | passion |
| 854 | 545904 | maksim |
| 855 | 545700 | newmember |
| 856 | 545653 | asdfg |
| 857 | 545237 | disney |
| 858 | 545031 | ssssss |
| 859 | 544179 | blabla |
| 860 | 543557 | pa55word |
| 861 | 543287 | 1q2w3e4r5 |
| 862 | 542766 | qwer123 |
| 863 | 542556 | shorty |
| 864 | 542449 | z123456 |
| 865 | 542403 | francis |
| 866 | 542350 | bond007 |
| 867 | 541921 | cassie |
| 868 | 541326 | undertaker |
| 869 | 541035 | courtney |
| 870 | 540464 | happy |
| 871 | 540168 | yankees1 |
| 872 | 539404 | 1Fr2rfq7xL |
| 873 | 539392 | Qwerty |
| 874 | 539103 | 123456w |
| 875 | 538598 | willow |
| 876 | 538523 | fashion |
| 877 | 538286 | cookies |
| 878 | 538097 | linkinpark |
| 879 | 537841 | abc12345 |
| 880 | 537761 | gateway |
| 881 | 537547 | cheese1 |
| 882 | 537351 | 123456qwerty |
| 883 | 537120 | iceman |
| 884 | 536880 | heather1 |
| 885 | 536824 | pantera |
| 886 | 536395 | p |
| 887 | 535003 | nissan |
| 888 | 534999 | connor |
| 889 | 534561 | QWERTY |
| 890 | 534538 | superstar |
| 891 | 534394 | asdfghj |
| 892 | 534379 | zaqwsx |
| 893 | 534239 | realmadrid |
| 894 | 534082 | marcus |
| 895 | 533029 | slipknot1 |
| 896 | 532397 | monster1 |
| 897 | 532355 | tigger1 |
| 898 | 532079 | vegeta |
| 899 | 532029 | 90909 |
| 900 | 531765 | hesoyam |
| 901 | 531661 | california |
| 902 | 531408 | 123456789z |
| 903 | 530900 | hola |
| 904 | 530696 | brooklyn |
| 905 | 530636 | dancer |
| 906 | 530520 | richard1 |
| 907 | 530482 | wilson |
| 908 | 530440 | mmmmmm |
| 909 | 529864 | 121314 |
| 910 | 528856 | qwerty7 |
| 911 | 528854 | cookie1 |
| 912 | 528847 | qwer |
| 913 | 527249 | hottie1 |
| 914 | 527236 | aaaa |
| 915 | 527218 | 321654 |
| 916 | 525998 | sayang |
| 917 | 525767 | lorenzo |
| 918 | 525470 | friends1 |
| 919 | 525317 | jackson1 |
| 920 | 524803 | 123456k |
| 921 | 524718 | letmein1 |
| 922 | 524716 | backend |
| 923 | 524327 | hotdog |
| 924 | 523778 | daddy1 |
| 925 | 523365 | pookie |
| 926 | 523190 | m123456 |
| 927 | 523179 | chicago |
| 928 | 522193 | onelove |
| 929 | 522030 | monika |
| 930 | 522014 | admin |
| 931 | 521086 | francesco |
| 932 | 520617 | boston |
| 933 | 520109 | christ |
| 934 | 519997 | bulldog |
| 935 | 519799 | i |
| 936 | 519612 | simple |
| 937 | 519329 | spongebob1 |
| 938 | 518776 | 123456654321 |
| 939 | 518518 | qwertz |
| 940 | 518240 | pierre |
| 941 | 517645 | asdf12345 |
| 942 | 517376 | lastfm |
| 943 | 516959 | lovely1 |
| 944 | 516770 | music1 |
| 945 | 516681 | 100 |
| 946 | 516596 | melissa1 |
| 947 | 516276 | sniper |
| 948 | 516142 | asdasd5 |
| 949 | 515923 | alessandro |
| 950 | 515707 | student |
| 951 | 515681 | naruto1 |
| 952 | 515281 | catherine |
| 953 | 514221 | rr123456rr |
| 954 | 513958 | jerome |
| 955 | 513418 | bubbles1 |
| 956 | 511981 | 1qa2ws3ed |
| 957 | 511651 | 123456c |
| 958 | 511375 | qweasd123 |
| 959 | 511309 | 1234567q |
| 960 | 511303 | aleksandr |
| 961 | 511293 | 242424 |
| 962 | 510915 | taylor1 |
| 963 | 510824 | |
| 964 | 510760 | giovanni |
| 965 | 510700 | kirill |
| 966 | 510353 | cambiami |
| 967 | 510321 | tamara |
| 968 | 509908 | |
| 969 | 509731 | miller |
| 970 | 509613 | pamela |
| 971 | 509180 | harley1 |
| 972 | 508466 | teresa |
| 973 | 508339 | chocolat |
| 974 | 508295 | 3odi15ngxb |
| 975 | 508086 | falcon |
| 976 | 506680 | santiago |
| 977 | 506559 | a1s2d3f4 |
| 978 | 506403 | christopher |
| 979 | 505901 | please |
| 980 | 505749 | qq123456 |
| 981 | 505497 | claire |
| 982 | 505148 | cjkysirj |
| 983 | 504832 | pikachu |
| 984 | 504551 | cool |
| 985 | 504271 | 1212 |
| 986 | 504050 | 7895123 |
| 987 | 503879 | 1234560 |
| 988 | 503747 | family1 |
| 989 | 503133 | shelby |
| 990 | 502308 | iloveme |
| 991 | 501715 | runescape |
| 992 | 500815 | krishna |
| 993 | 500633 | rammstein |
| 994 | 500585 | kenneth |
| 995 | 500443 | raiders |
| 996 | 500108 | shopping |
| 997 | 499791 | coucou |
| 998 | 499636 | bullshit |
| 999 | 498982 | paradise |
| 1000 | 498401 | blahblah |
As can be seen from the table above, the top passwords are horrific. Passwords further down the list seem to be personal in nature as passwords tend to be the names of family members, and other meaningful names. What is also interesting is that many of the passwords, (especially the passwords further down the list) conform to password composition rules enforced by many organizations.
Strong password policies
As seen in the top 1000 password list, there are many guessable passwords that can easily be deduced from a person’s social media profile (like the name of a child or pet). To overcome the problem of easily guessable passwords, organizations enforce password policies. The screenshot below shows an actual password policy of a well-known online system. We have all seen policies like these – some policies are more permissive while and others are more restrictive.
Having a password policy will, at the very least, force users not to use an exceptionally poor password. However, users adapt as password policies adapt. In organisations with strong password policies it’s not uncommon for users to choose a password that conforms to the password policy but is still easy to crack. For example, the password September2019! conforms to the password policy shown above, yet the password follows a predictable pattern that is (unsurprisingly) popular in organisations where password composition policies are enforced, making it a poor password.
A more interesting side-effect of password policies is that strict password policies may reduce the brute-force search space, should an attacker choose to try every possible password combination. For example, we know that all individuals with password conforming to the password policy above will have passwords that are between 8 and 16 characters. We know that each password will contain at least one number and one special character.
Assuming that the password composition policy discussed above is used, an attacker performing a brute-force attack to uncover passwords does not have to evaluate 123456789012345, abcdefghijklmno, or !@#$%^&*()!@#$%^ as these combinations do not conform to the password composition policy. However, if the password composition policy did not exist, then these combinations need to be evaluated as well. Theoretically speaking a password policy can help to reduce the size of the password search space, thereby making it possible (in theory) for the attacker to find the password, using a brute-force attack, with less effort.
Before we go any further, we need to discuss how such an attack would work. Brute-forcing an actual login service is unlikely to yield any meaningful results as accounts are typically locked after a few unsuccessful login attempts. Knowledge of the password policy becomes useful after a system compromise when a password database has been dumped. Passwords are typically salted and hashed when stored in a database. This means that passwords are stored in a way which makes it very difficult to determine what the actual passwords are.
When a hashed password database is stolen, it is possible to recover passwords using a process called de-hashing. De-hashing is typically performed by calculating the hashes for brute-force password combinations and comparing the hashes produced by the process to a hashes stored in the database. This is a time-consuming process (especially for salted hashes) as all possible password combinations will in concept have to be tested unless some information about the stored password is available to reduce the size of the password search space. As luck might have it, a password policy assists an attacker by reducing the brute-force password search space size, thereby allowing an attacker to de-hash password quicker.
How do we solve this problem?
Think about the problem – a hashed password (under normal conditions) has a fixed length. Increasing the length of a password has no impact on the storage requirement of the password hash as the hash length is concept always the same (ignoring salt, encoding, and padding issues). The question that we all need to ask ourselves is if enforcing an upper-bound on a password length is sensible.
For example, a password like “I love computers, but I hate stinky cheese.” is a better password than “September2019!”, yet it does not conform to the password policy discussed earlier as it is more than 16 characters in length and it does not contain a number.
The longer password contains no forced characters, no forced symbols, and it’s easy to remember. The brute-force search space increased drastically since the password is very long (and assumptions cannot be made about the content of the password). In short – an attacker wastes a lot of time and effort to de-hash the password.
SHA256 hashes of two passwords with different lengths. Both hashes have the same length.
In the NIST Special Publication 800-63B, NIST discussed password policy recommendations. What is interesting about the recommendations is that the recommendations are different from what most organizations are doing at this moment in time.
The most important parts are:
- Password needs to be at least 8 characters in length up to at least 64 characters.
- Password composition rules should not be enforced.
- Password changes should be enforced when it is evident that passwords were compromised.
- Passwords should be checked against dictionaries and passwords found in previous password breaches. Passwords found in these dictionaries should not be allowed.
- Password strength meters should guide users when creating passwords.
The specification also discusses many other details as well, so be sure to read it. The most interesting thing about password composition rules is that almost all organizations are using them as they are widely believed to work. However, as discussed in this article, a good password is not necessarily a password that conforms to strict composition rules.
Breached password database
Crimson Wall’s vision and mission statement show our commitment to improving the state of information security for everyone.
We created a dataset containing the 10,000,000 most popular passwords found in the password collections (sorted by popularity). We are making the dataset freely available for download. The dataset can be used, among others things, to perform breached password validations.
The dataset is updated from time-to-time as we find more de-hashed password databases, so be sure to check for updates.