Password sets
Mark Burnett recently released a set of passwords with an announcement on his blog in the post Today I Am Releasing Ten Million Passwords.
I used Pipal in the past to analyze WordPress login attempts so I decided to run it against this set.
Pipal analyses Ten Million Passwords
It is no surprise to see that the top password is 123456. The top two words used to build passwords are password and qwerty.
The average password length is between 6 and 8 characters long.
Out of all the passwords, 68% use lower case characters or lower case characters with numbers.
Basic Results
Total entries = 9997958
Total unique entries = 5189397
Top 10 passwords
123456 = 55893 (0.56%)
password = 19580 (0.2%)
12345678 = 13582 (0.14%)
qwerty = 13137 (0.13%)
123456789 = 11696 (0.12%)
12345 = 10938 (0.11%)
1234 = 6432 (0.06%)
111111 = 5682 (0.06%)
1234567 = 4796 (0.05%)
dragon = 3927 (0.04%)
Top 10 base words
password = 23717 (0.24%)
qwerty = 19301 (0.19%)
dragon = 6359 (0.06%)
alex = 5187 (0.05%)
love = 5022 (0.05%)
monkey = 4869 (0.05%)
master = 4736 (0.05%)
shadow = 4560 (0.05%)
football = 4338 (0.04%)
michael = 4275 (0.04%)
Password length (length ordered)
3 = 5914 (0.06%)
4 = 345137 (3.45%)
5 = 494992 (4.95%)
6 = 2543974 (25.44%)
7 = 1662849 (16.63%)
8 = 2980862 (29.81%)
9 = 680815 (6.81%)
10 = 471289 (4.71%)
11 = 263466 (2.64%)
12 = 190996 (1.91%)
13 = 135587 (1.36%)
14 = 76975 (0.77%)
15 = 54237 (0.54%)
16 = 40230 (0.4%)
17 = 15294 (0.15%)
18 = 11985 (0.12%)
19 = 7520 (0.08%)
20 = 6232 (0.06%)
21 = 3100 (0.03%)
22 = 2218 (0.02%)
23 = 1297 (0.01%)
24 = 1045 (0.01%)
25 = 574 (0.01%)
26 = 467 (0.0%)
27 = 269 (0.0%)
28 = 263 (0.0%)
29 = 114 (0.0%)
30 = 110 (0.0%)
31 = 41 (0.0%)
32 = 9 (0.0%)
33 = 19 (0.0%)
34 = 15 (0.0%)
35 = 12 (0.0%)
36 = 16 (0.0%)
37 = 11 (0.0%)
38 = 13 (0.0%)
39 = 6 (0.0%)
40 = 3 (0.0%)
41 = 1 (0.0%)
42 = 1 (0.0%)
Password length (count ordered)
8 = 2980862 (29.81%)
6 = 2543974 (25.44%)
7 = 1662849 (16.63%)
9 = 680815 (6.81%)
5 = 494992 (4.95%)
10 = 471289 (4.71%)
4 = 345137 (3.45%)
11 = 263466 (2.64%)
12 = 190996 (1.91%)
13 = 135587 (1.36%)
14 = 76975 (0.77%)
15 = 54237 (0.54%)
16 = 40230 (0.4%)
17 = 15294 (0.15%)
18 = 11985 (0.12%)
19 = 7520 (0.08%)
20 = 6232 (0.06%)
3 = 5914 (0.06%)
21 = 3100 (0.03%)
22 = 2218 (0.02%)
23 = 1297 (0.01%)
24 = 1045 (0.01%)
25 = 574 (0.01%)
26 = 467 (0.0%)
27 = 269 (0.0%)
28 = 263 (0.0%)
29 = 114 (0.0%)
30 = 110 (0.0%)
31 = 41 (0.0%)
33 = 19 (0.0%)
36 = 16 (0.0%)
34 = 15 (0.0%)
38 = 13 (0.0%)
35 = 12 (0.0%)
37 = 11 (0.0%)
32 = 9 (0.0%)
39 = 6 (0.0%)
40 = 3 (0.0%)
41 = 1 (0.0%)
42 = 1 (0.0%)
|
|
| |
| |
| |
| |
| |
|||
|||
|||
|||
|||
||||
||||||
|||||||||
|||||||||||||||||||||||||||||||||||||||||||
0000000000111111111122222222223333333333444
0123456789012345678901234567890123456789012
One to six characters = 3390017 (33.91%)
One to eight characters = 8033728 (80.35'%)
More than eight characters = 1964230 (19.65%)
Only lowercase alpha = 3824547 (38.25%)
Only uppercase alpha = 109258 (1.09%)
Only alpha = 3933805 (39.35%)
Only numeric = 2035160 (20.36%)
First capital last symbol = 3575 (0.04%)
First capital last number = 280357 (2.8%)
Single digit on the end = 726687 (7.27%)
Two digits on the end = 710256 (7.1%)
Three digits on the end = 386494 (3.87%)
Last number
0 = 448299 (4.48%)
1 = 759475 (7.6%)
2 = 486742 (4.87%)
3 = 482103 (4.82%)
4 = 368685 (3.69%)
5 = 397570 (3.98%)
6 = 426426 (4.27%)
7 = 392823 (3.93%)
8 = 373087 (3.73%)
9 = 414844 (4.15%)
|
|
|
|
|
|||
||||
|||| ||| |
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
0123456789
Last digit
1 = 759475 (7.6%)
2 = 486742 (4.87%)
3 = 482103 (4.82%)
0 = 448299 (4.48%)
6 = 426426 (4.27%)
9 = 414844 (4.15%)
5 = 397570 (3.98%)
7 = 392823 (3.93%)
8 = 373087 (3.73%)
4 = 368685 (3.69%)
Last 2 digits (Top 10)
23 = 131855 (1.32%)
00 = 100173 (1.0%)
56 = 94657 (0.95%)
11 = 93828 (0.94%)
12 = 90902 (0.91%)
89 = 75595 (0.76%)
88 = 73343 (0.73%)
77 = 71647 (0.72%)
01 = 69344 (0.69%)
69 = 66182 (0.66%)
Last 3 digits (Top 10)
123 = 97607 (0.98%)
456 = 69948 (0.7%)
000 = 39395 (0.39%)
987 = 32821 (0.33%)
988 = 29334 (0.29%)
986 = 29111 (0.29%)
989 = 28904 (0.29%)
990 = 28506 (0.29%)
234 = 28471 (0.28%)
985 = 28087 (0.28%)
Last 4 digits (Top 10)
3456 = 62296 (0.62%)
1987 = 28182 (0.28%)
1986 = 27292 (0.27%)
1988 = 27123 (0.27%)
1990 = 26422 (0.26%)
1985 = 26228 (0.26%)
1989 = 26203 (0.26%)
1234 = 25733 (0.26%)
1991 = 24952 (0.25%)
1984 = 24253 (0.24%)
Last 5 digits (Top 10)
23456 = 61754 (0.62%)
12345 = 20859 (0.21%)
45678 = 14820 (0.15%)
56789 = 14497 (0.14%)
11111 = 11012 (0.11%)
54321 = 8546 (0.09%)
34567 = 6429 (0.06%)
77777 = 5706 (0.06%)
23123 = 5664 (0.06%)
00000 = 5002 (0.05%)
Character sets
loweralpha: 3824547 (38.25%)
loweralphanum: 2985686 (29.86%)
numeric: 2035160 (20.36%)
mixedalphanum: 570968 (5.71%)
mixedalpha: 251578 (2.52%)
upperalphanum: 110227 (1.1%)
upperalpha: 109258 (1.09%)
loweralphaspecial: 39249 (0.39%)
loweralphaspecialnum: 35475 (0.35%)
mixedalphaspecialnum: 13417 (0.13%)
specialnum: 8167 (0.08%)
mixedalphaspecial: 6641 (0.07%)
upperalphaspecialnum: 1457 (0.01%)
upperalphaspecial: 771 (0.01%)
special: 573 (0.01%)
Character set ordering
allstring: 4185383 (41.86%)
stringdigit: 2173421 (21.74%)
alldigit: 2035160 (20.36%)
digitstring: 549645 (5.5%)
othermask: 524398 (5.25%)
stringdigitstring: 363760 (3.64%)
digitstringdigit: 107776 (1.08%)
stringspecialstring: 33429 (0.33%)
stringspecialdigit: 14935 (0.15%)
stringspecial: 7104 (0.07%)
specialstring: 1766 (0.02%)
specialstringspecial: 608 (0.01%)
allspecial: 573 (0.01%)
How can I monitor my accounts to know if they have been leaked?
The post Ten Million Passwords FAQ provides some background information and a few suggestions on how to monitor your own accounts :
- Create a Google alert for your email address, username, and domain if you have one.
- Create a Pastebin account and set alerts for your email address, username, and domain if you have one.
- Sign up for account monitoring at haveibeenpwned.com, pwnedlist.com, breachalarm.com, canary.pw, or a similar site;
- You can use the online checks of LastPass to verify if your account was in one of the larger database hacks.
