What do “hack,” “root,” “pass,” and “hax” have in common? They are all pretty pathetic as passwords, but they are hackers’ favorite passwords just the same.
When looking at passwords in general, “123456” overtook “password” as the most common password in 2013, yet the usual horrible suspects were still found among the top 25 most commonly used, and worst, passwords. You might think hackers would know better, but apparently they are no better than regular Joes and Janes when it comes to choosing passwords.
About 2,000 passwords belonging to hackers were leaked this week, revealing that “hackers use weak passwords just like the rest of us,” Antonín Hýža wrote on the Avast blog.
After deciding to find out how strong hackers’ passwords were, Hýža started with 40,000 samples of passwords from backdoors, bots and shells that Avast has collected over the years. Of the 40,000, only about “2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes.”
Here are some of Hýža’s findings:
- 58% of hackers’ passwords contained only the lower-case alphabet characters a-z. The most common lower-case letter was “a”; the least used were f, j, v, w, y and z.
- Only 20% of hackers’ passwords used lower-case letters combined with numbers.
- Upper-case letters were rarely used, but when used they were either the first letter in the passwords or the entire password was shouting in CAPS LOCK. 5% combined upper-case and lower-case letters.
- A lowly 2% of hackers’ passwords used a mixture of lower case, upper case and numbers.
- 30% of the passwords used numbers, with “1” as the most commonly used numeral.
- A mere 6% bothered to include special characters. Hýža found that the following special characters were not used at all: , = ~ | [ ]
Size does matter; don’t believe it if anyone tells you otherwise. The average password length for hackers was 6 characters. Only 52 passwords were longer than 12 characters.
Roughly 10% of hackers’ passwords were strong enough that they couldn’t be cracked. One of the good ones was 75 characters long; others were passphrases in sentence form mixed with special characters, such as “lol dont try cracking 12 char+” … but sadly that one was stored in plain text.
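The findings above are the output of a simple composition audit: for each password, record which character classes it uses, its length, and whether it is a known default, then aggregate. The script below is an added example of that audit, not Avast’s or Hýža’s own code, and it runs over a small constructed sample list rather than the leaked data set; the default-password list is the one the article quotes (r57, c99, password, yourpass). It generalizes the list slightly by also recording whether upper-case letters appear only as the first character or as a whole CAPS LOCK password, the two patterns the findings describe.

```python
"""Password-composition audit modelled on the Avast findings quoted above.
Added example: this is not Avast's or Hýža's code, and the sample list is
constructed for illustration, not the leaked data set."""
import string
from collections import Counter
from statistics import mean

# Constructed sample (not the leaked passwords); it includes the defaults and
# the long passphrase the article mentions so every category is exercised.
SAMPLE_PASSWORDS = [
    "hack", "root", "hax", "hacker1", "Password", "ROOT", "Ab12cd",
    "r57", "yourpass", "l33t!", "lol dont try cracking 12 char+", "Tr0ub4dor&3",
]

# Default credentials the article says many PHP shells still carried.
DEFAULT_SHELL_PASSWORDS = {"r57", "c99", "password", "yourpass"}


def is_special(c: str) -> bool:
    """Anything that is not a letter or digit counts as special, space included."""
    return not c.isalnum()


def upper_case_style(pw: str):
    """'all' for CAPS LOCK, 'first' if only the first character is upper-case,
    'mixed' for anything else, None if there are no upper-case letters."""
    uppers = [c for c in pw if c in string.ascii_uppercase]
    if not uppers:
        return None
    letters = [c for c in pw if c.isalpha()]
    if len(uppers) == len(letters):
        return "all"
    if len(uppers) == 1 and pw[0] in string.ascii_uppercase:
        return "first"
    return "mixed"


def classify(pw: str) -> dict:
    """Character-class facts for one password, matching the findings list."""
    lower = any(c in string.ascii_lowercase for c in pw)
    upper = any(c in string.ascii_uppercase for c in pw)
    digit = any(c in string.digits for c in pw)
    special = any(is_special(c) for c in pw)
    return {
        "lower_only": lower and not (upper or digit or special),
        "lower_and_digits": lower and digit and not (upper or special),
        "has_upper": upper,
        "upper_style": upper_case_style(pw),
        "lower_upper_digit": lower and upper and digit,
        "has_digit": digit,
        "has_special": special,
        "length": len(pw),
        "is_default": pw.lower() in DEFAULT_SHELL_PASSWORDS,
    }


def audit(passwords):
    """Aggregate per-password facts into the kind of figures Hýža reported."""
    n = len(passwords)
    facts = [classify(p) for p in passwords]

    def pct(key):
        return round(100 * sum(1 for f in facts if f[key]) / n, 1)

    letters = Counter(c for p in passwords for c in p if c in string.ascii_lowercase)
    return {
        "count": n,
        "pct_lower_only": pct("lower_only"),
        "pct_lower_and_digits": pct("lower_and_digits"),
        "pct_has_upper": pct("has_upper"),
        "upper_styles": Counter(f["upper_style"] for f in facts if f["upper_style"]),
        "pct_lower_upper_digit": pct("lower_upper_digit"),
        "pct_has_digit": pct("has_digit"),
        "pct_has_special": pct("has_special"),
        "avg_length": mean(f["length"] for f in facts),
        "longer_than_12": sum(1 for f in facts if f["length"] > 12),
        "defaults": sorted(p for p, f in zip(passwords, facts) if f["is_default"]),
        "most_common_letter": letters.most_common(1)[0][0] if letters else None,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Run against a real export the same way (one password per line read into the list), the `defaults` entry is the part worth acting on first: a shell or bot still carrying its shipped password is the easiest thing on the list to find and fix.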
By now, you may be wondering which password hackers use the most. There were a lot of variations of the words pass and root, and hax was also used many times, but if I omit one common 4-letter word, the most frequently used word in this dictionary is hack. It is worth mentioning that many PHP shells I analyzed had only default passwords like r57, c99, password or yourpass.
Several of the passwords contained leet speak. You can read this – L337, L33T, 1337 – you know you can. So if you are determined to stick with “password” as your password, then at least write it in leet speak, such as: P@5$W0rD5, p455\/\/0RD, P@$$VV0Rd. Need help with your leet-speak password? Try these converters: English to HaXor, L337 converter, or Universal Leet. Better yet, use phrases, because as the Avast analysis shows, h@ck3R$ PIck P@7h37iC p@$sw0rd5 jU$7 lIk3 3V3ry0n3 3L53 (hackers pick pathetic passwords just like everyone else).