
TOP 500 Most Common Passwords

Used Online – FREE Report

Compiled By Steve Lorenzo


Terms and Conditions
LEGAL NOTICE
The Publisher has striven to be as accurate and complete as possible in the creation of
this report, but does not warrant or represent at any time that its contents are
accurate, due to the rapidly changing nature of the Internet.

While all attempts have been made to verify information provided in this publication,
the Publisher assumes no responsibility for errors, omissions, or contrary interpretation
of the subject matter herein. Any perceived slights of specific persons, peoples, or
organizations are unintentional.

In practical advice books, as in anything else in life, there are no guarantees of income.
Readers are cautioned to rely on their own judgment about their individual
circumstances and to act accordingly.

This book is NOT intended for use as a source of legal, business, accounting or financial
advice. All readers are advised to seek services of competent professionals in legal,
business, accounting and finance fields.

You are encouraged to print this book for easy reading.

Offensive Language WARNING!

This report contains offensive language and words related to sex, hate, racism and
more… However, this material has been gathered exclusively from the input of real-world
users and from public sources available on the Internet. The words mentioned above have
been included solely to give you an insight into the minds of the people using them.

I want to impress upon you that they have NOTHING to do with my own views,
language, manners or mindset! If you would be upset by reviewing such offensive
language and related words, I URGE you:

Please refrain from reading further! STOP NOW and close the
document … OR read on – at your own risk.

Table of Contents

Terms and Conditions
  LEGAL NOTICE
  Offensive Language WARNING!
Foreword
The Phishing of MySpace
  Beware of phishing! It just grew bigger these days…
  Recent attempts on Skype…
The Hacking of db.Singles.org
  4chan on FaceBook
  The case of Zak's belongings…
  The car accident – Steven & the homeless…
  The case of pious Sarah & the Reverend…
  The case of HOT Tracy… and the love cave!
  YOU Are in Danger!
  Dangers of database storage type
The Hacking of phpBB
  PHPBB Password Analysis
3 Combined Lists: MySpace + phpBB + Singles.org
  The 250 most common passwords on the combined lists
  Susceptibility to wordlist brute force attack cracking
Statistics from the Hotmail hack
  The frightening deductions
RockYou hack – The 'Godzilla' database
  32,600,000 accounts hacked!!!
  The lesson to learn and your take
What's My Pass? has an even bigger list
  TOP 500 Most Common Passwords Used Online
Recommendations
  Why I think YOU should use an automatic solution to stay safe & protected
  A recommended solution: RoboForm Password Manager & Automatic Form Filler
Sources Used To Assemble This Report
  Use for reference and further research

Foreword

The Internet is a place of both fabulous marvels beyond imagination AND, at the same
time, a dark pit of hidden deceptions, stolen identities and innumerable threats aimed
at YOU, the innocent user/surfer.

Have no doubt!

As we speak, your personal data:

* your name,
* your spouse's name,
* your children's names,
* your pet's name,
* birthdates,
* home address,
* work address … and whatnot …

… may have already fallen into the hands of ill-intentioned modern virtual pirates –
Internet hackers!

Think about THAT!

* Why do you think you're so special?
* Why do you think they would care?
* Why do you think they would spare you if they had the chance to get
  your bank account data?

You are not alone on the Internet …

… at 'least' 32 million other users thought the same … until RockYou was hacked.

Read the frightening tales that follow and draw your own conclusions.

Let me point you in the right direction to start now…

The Phishing of MySpace
October 2006

A phishing attack is essentially a copy of the login page of a given site, controlled by a
hacker who receives the credentials that unsuspecting victims type into the fields on the
page.
Usually, looking closely at the URL in your browser's address bar, you would spot the
difference easily, but hackers are smart people, so they try to outwit you on that too.

A very interesting method was used in the case of the MySpace phishing attack in 2006.

If you pay close attention to the following screenshot, you should notice that the login
table even has a picture to instruct the users where to look before they sign in…
…which WAS replicated on the phishing page.

Because various anti-virus and security products now detect XSS and other devious
redirects and warn you, phishing pages may be detected automatically quite easily these
days.

This hack was very ingeniously devised, though.

The phishing page was HOSTED on MySpace, for God's sake!...

The hacker created an account with the username:

login_home_index_html

… thus MySpace allowed him to have a profile page with the following URL:

http://myspace.com/login_home_index_html

… which proved 'good enough' for their purpose.

This way they tricked 47,380 users before the attack was stopped!

The collected data was forwarded to a web server located in Spain, where the attackers
would harvest it later.

The main takeaway from this analysis is that whenever you are going to input your
credentials into login fields, it is very important to check that you are on a legitimate
page.
TIP: Better to type the root domain name into the browser's address bar yourself, or use a
previously saved bookmark of YOUR OWN – never use a link that you receive in
a message (be it an email, a Skype message, etc.), because you may be tricked into
clicking on a fake link, no matter how cool that link looks.

Beware of phishing! It just grew bigger these days…

Don't read this as if it were just a funny story or a bogeyman tale for bedtime…

Don't trick yourself into thinking:

“This will never happen to me!”

See?.. I am sure all of the above 47k+ people thought the same!

And furthermore, if you think it is a thing of the past…

… just run a search on Google, or even better, on YouTube.

You will be horrified to see how many results you get: how much phishing software
and how many “How To” guides there are, teaching young hacker wannabes the simple
basics of phishing as well as many other hacks.

Recent attempts on Skype…

I am a member of various Skype chat channels – I use Skype extensively to keep in close
contact with friends and business partners from all around the world.

Sadly, I have recently observed an epidemic of phishing attempts on Skype, targeting
less security-aware or knowledgeable people first, sending them messages with links to
click on, under the false pretense that they contain some funny pictures or a 'surprise'.

Normally, no one should click on these, but the twisted mind trick is this…
… after a few attempts, when the hackers manage to get hold of someone's Skype
account, they also get access to the victim's entire contact list and
block that victim's access back to Skype!

As a result, the links spread from your own friends (pretty much like chain
letters or hoax emails work too) – so people have their security shields very low, so
to speak.
This document is not intended to be an extensive course on security, but at least the
minimal concepts should be obvious by now:
* IF you really want to check unsolicited links you receive from ANYBODY, rather
type them into your browser (or not at all) BUT DO NOT CLICK!

The Hacking of db.Singles.org
February 2009

Singles.org, a Christian dating site, was suddenly getting a lot of attention online. A
security flaw was reported and many people (hackers included) swarmed upon it to see
the 'goodies'.

The problem they had was due to an absolutely unforgivable lack of any minimal
security protocols in place.
Singles.org was using – at that time – query-string parameters to identify a user and the
mode the page was displayed in.
As a result, anyone could switch to edit mode without any authentication in place.

The account numbers they used were short (6 digits only), so even an undergraduate
'hacker' could simply generate random numbers to see what came up … and boy, lots
and lots of accounts were coming up!
Once given access to an account, the perpetrator could easily have updated it and started
impersonating the original owner.

The worst thing happened because many of this website's members were in fact using
the same login credentials across platforms.
As such, once a valid username and password combination was obtained, it was also tried
on various other social networking sites, like Twitter and FaceBook, for starters.
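The query-string flaw described above, modelled as a minimal profile-page handler (added example, not the site's code): the vulnerable version takes the account number and page mode from the URL alone, the hardened version decides authorization from the server-side session. The profiles, account numbers and the Request object are constructed for illustration.

```python
"""
Added example, not Singles.org's code: the page mode and account number came
from the query string, so any visitor could open any account in edit mode.
The hardened handler keeps viewing public but ties editing to the session.
Profiles, account numbers and the Request object are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Profile:
    owner: int      # 6-digit account number, as the site used
    bio: str


@dataclass
class Request:
    params: Dict[str, str]              # parsed query string
    session_user: Optional[int] = None  # account of the logged-in user, None if anonymous


def make_profiles() -> Dict[int, Profile]:
    """Constructed sample accounts with short, guessable numbers."""
    return {100001: Profile(100001, "Alice's profile"),
            100002: Profile(100002, "Bob's profile")}


def vulnerable_profile_page(req: Request, profiles: Dict[int, Profile]) -> dict:
    """Trusts ?id=...&mode=edit completely: whoever sends it may edit anyone."""
    profile = profiles.get(int(req.params.get("id", "0")))
    if profile is None:
        return {"status": 404}
    if req.params.get("mode", "view") == "edit":
        profile.bio = req.params.get("bio", profile.bio)
        return {"status": 200, "edited": profile.owner}
    return {"status": 200, "bio": profile.bio}


def hardened_profile_page(req: Request, profiles: Dict[int, Profile]) -> dict:
    """Viewing stays public; editing requires a session that owns the profile."""
    try:
        account = int(req.params.get("id", "0"))
    except ValueError:
        return {"status": 400}
    profile = profiles.get(account)
    if profile is None:
        return {"status": 404}
    if req.params.get("mode", "view") == "edit":
        if req.session_user is None:
            return {"status": 401}      # not logged in
        if req.session_user != profile.owner:
            return {"status": 403}      # logged in as someone else
        profile.bio = req.params.get("bio", profile.bio)
        return {"status": 200, "edited": profile.owner}
    # Guessable account numbers still let anyone enumerate public profiles;
    # the ownership check above is what closes the edit hole.
    return {"status": 200, "bio": profile.bio}
```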

4chan on FaceBook
The hacking group known as '4chan' really did this, its members starting to post racist,
sexist or hateful messages through these channels, impersonating their victims.

The same online group is known to be responsible for hacking former Alaskan governor
Sarah Palin's email account and for spreading hoax news about a spate of celebrity deaths…

This time, however, they only took advantage of others' findings.

Once inside a victim's FaceBook account, the hackers started to 'play' with nasty
messages – some being a bit humorous, but mostly NOT!

In one instance, they superimposed a target's face onto a picture of a naked woman and
published it on her Facebook page; afterwards, they pretended to have uploaded the
wrong picture by mistake.

The case of Zak's belongings…

Another one was when they picked up a conversation and a prayer for someone (Zak)
and jumped in with the question (meant to be funny):

“If he dies, can I have some of his stuff?”

This one is not even so bad after all – kinda like some black humor (although I bet Zak's
relatives weren't quite happy) … BUT the next ones are really nasty!

The car accident – Steven & the homeless…
The hackers got hold of the account of a person called Steven
(no relation to me, folks, ha, ha…)
The 'faked' Steven pretended he had just hit someone (a homeless man) in a car accident
and was trying to cover his tracks, looking for comfort and advice from his FaceBook
friends (kinda stupid, huh?)

Some people were trying to convince Steven to go to the police and report the accident,
while he was 'thinking' of going back to make the body disappear…

The next two cases have strong words and language related to sex – you may skip
OVER them to the next chapter.

The case of pious Sarah & the Reverend…
4chan members chose a woman's profile this time (Sarah), 'pretending' she was drunk…
and talking a bit on the 'dirty' side…

Being initially harvested from Singles.org, the profile was actually that of a religious
woman who would not act like that under any circumstances in real life – BUT wait until
you see the reaction of Reverend Jeffery, who knew Sarah personally…

Unfortunately, this hack was very damaging for Sarah!

The case of HOT Tracy… and the love cave!
This one is absolutely delicious – about the GREAT, long-awaited sex she had
recently with the stallion named Micheal. Enjoy!

Heh!…

YOU Are in Danger!
Of course all these examples – as well as many others that you will find documented on a
blog called The Coffee Desk…
… just helped me prove how dangerous it can be to have your password
harvested from somewhere and then used to access:
* more and more social network accounts,
* maybe your email accounts and, finally,
* PayPal, or
* your bank accounts as well

This is no joke…
You ARE in danger!
(we all are…)

The file 'cristian.txt' (containing the complete list hacked from the Singles.org database)
was shared all around the Internet at the time … and it is reported in the above article
that some of the pictures – posted online by 4chan members directly in a bragging
attempt – contained traces that the hackers were using the logins to access even more
accounts, not only FaceBook…
There were Yahoo mail tabs open in those pics, for instance…

Something very, very dangerous was in progress at the time as well…

While most of the cases were more or less trying to make fun (bad-taste fun maybe, but
still…), there were others desperately trying to make these ones stop!

BUT

Not because they were trying to be the 'Good Jedi' on the right side of “The Force” … in fact
they were upset that their sneaky tactics would be rendered worthless by the uproar on
FaceBook.

You see, they just wanted to silently change the 'secret recovery question' of their
victims' email accounts along with the passwords.

This way, the said victims would completely lose control of everything in their accounts,
without any possibility of future recovery.

As we all know, many websites offer password recovery for lost login credentials, so a
hacker wouldn't need to know or have a list of all your logins,

BUT …
… only that of your main email account.

From there they can start asking for password changes all around the social networks
and really, really 'steal' your online presence from you.

Dangers of database storage type

You should also be aware of the dangers posed by the technical side of password
recovery…
You will notice that there are websites still storing usernames/passwords in their
database in plain text, as opposed to the more advanced hashed/salted approach.

It is very easy to spot these weak-security websites if you go to the 'Lost Password' page
and try that feature.
1. IF you get from them an email containing your password in plain text, that
means the password is stored in plain text in their database too, hence
very dangerous in case the file gets hacked at any time in the future.
2. However, if you get an auto-generated temporary password, or you are instructed
to go to a special page on the website to make a new password because the
old one was reset at the time of your recovery request, that means the site owners
don't have access to the passwords themselves, which are securely stored in hash
form.
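How the two recovery behaviours above look on the server side (added example, not code from the report or from any site it mentions): a store that keeps only salted PBKDF2 hashes has nothing to mail back, so the only recovery it can offer is a short-lived reset link. The work factor, the token lifetime and the in-memory user store are assumptions.

```python
"""
Added example, not from the report or any site it describes. A user store
that keeps salted PBKDF2 hashes cannot mail a password back (case 1 above);
it issues a single-use reset token instead (case 2). Work factor, token
lifetime and the in-memory store are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, NoReturn, Optional, Tuple

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 minimum)
RESET_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def _token_key(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, str] = {}                        # username -> hash
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}  # key -> (user, expiry)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and verify_password(password, stored)

    def mail_password(self, username: str) -> NoReturn:
        """Case 1 above: only a site storing plain text can do this."""
        raise LookupError("password not recoverable: only a salted hash is stored")

    def request_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Case 2 above: issue a single-use token; the old password stays valid."""
        if username not in self.users:
            return None   # caller still shows a generic message (no user enumeration)
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + RESET_TTL_SECONDS
        self.reset_tokens[_token_key(token)] = (username, expiry)
        return token      # sent in the reset link, never stored as-is

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        entry = self.reset_tokens.pop(_token_key(token), None)   # single use
        if entry is None:
            return False
        username, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False
        self.users[username] = hash_password(new_password)
        return True
```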
On top of this, always keep the good habit of using different passwords for different
sites, because

“A chain's strength is given by its weakest link”

Derived from Thomas Reid's Essays on the Intellectual Powers of Man (1786):
"In every chain of reasoning, the evidence of the last conclusion can be no greater
than that of the weakest link of the chain, whatever may be the strength of the rest."

TIP: Bottom line is this:
* Always use a different password for each new account you open, wherever it is
* Never ever use your email account username and/or password anywhere else
* Try to use strong passwords, at least 8 characters in length if not more,
combining various types of characters, numbers and capitalization

If somehow someone gets access to one of your accounts online, they
should be stopped there – don't give them a chance to find other backdoors
to you anywhere else!

The Hacking of phpBB
February 2009

On February 6th, 2009, Robert Graham – CEO of Errata Security – published an article
(on the Dark Reading blog) about the newest hack of the time:

PHPBB Password Analysis

The new security breach was making headlines all around the net at the time.
There were no surprises on the harvested lists. Yet again, lots of people were using the same
type of weak passwords over and over.

* 16% of passwords matched a person's first name

This percentage includes people choosing their own first names or those of
their spouses or children, and people repeating their usernames as passwords.
The most popular first names were:
o Joshua
o Thomas
o Michael and
o Charlie
However, this largely depends on the population sample, hence we see
many English names here, while in another case (the Hotmail phish) there were
more Spanish names present in the analysis.

* 14% of passwords were patterns on the keyboard

Among the most popular were:
o "1234"
o "qwerty"
o "asdf"

* 4% were variations of the word "password"

Here are a few examples:
o "passw0rd"
o "password1"
o "passwd"
o "drowssap" ("password" spelled backwards)

* 4% of passwords appear to reference things nearby
o "samsung"
was a very popular password, maybe because it's the brand name of the
monitor people are looking at when typing…
There are a lot of names of home computers as well, like:
o "dell"
o "packard"
o "apple"
o "pavilion"
o "presario"
o "compaq"

The analysis goes deeper and deeper, but for the purpose of this report it is
enough to note that the password length distribution was as follows:
o 1 character 0.34%
o 2 characters 0.54%
o 3 characters 2.92%
o 4 characters 12.29%
o 5 characters 13.29%
o 6 characters 35.16%
o 7 characters 14.60%
o 8 characters 15.50%
o 9 characters 3.81%
o 10 characters 1.14%
o 11 characters 0.22%

Given that the vast majority of the passwords were, furthermore, dictionary
words, the average length of 6 characters shows a very disturbing trend.

People are still not adequately educated even on the basics of computer and internet security…

It is very easy to devise software that would crack all these passwords in a matter of
hours, 1-2 days at the most – even for quite a large database sample.
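An added example (not Robert Graham's analysis code) that computes the kinds of statistics quoted above over a small constructed sample: the share of passwords that are first names, keyboard patterns or variants of "password", the length distribution, and a rank table of the kind the report prints later. The first-name list, the keyboard rows and the sample are constructed.

```python
"""
Added example, not Robert Graham's analysis code. Classifies a constructed
password sample the way the phpBB analysis above does, then computes the
length distribution and a (rank, %, password, repetitions) table.
The first-name list and the sample are constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed: a tiny stand-in for a real first-name list.
FIRST_NAMES = {"joshua", "thomas", "michael", "charlie", "jennifer", "daniel"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
PASSWORD_WORDS = {"password", "passwd", "pass"}
LEET = str.maketrans("01345@$", "oieasas")   # leetspeak digits/symbols -> letters


def _base(pw: str) -> str:
    """Lower-case and drop trailing digits ('Thomas1' -> 'thomas')."""
    return pw.lower().rstrip("0123456789")


def is_first_name(pw: str, names=FIRST_NAMES) -> bool:
    return _base(pw) in names


def is_keyboard_pattern(pw: str) -> bool:
    p = pw.lower()
    if len(p) < 3:
        return False
    if len(set(p)) == 1:                      # "111111", "aaaaaa"
        return True
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def is_password_variant(pw: str) -> bool:
    p = _base(pw).translate(LEET)             # "passw0rd" -> "password"
    return p in PASSWORD_WORDS or p[::-1] in PASSWORD_WORDS   # "drowssap"


def _pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 2)


def category_rates(pws: List[str]) -> Dict[str, float]:
    """Percentage of the sample in each category (categories may overlap)."""
    n = len(pws)
    return {
        "first_name": _pct(sum(map(is_first_name, pws)), n),
        "keyboard": _pct(sum(map(is_keyboard_pattern, pws)), n),
        "password_variant": _pct(sum(map(is_password_variant, pws)), n),
    }


def length_distribution(pws: List[str]) -> Dict[int, float]:
    counts = Counter(len(p) for p in pws)
    return {k: _pct(v, len(pws)) for k, v in sorted(counts.items())}


def rank_table(pws: List[str], top: int = 10) -> List[Tuple[int, float, str, int]]:
    """Rows of (rank, %, password, repetitions) like the report's combined list."""
    counts = Counter(pws)
    return [(i, _pct(c, len(pws)), pw, c)
            for i, (pw, c) in enumerate(counts.most_common(top), start=1)]


# Constructed sample (24 entries, with the repeats a real leak shows).
SAMPLE = (["123456"] * 3 + ["qwerty"] * 2 + ["letmein"] * 2 +
          ["joshua", "password1", "drowssap", "samsung", "thomas", "asdf",
           "passw0rd", "michael", "1234", "charlie", "dell", "abc123",
           "monkey", "Thomas1", "zxcvbn", "passwd", "dragon"])

if __name__ == "__main__":
    print(category_rates(SAMPLE))
    print(length_distribution(SAMPLE))
    for row in rank_table(SAMPLE, 5):
        print(row)
```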

The Lists of The Most Common Passwords Used Online

3 Combined Lists: MySpace + phpBB + Singles.org

Guys, please use the following password lists ONLY for the purpose of AVOIDING
them and not as an inspiration, ok? ☺

The data was gathered, analyzed and presented in a comprehensible form by Jimmy
Ruska on his blog (as previously stated):

The 250 most common passwords on the combined lists

Rank % Pass Repetitions Rank % Pass Repetitions
1 1.12 123456 1308 126 0.03 hello1 36
2 0.73 password 854 127 0.03 eminem 36
3 0.35 phpbb 414 128 0.03 dakota 36
4 0.25 qwerty 294 129 0.03 samantha 36
5 0.24 12345 281 130 0.03 compaq 36
6 0.23 jesus 265 131 0.03 diamond 35
7 0.22 12345678 253 132 0.03 taylor 35
8 0.17 1234 195 133 0.03 forum 35
9 0.16 abc123 187 134 0.03 john316 35
10 0.16 letmein 185 135 0.03 richard 34
11 0.13 test 147 136 0.03 blink182 34
12 0.12 love 143 137 0.03 peaches 34
13 0.11 123 133 138 0.03 cool 34
14 0.11 password1 124 139 0.03 flower 34
15 0.1 hello 121 140 0.03 scooter 34

16 0.1 monkey 118 141 0.03 banana 33
17 0.1 dragon 115 142 0.03 james 33
18 0.1 trustno1 112 143 0.03 asdfasdf 33
19 0.09 111111 107 144 0.03 victory 33
20 0.09 iloveyou 105 145 0.03 london 33
21 0.09 1234567 102 146 0.03 123qwe 33
22 0.08 shadow 98 147 0.03 123321 33
23 0.08 123456789 95 148 0.03 startrek 32
24 0.08 christ 95 149 0.03 george 32
25 0.08 sunshine 93 150 0.03 winner 32
26 0.08 master 92 151 0.03 maggie 32
27 0.08 computer 90 152 0.03 trinity 32
28 0.08 princess 88 153 0.03 online 32
29 0.07 tigger 84 154 0.03 123abc 32
30 0.07 football 83 155 0.03 chicken 32
31 0.07 angel 79 156 0.03 junior 32
32 0.07 jesus1 76 157 0.03 chris 32
33 0.07 123123 76 158 0.03 passw0rd 31
34 0.07 whatever 76 159 0.03 austin 31
35 0.06 freedom 74 160 0.03 sparky 31
36 0.06 killer 73 161 0.03 admin 31
37 0.06 asdf 71 162 0.03 merlin 31
38 0.06 soccer 71 163 0.03 google 31
39 0.06 superman 71 164 0.03 friends 31
40 0.06 michael 71 165 0.03 hope 31
41 0.06 cheese 66 166 0.03 shalom 31
42 0.06 internet 65 167 0.03 nintendo 30
43 0.06 joshua 65 168 0.03 looking 30
44 0.05 fuckyou 64 169 0.03 harley 30
45 0.05 blessed 64 170 0.03 smokey 30
46 0.05 baseball 63 171 0.03 7777 30
47 0.05 starwars 59 172 0.03 joseph 30
48 0.05 0 59 173 0.03 lucky 30
49 0.05 purple 58 174 0.03 digital 30
50 0.05 jordan 58 175 0.03 a 30
51 0.05 faith 58 176 0.03 thunder 30
52 0.05 summer 57 177 0.03 spirit 30
53 0.05 ashley 57 178 0.02 bandit 29
54 0.05 buster 56 179 0.02 enter 29

55 0.05 heaven 55 180 0.02 anthony 29
56 0.05 pepper 53 181 0.02 corvette 29
57 0.04 7777777 52 182 0.02 hockey 29
58 0.04 hunter 52 183 0.02 power 29
59 0.04 lovely 51 184 0.02 benjamin 29
60 0.04 andrew 51 185 0.02 iloveyou! 29
61 0.04 thomas 51 186 0.02 1q2w3e 29
62 0.04 angels 51 187 0.02 viper 29
63 0.04 charlie 50 188 0.02 genesis 29
64 0.04 daniel 50 189 0.02 knight 28
65 0.04 1111 49 190 0.02 qwerty1 28
66 0.04 jennifer 49 191 0.02 creative 28
67 0.04 single 49 192 0.02 foobar 28
68 0.04 hannah 49 193 0.02 adidas 28
69 0.04 qazwsx 48 194 0.02 rotimi 28
70 0.04 happy 48 195 0.02 slayer 28
71 0.04 matrix 48 196 0.02 wisdom 28
72 0.04 pass 48 197 0.02 praise 27
73 0.04 aaaaaa 48 198 0.02 zxcvbnm 27
74 0.04 654321 47 199 0.02 samuel 27
75 0.04 amanda 47 200 0.02 mike 27
76 0.04 nothing 47 201 0.02 dallas 27
77 0.04 ginger 46 202 0.02 green 27
78 0.04 mother 46 203 0.02 testtest 27
79 0.04 snoopy 46 204 0.02 maverick 27
80 0.04 jessica 46 205 0.02 onelove 27
81 0.04 welcome 46 206 0.02 david 27
82 0.04 pokemon 45 207 0.02 mylove 27
83 0.04 iloveyou1 45 208 0.02 church 27
84 0.04 11111 45 209 0.02 friend 27
85 0.04 mustang 45 210 0.02 god 27
86 0.04 helpme 45 211 0.02 destiny 27
87 0.04 justin 44 212 0.02 none 26
88 0.04 jasmine 44 213 0.02 microsoft 26
89 0.04 orange 44 214 0.02 222222 26
90 0.04 testing 44 215 0.02 bubbles 26
91 0.04 apple 43 216 0.02 11111111 26
92 0.04 michelle 43 217 0.02 cocacola 26
93 0.04 peace 42 218 0.02 jordan23 26

94 0.04 secret 42 219 0.02 ilovegod 26
95 0.04 1 42 220 0.02 football1 26
96 0.04 grace 42 221 0.02 loving 26
97 0.04 william 42 222 0.02 nathan 26
98 0.04 iloveyou2 41 223 0.02 emmanuel 26
99 0.04 nicole 41 224 0.02 scooby 26
100 0.04 666666 41 225 0.02 fuckoff 26
101 0.04 muffin 41 226 0.02 sammy 26
102 0.04 gateway 41 227 0.02 maxwell 26
103 0.04 fuckyou1 41 228 0.02 jason 25
104 0.03 asshole 40 229 0.02 john 25
105 0.03 hahaha 40 230 0.02 1q2w3e4r 25
106 0.03 poop 40 231 0.02 baby 25
107 0.03 blessing 40 232 0.02 red123 25
108 0.03 blahblah 40 233 0.02 blabla 25
109 0.03 myspace1 39 234 0.02 prince 25
110 0.03 matthew 39 235 0.02 qwert 25
111 0.03 canada 39 236 0.02 chelsea 25
112 0.03 silver 39 237 0.02 55555 25
113 0.03 robert 39 238 0.02 angel1 25
114 0.03 forever 39 239 0.02 hardcore 25
115 0.03 asdfgh 38 240 0.02 dexter 25
116 0.03 rachel 38 241 0.02 saved 25
117 0.03 rainbow 38 242 0.02 112233 25
118 0.03 guitar 38 243 0.02 hallo 25
119 0.03 peanut 37 244 0.02 jasper 25
120 0.03 batman 37 245 0.02 danielle 25
121 0.03 cookie 37 246 0.02 kitten 25
122 0.03 bailey 37 247 0.02 cassie 24
123 0.03 soccer1 37 248 0.02 stella 24
124 0.03 mickey 37 249 0.02 prayer 24
125 0.03 biteme 37 250 0.02 hotdog 24

Susceptibility to wordlist brute force attack cracking

List Used     Singles.org   phpBB   MySpace
First names   5009          4602    854
Dictionary    7200          15739   2163
Milw0rm       10743         20878   4027
Insidepro     14264         19807   2904

The previous table shows the number of passwords from the three lists above that would
have been cracked in a brute force attack using each of the four wordlists presented.

It strongly suggests that such an attack would have revealed appreciable numbers of the
user passwords, due to the weaknesses we have analyzed.

Nowadays, both the software available to crack such a list and the speed of computers
have increased exponentially, so the results would vary considerably (for the worse!).

Statistics from the Hotmail hack
October 2009

Bogdan Calin recently ran a new analysis of over 10,000 Windows Live email accounts
whose credentials were anonymously posted by a hacker on the PasteBin website – the
results have been posted on the Acunetix Security Blog.

We should notice that this time the sample contains far more accounts of Spanish-speaking
people (look at the names!) – so it would be safe to assume that the phishing was
targeted at the Latino community.

Here are the top 20 most common passwords from this sample

(out of the initial 10,028 entries posted, the author cleaned up the list, removing entries
without a password, which resulted in 9,843 valid entries):
1. 123456 – 64 times!!!
2. 123456789 – 18 times!!!
3. alejandra - 11
4. 111111 - 10
5. alberto - 9
6. tequiero - 9
7. alejandro - 9
8. 12345678 - 9
9. 1234567 - 8
10. estrella - 7
11. iloveyou - 7
12. daniel - 7

13. 000000 - 7
14. roberto - 7
15. 654321 - 6
16. bonita - 6
17. sebastian - 6
18. beatriz - 6
19. mariposa - 5
20. america - 5

The frightening deductions

Further analysis conducted by Neil O'Neil – a digital forensics investigator at secure
payments firm The Logic Group – reveals that significant percentages were dates of
birth (some of the weakest types of passwords) as well as common passwords shown in
other lists, like:

* “iloveyou”
and its Spanish equivalent in this case
* “tequiero”

Both of these made it into the top 20 above…

O'Neil also noticed the Latino pattern in the sample.

To make things worse, at a later date – only a few days later – the same hacker posted an
even larger sample of over 30,000 accounts on the same site mentioned initially:
PasteBin.

Studying all the accounts from the first 10,000, Dmitry Evteev from PT Research
noticed that all the entries began with the letters a and b, suggesting that in fact a
much larger database had been taken from Hotmail.

Given the letter frequency distribution in the dictionary and the size of the a-b sample
studied, Evteev deduced that there were probably over 150,000 accounts harvested!

And this is just the beginning…

Even more frightening news emerged on the world wide web lately, exposing yet another
security breach that led to a MASSIVE – millions! – list of usernames/passwords
on the loose…

RockYou hack – The 'Godzilla' database
December 2009

RockYou – the website providing a series of widgets most popular with MySpace and
Facebook users – has been hacked!
So announced Imperva first, followed by the Guardian and a few other blogs.

Imperva said RockYou was hacked using an SQLi (SQL Injection) attack.

This is a very popular technique (as we have seen before in the case of Christians.org)
that works against sites using SQL databases to dynamically create pages for specific
users.
Basically, the hackers insert commands written in the SQL database query
language into the web site's own queries.
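The injection mechanism described above, as an added example (not Imperva's analysis or RockYou's code): the same login lookup written by pasting user input into the query text, and written with bound parameters so the input can never become SQL. It uses an in-memory SQLite database with constructed rows.

```python
"""
Added example, not Imperva's or RockYou's code. The same login lookup two
ways: string concatenation lets quotes in the input rewrite the WHERE
clause; parameter binding sends the input as data only. In-memory SQLite
with constructed rows; passwords are kept in plain text here only to
mirror what the report says about RockYou.
"""
import sqlite3
from typing import Callable, Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct-horse"), ("o'brien", "battery-staple")])
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Builds SQL text from user input: the bug class the report describes."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Binds input as parameters: the driver never parses it as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def breaks(login: Callable, conn: sqlite3.Connection, username: str, password: str) -> bool:
    """True if the lookup raises an SQL error for this input (a legitimate
    apostrophe in a name is enough to break the concatenated version)."""
    try:
        login(conn, username, password)
        return False
    except sqlite3.Error:
        return True
```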

32,600,000 accounts hacked!!!

RockYou posted a press release that tried to hush things up.

Very proud of their 'achievement', the hackers (or was it a lone wolf, maybe?) posted on
the website BayWords a response to that press release – with examples of the data
extracted from RockYou to serve as proof – stating:

“So i was reading this shit about how some lol
company Imperva found a SQLi on Rockyou.com.
Yea, right, you're the best. Too late guys, too late.
I've got every account downloaded from this shitty site.
You were too slow, but what can i expect from you?
There is 32 603 388 customers. Pretty nice list with
plain text passwords. It's so lame, and I'm sure that
more than half does work for myspace and other sites.
Don't lie to your customers, or i will publish
everything”

The highlight is my own 'addition' to the message; the rest is genuine…

The lesson to learn and your take
Some websites are more secure than others, requiring
* longer passwords,
* combinations of letters with signs and numbers,
* certain lengths,
* denying the user's password if it matches the username,
* disallowing the most common dictionary words, etc.
on the one hand…
… while on the other hand being conscious of their own possible internal flaws and
keeping the passwords in salted hash form (not available even to their own admins).

BUT

There are also millions of other websites with much less security in place.

These may be hacked one day, or they may have their hard disks stolen physically, or
whatever…

We should be the only ones continuously aware of the security risks involved, and:
* Never use the same username / password combination twice
* Always use the strongest possible passwords we can come up with
* Not dictionary words
* Not our pet's name
* Or our mother-in-law's
* Neither the latest basketball or rock star's name
* Nor the latest trends in gaming
* Finally, not even the coolest 4-letter word you just learned…
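A password-acceptance check that applies the rules listed above and in the earlier TIP (added example, not from the report or from RoboForm): minimum length, mixed character classes, no username inside it, no personal words such as a pet's or relative's name, and nothing from a common-password list. COMMON_PASSWORDS holds a few entries from the report's own tables; a real deployment loads full breach lists. The rule names and thresholds are assumptions.

```python
"""
Added example, not from the report or RoboForm. Returns the list of rules a
candidate password breaks, so the caller can reject it and tell the user
why. COMMON_PASSWORDS is a constructed subset of the report's tables;
thresholds and rule names are assumptions.
"""
import re
from typing import Iterable, List

# A handful of entries from the report's combined list (constructed subset).
COMMON_PASSWORDS = {
    "123456", "password", "phpbb", "qwerty", "12345", "jesus", "12345678",
    "1234", "abc123", "letmein", "monkey", "dragon", "trustno1", "111111",
    "iloveyou", "football", "master", "sunshine", "princess", "shadow",
}
MIN_LENGTH = 8
MIN_CLASSES = 3
_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _core(pw: str) -> str:
    """'Monkey123!' -> 'monkey': strip decoration a guesser adds automatically."""
    s = re.sub(r"^[^a-z0-9]+", "", pw.lower())        # leading punctuation
    return re.sub(r"[0-9]*[^a-z0-9]*$", "", s)         # trailing digits / punctuation


def check_password(password: str, username: str = "",
                   personal_words: Iterable[str] = ()) -> List[str]:
    """Return the rules the candidate breaks; an empty list means accepted."""
    problems: List[str] = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(c, password)) for c in _CLASSES) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if low in COMMON_PASSWORDS or _core(password) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(username) >= 3 and username.lower() in low:
        problems.append("contains the username")
    for word in personal_words:                        # pet, spouse, favourite star...
        if len(word) >= 3 and word.lower() in low:
            problems.append(f"contains personal word '{word}'")
    if len(set(low)) <= 2:                             # "111111", "aaaaaa"
        problems.append("too few distinct characters")
    return problems
```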

TIP:
I personally use a cool piece of software (it comes as a free download – so nothing to pay
for) that has saved me hours and hours of typing passwords, remembering them (or not!),
and much more (automatically filling fields in web forms for me, etc.), namely
RoboForm (free download).

What's My Pass? has an even bigger list
WhatsMyPass.com is a website that uses various software solutions to help its users
recover lost (forgotten) passwords.

This allows them to have an even larger sample of passwords used by people online,
this time coming from many different websites.

While the TOP doesn't always overlap perfectly, there are some staggering similarities
that show once more (if needed?) how bad the situation is and how dangerously
easy it would be for even a whiz-kid hacker to get access to thousands of accounts all over
the web.

This list contains patterns showing more offensive words and language, probably due to
the fact that some of the accounts must have been from porn sites and similar.

No matter how 'offensive' the word is – it's still stupid – there is a wordlist out
there that contains it.

Here is the list of the

TOP 500 Most Common Passwords Used Online

Among the first 20 entries you will notice many of the ones we have already become
familiar with, like:
* “password”
* “123456”
* “qwerty”
* “letmein”
* “fuckme”
* “pussy”
etc…

No surprises, heh?

Pos Top 1-100 Top 101–200 Top 201–300 Top 301–400 Top 401–500
1 123456 porsche firebird prince rosebud
2 password guitar butter beach jaguar
3 12345678 chelsea united amateur great
4 1234 black turtle 7777777 cool
5 pussy diamond steelers muffin cooper
6 12345 nascar tiffany redsox 1313
7 dragon jackson zxcvbn star scorpio
8 qwerty cameron tomcat testing mountain
9 696969 654321 golf shannon madison
10 mustang computer bond007 murphy 987654
11 letmein amanda bear frank brazil
12 baseball wizard tiger hannah lauren
13 master xxxxxxxx doctor dave japan
14 michael money gateway eagle1 naked
15 football phoenix gators 11111 squirt
16 shadow mickey angel mother stars
17 monkey bailey junior nathan apple
18 abc123 knight thx1138 raiders alexis
19 pass iceman porno steve aaaa
20 fuckme tigers badboy forever bonnie
21 6969 purple debbie angela peaches
22 jordan andrea spider viper jasmine
23 harley horny melissa ou812 kevin
24 ranger dakota booger jake matt
25 iwantu aaaaaa 1212 lovers qwertyui
26 jennifer player flyers suckit danielle
27 hunter sunshine fish gregory beaver
28 fuck morgan porn buddy 4321
29 2000 starwars matrix whatever 4128
30 test boomer teens young runner
31 batman cowboys scooby nicholas swimming
32 trustno1 edward jason lucky dolphin
33 thomas charles walter helpme gordon
34 tigger girls cumshot jackie casper
35 robert booboo boston monica stupid
36 access coffee braves midnight shit
37 love xxxxxx yankee college saturn
38 buster bulldog lover baby gemini
39 1234567 ncc1701 barney cunt apples
40 soccer rabbit victor brian august

41 hockey peanut tucker mark 3333
42 killer john princess startrek canada
43 george johnny mercedes sierra blazer
44 sexy gandalf 5150 leather cumming
45 andrew spanky doggie 232323 hunting
46 charlie winter zzzzzz 4444 kitty
47 superman brandy gunner beavis rainbow
48 asshole compaq horney bigcock 112233
49 fuckyou carlos bubba happy arthur
50 dallas tennis 2112 sophie cream
51 jessica james fred ladies calvin
52 panties mike johnson naughty shaved
53 pepper brandon xxxxx giants surfer
54 1111 fender tits booty samson
55 austin anthony member blonde kelly
56 william blowme boobs fucked paul
57 daniel ferrari donald golden mine
58 golfer cookie bigdaddy 0 king
59 summer chicken bronco fire racing
60 heather maverick penis sandra 5555
61 hammer chicago voyager pookie eagle
62 yankees joseph rangers packers hentai
63 joshua diablo birdie einstein newyork
64 maggie sexsex trouble dolphins little
65 biteme hardcore white 0 redwings
66 enter 666666 topgun chevy smith
67 ashley willie bigtits winston sticky
68 thunder welcome bitches warrior cocacola
69 cowboy chris green sammy animal
70 silver panther super slut broncos
71 richard yamaha qazwsx 8675309 private
72 fucker justin magic zxcvbnm skippy
73 orange banana lakers nipples marvin
74 merlin driver rachel power blondes
75 michelle marine slayer victoria enjoy
76 corvette angels scott asdfgh girl
77 bigdog fishing 2222 vagina apollo
78 cheese david asdf toyota parker
79 matthew maddog video travis qwert
80 121212 hooters london hotdog time
81 patrick wilson 7777 paris sydney
82 martin butthead marlboro rock women
83 freedom dennis srinivas xxxx voodoo
84 ginger fucking internet extreme magnum
85 blowjob captain action redskins juice
86 nicole bigdick carter erotic abgrtyu
87 sparky chester jasper dirty 777777
88 yellow smokey monster ford dreams
89 camaro xavier teresa freddy maxwell
90 secret steven jeremy arsenal music
91 dick viking 11111111 access14 rush2112
92 falcon snoopy bill wolf russia
93 taylor blue crystal nipple scorpion
94 111111 eagles peter iloveyou rebecca
95 131313 winner pussies alex tester
96 123123 samantha cock florida mistress
97 bitch house beer eric phantom
98 hello miller rocket legend billy
99 scooter flower theman movie 6666
100 please jack oliver success albert

Recommendations
Why I think YOU should use an automatic solution to stay safe & protected

Ten years ago we would have visited a handful of websites and called it a day…

Right?

Maybe not quite, but close enough…

Nowadays we have hundreds of websites asking us to log in. Things changed dramatically.

It's not going to get better, but worse. We will soon have to log in to thousands of
websites – it's just natural.

And if I did my job at least half right, by now you must have seen the obvious solution:

We need different passwords on each of these websites, or else we risk having our
online identities stolen from us and used for God knows what criminal activities.
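One way to act on both points, the list above and the rule of a different password for every site, as an added example that is not part of this report (the blocklist subset, the substitution map and the sample credential store are all constructed here): audit a site-to-password store against the common list, catching trivial variants such as a trailing year or leetspeak, and flag any password that guards more than one site.

```python
import re

# Constructed subset of the report's top-500 list; load the full table for real use.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "letmein", "dragon",
    "baseball", "football", "monkey", "abc123", "trustno1", "iloveyou",
}
# Typical "strengthening" substitutions, reversed so variants map back to the base word.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})

def candidates(password):
    """Forms of the password that are compared against the common list."""
    low = password.lower()
    forms = {low, low.translate(_LEET)}
    # Drop trailing digits/punctuation ("monkey1985!" -> "monkey"); an all-digit
    # password such as "123456" would become empty, so it is kept as-is instead.
    stripped = re.sub(r"[\d\W_]+$", "", low)
    if stripped:
        forms.update({stripped, stripped.translate(_LEET)})
    return forms

def is_common(password, blocklist=COMMON_PASSWORDS):
    """True if the password, or a trivial variant of it, is on the common list."""
    return not candidates(password).isdisjoint(blocklist)

def audit_vault(vault):
    """Map each site to its findings ('common', 'reused'); clean sites are omitted."""
    findings = {site: [] for site in vault}
    sites_by_password = {}
    for site, pw in vault.items():
        sites_by_password.setdefault(pw, []).append(site)
        if is_common(pw):
            findings[site].append("common")
    for sites in sites_by_password.values():
        if len(sites) > 1:  # one password guarding several sites
            for site in sites:
                findings[site].append("reused")
    return {site: f for site, f in findings.items() if f}

# Constructed sample store (not real credentials).
SAMPLE_VAULT = {
    "mail.example": "P@ssw0rd1!",    # leet variant of "password"
    "shop.example": "monkey1985",    # list word plus a year
    "bank.example": "Tr0ub4dor&3",   # not list-derived, but reused below
    "forum.example": "Tr0ub4dor&3",
    "news.example": "xK9#vQ2pL!mR",  # unique and not list-derived
}
```

Running `audit_vault(SAMPLE_VAULT)` flags mail and shop as "common" and bank and forum as "reused"; news passes both checks.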

You may choose to use anything, from a slip of paper to a notebook to keep your login
credentials in handwritten form (very insecure) or even some kind of electronic
solution, like creating a file on your computer with all the passwords in it.

However, you will have to keep them close at hand and I can imagine you…
… licking a finger and turning the pages of the notebook, to find
that tricky record that just doesn't want to surface right now…
Well… do what you have to do.

I will stick with what is one of the BEST solutions available.


- Password manager
- Form filler
- Phishing Guard
- All-In-One

While there is a PRO paid version of it that I'm using every day … you don't have to pay
anything if you don't want to.

It comes in a free (limited) version.

I have chosen the paid one to have access to even greater features and extended
capabilities, especially on the side of form filling and mobile usage (you can use it even
from a mobile phone or a USB stick – cute, huh?)

However, the free version will basically cover all the needs you have related to the
dangers depicted in this report.

RoboForm >> FREE Download << RoboForm

A recommended solution: RoboForm Password Manager & Automatic Form Filler

Sources Used To Assemble This Report
Use for reference and further research
- Bruce Schneier on Security Blog
- Jimmy Ruska's Blog
- Stuart Brown's Modern Life Blog
- Robert Graham on Dark Reading Blog
- John Leyden on The Register Blog
- Bogdan Calin on Acunetix Blog
- Dmitry Evteev on PT Research Blog
- admin (sic!) on WhatsMyPass Blog
- Wikipedia, The Free Encyclopedia, on Letter Frequency
