Analysis of a leaked password list from a Romanian Site
The password list was leaked through a Google hack (i.e. the information was publicly available).
The site is a Romanian fun/jokes/images site of questionable nature which is reflected (IMHO) in the target audience.
The original leaked corpus contained Name, Email address, Password, Date and IP address.
I will make the anonymized data available as soon as the site owners manage to plug the hole (they have been notified).
The following processing has been applied to the data (all using SQLite):
- Lines with duplicate email addresses have been removed. This reduced the corpus from 39511 to 25650 records (there is more duplication than I expected, I am looking into this issue).
- The accounts were registered between 11/22/03 and 08/27/10 (today), assuming that the server date was correct at all times.
- The 50 most common passwords cover only 15.8% of the total passwords. This means that in 50 tries you have a 1 in 6.3 chance of getting the password right. Here are the 50 most common passwords:
| Password | Occurrences | Explanation |
|---|---|---|
| 123456 | 719 | |
| parola | 259 | password in Romanian |
| 1234 | 189 | |
| andrei | 140 | male name |
| 12345 | 133 | |
| steaua | 130 | Romanian football team |
| dinamo | 125 | rival Romanian football team |
| <SITE NAME> | 104 | |
| qwerty | 100 | |
| 0 | 97 | |
| 12345678 | 87 | |
| 123456789 | 87 | |
| 111111 | 84 | |
| catalin | 77 | male name |
| adrian | 71 | male name |
| alexandru | 69 | male name |
| daniel | 67 | male name |
| bogdan | 64 | male name |
| marius | 63 | male name |
| mihaela | 61 | female name |
| teiubesc | 56 | iloveyou in Romanian |
| mihai | 55 | male name |
| andreea | 54 | female name |
| password | 54 | |
| cristina | 53 | female name |
| george | 53 | male name |
| 123 | 51 | |
| florin | 51 | male name |
| raluca | 50 | female name |
| muie | 49 | Explicit word in Romanian |
| alex | 47 | male name |
| alexandra | 47 | female name |
| 1234567 | 46 | |
| cristi | 46 | male name |
| gabriel | 44 | male name |
| romania | 44 | |
| cristian | 43 | male name |
| ovidiu | 43 | male name |
| anamaria | 41 | female name |
| iubire | 41 | love in Romanian |
| bucuresti | 40 | Bucharest in Romanian |
| qazwsx | 40 | QWERTY keyboard combination |
| iulian | 37 | male name |
| simona | 37 | female name |
| vasile | 37 | male name |
| gigi | 36 | male name |
| madalina | 36 | female name |
| ramona | 36 | female name |
| razvan | 36 | male name |
| 666666 | 35 | |
From here on the analysis is made on a subset of the data of 18558 records. Apparently there was some change in the table structure and the rest of the records lack certain information.
- The average password length is 6.7491 characters, with the longest password being 10 characters. Only about 11% of passwords are less than 5 characters (although, arguably, most passwords are dictionary words). The password length distribution is:
| Length | Number of records |
|---|---|
| 1 | 35 |
| 2 | 72 |
| 3 | 385 |
| 4 | 1613 |
| 5 | 1348 |
| 6 | 5907 |
| 7 | 2785 |
| 8 | 3469 |
| 9 | 1405 |
| 10 | 1539 |
- Could we argue that the average user got slightly more security conscious over the past years? The average password length by year is:
| Year | Number of records | Average password length |
|---|---|---|
| 2003 | 1847 | 6.8012 |
| 2004 | 12528 | 6.7129 |
| 2005 | 2185 | 6.7295 |
| 2006 | 627 | 6.7878 |
| 2007 | 1216 | 7.0312 |
| 2008 | 0 | data missing |
| 2009 | 0 | data missing |
| 2010 | 114 | 7.1754 |
- Let's see if passwords got more complex:
| Year | Passwords with uppercase | Passwords with numbers | Passwords with symbols |
|---|---|---|---|
| 2003 | 2.8% | | |
| 2004 | 2.6% | | |
| 2005 | 2.7% | | |
| 2006 | 2.5% | | |
| 2007 | 3.5% | | |
| 2010 | 6.1% | | |
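
The queries behind the tables above are not shown on the page. The following is an added example (not the author's code) that runs each step, namely email de-duplication, top-N coverage, length distribution and per-year complexity, through Python's `sqlite3` on constructed rows. The `users` table, its column names, the MM/DD/YY date storage and case-insensitive email matching are assumptions.

```python
import sqlite3

# Constructed sample rows: (email, password, registration date as MM/DD/YY).
ROWS = [
    ("a@example.com", "123456", "11/22/03"),
    ("A@example.com", "123456", "01/05/04"),  # same address, different case
    ("b@example.com", "parola", "03/14/04"),
    ("c@example.com", "123456", "06/30/04"),
    ("d@example.com", "Steaua86", "02/11/07"),
    ("e@example.com", "qwerty", "09/01/07"),
    ("f@example.com", "iubire!7", "08/27/10"),
    ("g@example.com", "Parola", "08/27/10"),
]

def load(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT, reg_date TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    # Keep the first record per address; case-insensitive matching is an assumption.
    db.execute("DELETE FROM users WHERE rowid NOT IN "
               "(SELECT MIN(rowid) FROM users GROUP BY lower(email))")
    return db

def top_n_coverage(db, n):
    """Percentage of accounts whose password is among the n most common."""
    return db.execute(
        "SELECT 100.0 * SUM(cnt) / (SELECT COUNT(*) FROM users) FROM "
        "(SELECT COUNT(*) AS cnt FROM users GROUP BY password "
        " ORDER BY cnt DESC, password LIMIT ?)", (n,)).fetchone()[0]

def length_distribution(db):
    return db.execute("SELECT length(password), COUNT(*) FROM users "
                      "GROUP BY 1 ORDER BY 1").fetchall()

def complexity_by_year(db):
    """Per year: records, average length, % with uppercase, digits, symbols."""
    return db.execute("""
        SELECT '20' || substr(reg_date, 7, 2) AS year, COUNT(*),
               ROUND(AVG(length(password)), 4),
               ROUND(100.0 * SUM(password GLOB '*[A-Z]*') / COUNT(*), 1),
               ROUND(100.0 * SUM(password GLOB '*[0-9]*') / COUNT(*), 1),
               ROUND(100.0 * SUM(password GLOB '*[^a-zA-Z0-9]*') / COUNT(*), 1)
        FROM users GROUP BY year ORDER BY year""").fetchall()

if __name__ == "__main__":
    db = load(ROWS)
    print(top_n_coverage(db, 1), length_distribution(db), complexity_by_year(db))
```

`GLOB` is case-sensitive and its ranges are byte-based, so non-ASCII letters such as Romanian diacritics are counted in the symbol class here.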