As 2019 (and indeed the decade) finally draws to a close, the inevitable effervescing stream of digital marketing and ecommerce “round up” posts surface online once more. As I look forward to 2020 and blogging again a little bit more frequently, I thought hey, why not jump on the bandwagon and do a little bit of a piece myself.
The background
In a former life, I ran a little emulation site dedicated to retro gaming consoles (Nintendo, Sega, Atari, you get the idea). The site ran from 2006 to 2013 (yes admittedly, only a little bit into the last decade) and every user on the site had to create an account, including a password.
At the time of closure (all good things must come to an end), the site had over 446,000 members making this a reasonable sample size. Other than a minimum length of 6 characters, there were no password format requirements.
The site was never hacked (the joys of a secure written-from-scratch codebase), meaning this data has never appeared on any similar posts which typically reference collated lists of hacked account data. The user base was predominantly English speaking (the majority from the USA, but a good chunk from the UK also, and so on).
The methodology
I temporarily reinstated the last copy of the database before the site closed and extracted the most popular passwords via a MySQL query. The passwords were MD5 hashed (not exactly secure I know), so I plugged these into this handy online MD5 tool to convert into the original plain text password.
I excluded one password that directly referenced the name of the site and it’s also worth noting that some of the passwords will, as you’d expect, reference retro gaming given the nature of the site in question.
The results
From 446,708 user accounts, 303,559 (68%) had unique passwords that only appeared once in the database. 32% of users therefore shared a password with at least one other user on the site. The top 50 most popular passwords for users of the site are listed below:
| Rank | Password | % |
| 1 | 123456 | 0.080 |
| 2 | password | 0.046 |
| 3 | qwerty | 0.020 |
| 4 | dragon | 0.017 |
| 5 | 123456789 | 0.016 |
| 6 | 12345 | 0.015 |
| 7 | shadow | 0.015 |
| 8 | pokemon | 0.013 |
| 9 | abc123 | 0.012 |
| 10 | nintendo | 0.012 |
| 11 | 123123 | 0.009 |
| 12 | 12345678 | 0.009 |
| 13 | killer | 0.008 |
| 14 | cheese | 0.008 |
| 15 | 111111 | 0.008 |
| 16 | monkey | 0.008 |
| 17 | computer | 0.007 |
| 18 | superman | 0.006 |
| 19 | slipknot | 0.006 |
| 20 | football | 0.006 |
| 21 | batman | 0.005 |
| 22 | master | 0.005 |
| 23 | fuckyou | 0.005 |
| 24 | megaman | 0.005 |
| 25 | soccer | 0.005 |
| 26 | metallica | 0.005 |
| 27 | 000000 | 0.005 |
| 28 | inuyasha | 0.005 |
| 29 | naruto | 0.005 |
| 30 | chicken | 0.005 |
| 31 | hunter | 0.005 |
| 32 | baseball | 0.005 |
| 33 | starwars | 0.004 |
| 34 | daniel | 0.004 |
| 35 | 1234567 | 0.004 |
| 36 | password1 | 0.004 |
| 37 | michael | 0.004 |
| 38 | jordan | 0.004 |
| 39 | diablo | 0.004 |
| 40 | fuckoff | 0.004 |
| 41 | xbox360 | 0.004 |
| 42 | slayer | 0.004 |
| 43 | matrix | 0.004 |
| 44 | blink182 | 0.004 |
| 45 | thomas | 0.004 |
| 46 | aaaaaa | 0.004 |
| 47 | andrew | 0.004 |
| 48 | poopoo | 0.004 |
| 49 | vegeta | 0.003 |
| 50 | asdfasdf | 0.003 |
If you are using one of the above passwords for anything important, I’d suggest now is probably a very good time to consider changing it 🙂
So there we go, that’s pretty much it for my first real blog post for many years. Be sure to check back in 2020 for some slightly more useful content (hopefully).
0 Comments