As 2019 (and indeed the decade) finally draws to a close, the inevitable effervescing stream of digital marketing and ecommerce “round up” posts surface online once more. As I look forward to 2020 and blogging again a little bit more frequently, I thought hey, why not jump on the bandwagon and do a little bit of a piece myself.

The background

In a former life, I ran a little emulation site dedicated to retro gaming consoles (Nintendo, Sega, Atari, you get the idea). The site ran from 2006 to 2013 (yes admittedly, only a little bit into the last decade) and every user on the site had to create an account, including a password.

At the time of closure (all good things must come to an end), the site had over 446,000 members, making this a reasonable sample size. Other than a minimum length of 6 characters, there were no password format requirements.

The site was never hacked (the joys of a secure written-from-scratch codebase), meaning this data has never appeared on any similar posts which typically reference collated lists of hacked account data. The user base was predominantly English speaking (the majority from the USA, but a good chunk from the UK also, and so on).

The methodology

I temporarily reinstated the last copy of the database taken before the site closed and extracted the most popular passwords via a MySQL query. The passwords were MD5 hashed (not exactly secure, I know), so I plugged the hashes into a handy online MD5 lookup tool to recover the original plain-text passwords.

I excluded one password that directly referenced the name of the site, and it’s also worth noting that some of the passwords will, as you’d expect, reference retro gaming given the nature of the site in question.
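The extraction above boils down to two steps: count how often each hash appears, then map the most common hashes back to plain text. The following is an added example (not the site's own query or the lookup tool) showing both steps offline in Python on a constructed sample; the point it makes is that with unsalted MD5, identical passwords give identical hashes, so reuse (and the share of accounts with a one-off password) is measurable on the hash column alone, before anything is cracked.

```python
import hashlib
from collections import Counter

# Constructed sample standing in for the site's unsalted MD5 password column.
# These rows are made up for the example; they are not real account data.
SAMPLE_PLAINTEXTS = ["123456", "123456", "123456", "password", "password",
                     "dragon", "nintendo", "correct horse", "hunter2", "megaman"]
SAMPLE_HASHES = [hashlib.md5(p.encode()).hexdigest() for p in SAMPLE_PLAINTEXTS]

# Small constructed wordlist standing in for the online MD5 lookup service.
WORDLIST = ["123456", "password", "qwerty", "dragon", "nintendo", "pokemon"]


def password_stats(hashes, top_n=3):
    """Frequency analysis over unsalted hashes (the MySQL GROUP BY step).

    Equal passwords produce equal unsalted hashes, so reuse is visible without
    knowing a single plain text. Returns a list of (hash, count, percent of
    accounts) for the top_n hashes, plus the fraction of accounts whose hash
    appears exactly once (the "unique password" share from the results).
    """
    counts = Counter(hashes)
    total = len(hashes)
    unique_accounts = sum(1 for c in counts.values() if c == 1)
    top = [(h, c, round(100.0 * c / total, 3)) for h, c in counts.most_common(top_n)]
    return top, unique_accounts / total


def lookup_plaintexts(hashes, wordlist):
    """Offline stand-in for the MD5 lookup tool: hash every candidate word and
    map the digests back. Hashes not covered by the wordlist resolve to None,
    which is exactly why only the popular passwords are ever recovered."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    top, unique_share = password_stats(SAMPLE_HASHES)
    names = lookup_plaintexts([h for h, _, _ in top], WORDLIST)
    for h, c, pct in top:
        print(f"{names[h] or '<not in wordlist>':<20} {c:>3} {pct:.3f}%")
    print(f"accounts with a unique password: {unique_share:.0%}")
```

Salting each hash with a per-user random value would have made the count in `password_stats` meaningless, since the same password would no longer collapse to one hash.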

The results

From 446,708 user accounts, 303,559 (68%) had unique passwords that only appeared once in the database. 32% of users therefore shared a password with at least one other user on the site. The top 50 most popular passwords for users of the site are listed below:

Rank  Password    %
1     123456      0.080
2     password    0.046
3     qwerty      0.020
4     dragon      0.017
5     123456789   0.016
6     12345       0.015
7     shadow      0.015
8     pokemon     0.013
9     abc123      0.012
10    nintendo    0.012
11    123123      0.009
12    12345678    0.009
13    killer      0.008
14    cheese      0.008
15    111111      0.008
16    monkey      0.008
17    computer    0.007
18    superman    0.006
19    slipknot    0.006
20    football    0.006
21    batman      0.005
22    master      0.005
23    fuckyou     0.005
24    megaman     0.005
25    soccer      0.005
26    metallica   0.005
27    000000      0.005
28    inuyasha    0.005
29    naruto      0.005
30    chicken     0.005
31    hunter      0.005
32    baseball    0.005
33    starwars    0.004
34    daniel      0.004
35    1234567     0.004
36    password1   0.004
37    michael     0.004
38    jordan      0.004
39    diablo      0.004
40    fuckoff     0.004
41    xbox360     0.004
42    slayer      0.004
43    matrix      0.004
44    blink182    0.004
45    thomas      0.004
46    aaaaaa      0.004
47    andrew      0.004
48    poopoo      0.004
49    vegeta      0.003
50    asdfasdf    0.003

If you are using one of the above passwords for anything important, I’d suggest now is probably a very good time to consider changing it 🙂

So there we go, that’s pretty much it for my first real blog post for many years. Be sure to check back in 2020 for some slightly more useful content (hopefully).
