In the digital age, passwords serve as the gatekeepers to our virtual lives, safeguarding everything from personal correspondence to financial information. This article provides a detailed exploration of password patterns, incorporating extensive statistics, examples, and insights to paint a full picture of current trends and their implications for security.
This is part 1 of the article, a research work based on the compilation of various research data I found on the internet. Part 2 of the article will be written later and will include data based on my own research analysis of leaked password datasets.
Sequential Simplicity
- Example: “123456”, “abcdef”, “123456789”
- Prevalence: A study by the National Cyber Security Centre (NCSC) in the UK found that “123456” appeared in more than 23 million passwords leaked in data breaches. This sequence, along with its close relatives “123456789” and “12345”, demonstrates our gravitation towards simplicity at the expense of security.
Calendar-Based Choices
- Example: “Sarah1992”, “Grad2008”, “Sarah02121988”
- Prevalence: Roughly 10% of all passwords, often incorporating significant personal or historical dates. Those can be birthdates, anniversaries, graduation dates, etc. The preference for date-based passwords underscores the challenge of creating something both memorable and secure.
Names and Familiar Terms
- Example: “Charlie123”, “Manchester8”, “ashley”, “michael”, “Tiffany”, “Charlie”, “Jordan”, “eva”, “alex”, “anna”, “max”, “leo”, “jack”, “ryan”
- Prevalence: Around 15% of all passwords analyzed incorporate a name, suggesting a deep-rooted inclination to tie our security to our personal lives. The NCSC’s report highlights “ashley” and “michael” among the top 50 passwords, illustrating this trend. The recent NordPass research indicates that some of the most popular names in use, especially among executives, are “Tiffany,” “Charlie,” “Michael,” and “Jordan”.
The stats below show the use of the most popular names in password breaches, from the NordPass study:
The stats based on research by PrivacyCrypts regarding first names in passwords:
In addition, approximately 4.19% of worldwide users incorporate their first name in their passwords. This is a common practice across various countries, with specific percentages noted for Italians (4.13%), Russians (3.79%), and Germans (2.51%) (PrivacyCrypts).
Password Suffixes, Numeric Add-ons and Patterned Numbers
- Example: “Password1”, “hunter2”, “Shadow2023”, “Dragon2024”, “[Username]123”, “alex2010”, “Daniel1987”
- Prevalence: Surveys and analyses of breached password datasets reveal that adding simple numbers at the end of passwords is incredibly common, with estimates suggesting that around 30-40% of all passwords include this practice to some degree; “1” is notably common.
- Specific Add-ons: The number “1” is particularly prevalent, appearing in approximately 15-20% of passwords that include numeric add-ons. Sequences like “123” are also widespread, used in around 10-15% of such cases. Other common numeric suffixes are: 12, 2, 11, 01, 13.
- Non-Numeric Add-ons: Some of the most common password suffixes that are not numbers: “s”, “!”, “e”, “er”, “.”, “y”
Here is a more general picture of the most common password suffixes from credential leaks (source: https://github.com/hypn/common_password_prefixes_and_suffixes):
Xato | rockyou.txt | matrix | dropbox | collection1-6 |
Perhaps less common, but still prevalent, is adding a birth year, birth month or age as a numerical suffix. The chart below by PrivacyCrypts displays some of those stats:
Employer’s Name in Passwords: A Common Corporate Pattern
- Example: “[CompanyName]123”, “[CompanyName]1”, “2024[CompanyName]”, “[CompanyName]”, “[CompanyName]12”
- Prevalence: According to various data/research, from 20 to 37% of US employees use their employer’s name in work-related passwords (Exploding Topics).
Password Lengths Patterns
The length of a password is one of the most straightforward yet impactful factors in its overall security, and here there are patterns too.
- General Password Lengths: Research and analysis of leaked password databases reveal that a significant portion of users still opts for the minimum required length. Approximately 50-60% of passwords are only 8-10 characters long, which often aligns with the minimum length requirements on many platforms.
- Optimal Lengths: Security experts widely recommend passwords to be at least 12-16 characters long for enhanced security. However, only about 10-15% of users adhere to this recommendation, underscoring a gap in adopting best practices.
- Extended Lengths: Passwords exceeding 16 characters are less common, comprising about 5% of passwords. These are typically generated by individuals using password managers or by users who are particularly security-conscious.
Length of Password Suffixes:
- Usage Rates: Approximately 30-40% of passwords incorporate character suffixes to some extent, reflecting a balance between enhancing security and maintaining memorability.
- Length Distribution:
- 1-2 Characters: About 40% of passwords with character suffixes opt for minimal length, adding only 1 or 2 characters, such as “password1!” or “user#”.
- 3-4 Characters: Around 35% extend the suffix length to 3-4 characters, providing a slightly higher security level with combinations like “site2020!” or “login*123”.
- 5-6 Characters: Roughly 15% of such passwords employ longer suffixes of 5-6 characters, incorporating more complex sequences or patterns, e.g., “secure$45T” or “entry_2021!”.
- More than 6 Characters: A smaller fraction, approximately 10%, use even longer suffixes, which often include a mix of numbers, symbols, and case-sensitive letters, indicating a stronger focus on security.
Keyboard Patterns
- Example: “qwerty”, “1qaz2wsx”
- Prevalence: Keyboard patterns account for approximately 8-10% of passwords, showcasing a mix of creativity and predictability. Surprisingly, patterns based on keyboard layouts, such as “qwerty” or “1qaz2wsx”, are quite common; in certain datasets they make up around 8-10% of all passwords. Their popularity underlines the challenge of devising complex passwords that are also easy to remember.
Seasonal and Temporal Influences
- Example: “Winter2021!”, “NewYear2022”, “Summer2023”, “Autumn2022!”, “Winter2024”
- Prevalence: Seasonal references appear in approximately 7% of passwords, often updated yearly to reflect recent events or periods. They are also especially common in corporate environments.
Pop Culture References
- Example: “StarWars1977”, “Tolkien*Ring”, “Batman2020!”, “Liverpool#1”
- Prevalence: Analysis indicates that upwards of 10% of passwords derive from popular culture, including names of sports teams, movie titles, and characters from television shows.
Personal Interests / Hobbies
- Example: “Guitar_hero”, “Runner5k!”
- Prevalence: Around 5% of passwords hint at the user’s hobbies or interests, such as “Guitar_hero” or “Runner5k!”. While these may be more unique than some other patterns, they still suffer from predictability if someone knows the individual well.
Event-Driven Passwords
- Example: “Covid19Pandemic”, “Election2020”, “Olympics2024”, “Brexit2021”
- Prevalence: Event-Driven Passwords capture moments in time that resonate on a global or cultural level. For instance, approximately 2% of passwords in recent datasets were influenced by the COVID-19 pandemic. Overall, analyses of leaked password databases suggest Event-Driven Passwords could constitute approximately 3-5% of all passwords.
Music Lyrics and Band Names in Passwords
- Example: “Nirvana1991”, “QueenRocks!”
- Prevalence: Music-related passwords are estimated to account for approximately 3% of passwords, especially among younger demographics.
Film and Literature References in Passwords
- Example: “DarthVader2024”, “Gatsby1925”
- Prevalence: It’s estimated that around 5% of passwords are inspired by film and literature references.
Purely Random Combinations
- Example: “Y&29!vT#4wq”
- Prevalence: Only 5-10% of passwords, often generated by password managers.
Advanced Patterns and Linguistic Creativity
- Example: Palindromes like “radar”, rhymes like “Time4Dime”
- Prevalence: Advanced patterns and creative linguistic constructs are used in less than 5% of passwords, reflecting a minority trend towards enhanced security.
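As an added example (not code from the article's sources or the cited studies), the following Python check flags the sequential, keyboard, calendar, seasonal, numeric-suffix and employer-name patterns described above at the moment a password is set, so that it can be rejected. The track lists, season names, the 12-character default and the organisation name passed in `org_names` are assumptions chosen for illustration.

```python
import re

# Constructed reference data for this example; extend for other layouts/languages.
SEQUENCES = ["0123456789", "abcdefghijklmnopqrstuvwxyz"]
KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
                  "1qaz2wsx3edc4rfv", "1q2w3e4r5t6y7u8i9o0p"]
SEASONS = ("winter", "spring", "summer", "autumn", "fall", "newyear")
YEAR = re.compile(r"(19|20)\d{2}")
TRAILING = "0123456789!@#$%^&*._-"


def _is_run(s, tracks, min_len=4):
    """True if s is at least min_len long and lies on a track, in either direction."""
    return len(s) >= min_len and any(s in t or s in t[::-1] for t in tracks)


def classify(password, org_names=()):
    """Return the sorted list of predictable patterns found in a candidate password.

    org_names: employer names supplied by the caller (hypothetical, e.g. "Acme").
    """
    p = password.lower()
    base = p.rstrip(TRAILING)      # leading word, e.g. "sarah"
    suffix = p[len(base):]         # trailing digits/symbols, e.g. "1992"
    hits = set()
    if _is_run(p, SEQUENCES):
        hits.add("sequential")
    if _is_run(base, KEYBOARD_WALKS):
        hits.add("keyboard")
    if base.isalpha() and re.fullmatch(r"\d{1,4}[^\w\s]?", suffix):
        hits.add("numeric-suffix")
    if base and YEAR.search(suffix):
        hits.add("calendar")
        if base in SEASONS:
            hits.add("seasonal")
    if any(name.lower() in p for name in org_names if name):
        hits.add("employer-name")
    return sorted(hits)


def is_acceptable(password, org_names=(), min_length=12):
    """Policy decision: long enough and free of every pattern above."""
    return len(password) >= min_length and not classify(password, org_names)
```

A password can match several categories at once: “Winter2021!” is seasonal, calendar-based and carries a numeric suffix, which is why the function returns a list rather than a single label.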
Recent research by NordPass has shown that high-ranking business executives often use simple and easily guessable passwords. Common choices include sequences like “123456” and “password,” demonstrating a surprising lack of complexity even among those in top positions. Names are also a popular choice for passwords among executives, with “Tiffany,” “Charlie,” “Michael,” and “Jordan” being among the most used. This trend underscores the need for stronger password practices in the corporate world to mitigate the risk of data breaches. For more details, visit NordPass.
Additional Stat Data
12.04% of passwords contain special characters.
28.79% of passwords are letters only.
26.16% of passwords are lowercase only.
13.37% of passwords are numbers only.
34.41-40% of all passwords end with digits.
4.522% of all passwords start with digits.
Most Common Passwords
Source: https://github.com/ignis-sec/Pwdb-Public
value|occurrence
123456|5365167
123456789|1962603
password|1155715
qwerty|869933
12345678|702094
12345|678025
123123|455957
111111|447887
1234|442902
1234567890|397290
1234567|390755
abc123|294245
1q2w3e4r5t|276112
q1w2e3r4t5y6|270438
iloveyou|261525
123|258718
000000|250001
123321|211418
1q2w3e4r|204915
qwertyuiop|200973
654321|193016
qwerty123|181233
1qaz2wsx3edc|175216
password1|171975
1qaz2wsx|164090
666666|162208
dragon|156127
ashley|149389
princess|146769
987654321|139225
123qwe|139089
159753|131766
monkey|125244
q1w2e3r4|125233
zxcvbnm|125148
123123123|122326
asdfghjkl|119543
pokemon|119064
football|117109
killer|116711
112233|116662
michael|116380
shadow|115689
121212|113099
daniel|112661
asdasd|112348
qazwsx|111373
1234qwer|110622
superman|110148
123456a|107675
azerty|107254
qwe123|107101
master|106104
7777777|105472
sunshine|105257
N0=Acc3ss|103260
1q2w3e|101368
abcd1234|99446
1234561|97151
computer|96230
fuckyou|93994
aaaaaa|93989
555555|90868
asdfgh|88974
asd123|87805
baseball|87022
0123456789|86742
charlie|85745
123654|85618
qwer1234|85578
naruto|83970
a123456|83920
jessica|83601
soccer|83279
jordan|82941
liverpool|82904
thomas|82850
lol123|81681
michelle|81230
123abc|80416
nicole|78525
11111111|77305
starwars|77208
samsung|76049
1111|75970
secret|75415
joshua|74487
123456789a|73467
andrew|72572
222222|72249
q1w2e3r4t5|72216
147258369|72098
hunter|71394
Password|71300
qazwsxedc|70646
lovely|70227
999999|70160
jennifer|69974
letmein|69537
tigger|69475
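The composition figures under “Additional Stat Data” and the suffix-length buckets under “Length of Password Suffixes” can be recomputed for any list in the value|occurrence format above. The following Python is an added example, not code from the article or from Pwdb-Public; the sample rows use made-up counts, and treating a suffix as the trailing run of non-letters after a word is an assumption.

```python
import re
from collections import Counter

# Constructed sample in value|occurrence format; counts are made up and sum to 100.
SAMPLE = """value|occurrence
123456|50
password|20
qwerty123|10
Password1|10
N0=Acc3ss|5
123456a|5
"""

CHECKS = {
    "special": lambda pw: any(not c.isalnum() for c in pw),
    "letters_only": str.isalpha,
    "lowercase_only": lambda pw: pw.isalpha() and pw.islower(),
    "numbers_only": str.isdigit,
    "ends_with_digit": lambda pw: pw[-1:].isdigit(),
    "starts_with_digit": lambda pw: pw[:1].isdigit(),
}

def parse(text):
    """Return (password, count) pairs; the header and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        value, sep, count = line.rpartition("|")  # a password may itself contain '|'
        if sep and value and count.strip().isdigit():
            rows.append((value, int(count)))
    return rows

def composition(rows):
    """Occurrence-weighted percentage of passwords in each character-class category."""
    total = sum(n for _, n in rows)
    return {name: round(100 * sum(n for pw, n in rows if test(pw)) / total, 2)
            for name, test in CHECKS.items()} if total else {}

def suffix_lengths(rows):
    """Weighted percentage per suffix-length bucket, among word + non-letter-tail passwords."""
    buckets = Counter({"1-2": 0, "3-4": 0, "5-6": 0, ">6": 0})
    for pw, n in rows:
        base = re.sub(r"[^A-Za-z]+$", "", pw)   # strip the trailing non-letter run
        k = len(pw) - len(base)
        if base and k:
            buckets["1-2" if k <= 2 else "3-4" if k <= 4 else "5-6" if k <= 6 else ">6"] += n
    total = sum(buckets.values())
    return {b: round(100 * n / total, 2) for b, n in buckets.items()} if total else {}
```

Weighting by the occurrence column matters: counting each distinct password once would give “123456” the same weight as a password seen only a handful of times.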