Last updated at Mon, 11 Dec 2023 17:47:41 GMT

I’m always open to suggestions for new things to research with regard to the passwords we’ve cracked, and this one came from my Rapid7 colleague Aaron Herndon. He has noticed on his penetration testing service engagements that some clients have changed their domain password policy’s minimum length to be 12 characters, instead of the eight we more commonly see. He wanted to know what passwords look like when they are 12 characters or longer.

On penetration tests, the three most common passwords are a variation of company name, the season/year, and a variation of “password.” But what happens if we lengthen the password requirement?

The answer is a little bit, but not much.

Finding the top 10 most common passwords

I ran through all the cracked password lists and extracted those that were at least 12 characters long. The result was a total of 37,888 passwords. Of those, 31,029 were unique.

Next, I used Pipal, a password-analyzing tool, to find the 10 most common passwords. The results were interesting: Two out of the three most common passwords still existed!

Here are the top 10 most common passwords, with an “X” replacing characters in a company name and matching case:

  1. Xxxxxxxxx001 (1,198)
  2. Greatplace2work (149)
  3. Password123! (131)
  4. XXXX12345678 (96)
  5. Hairdresser1 (84)
  6. Xxxxxxxxx002 (79)
  7. 1qa2ws3ed4rf (73)
  8. Xxxxxxxxxx01 (57)
  9. Hairdresser1! (57)
  10. Diciembre@2017 (55)

The No. 1 and No. 6 passwords were from the same company and had the same value under the Xs: the company name. These went from a “001” to a “002”. It is possible that the “001” value was the default password new accounts received, then users bumped up the value. To test this theory, I searched the list for additional increments and sure enough, the same company had 11 instances of “003”, six instances of “004”, seven instances of “005”, and four instances of “006”. Apparently only three have gotten to the James Bond level, with “007” appended.

The third most common password was “Password,” but with a variation to meet the longer password requirement: adding the “123!”. The fifth and ninth most common came from a company that was likely involved with hair care.

If the seventh most common password looks random, it isn’t. This is what is referred to as a “keyboard walk”: people use keys that sit next to each other on the keyboard, which makes the password look random while keeping it easy for them to remember.

Look at the keyboard and start with the “1,” then look down. You’ll see the pattern. The “q” and “a” keys are under the “1.” The “w” and “s” keys are under the “2,” the “e” and “d” keys are under the “3,” and the “r” and “f” keys are under the “4.” This is a common pattern we see, along with additional keyboard walks such as “asdfjkl;” or “asdfghjkl;”.
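The walk described above can be detected mechanically by checking how many consecutive character pairs are physical neighbours on a QWERTY layout. The following is an added example, not code from the original post or from Pipal; the four-row layout, the same-column model of “under” (the “q” under the “1”, the “a” under the “q”) and the 0.7 threshold are simplifying assumptions made here.

```python
# Added example (not from the original post): a minimal keyboard-walk scorer.
# Layout is a simplified US QWERTY: four rows, and a key counts as "under"
# the key at the same index in the row above (an assumption made here).
ROWS = [
    "1234567890",
    "qwertyuiop",
    "asdfghjkl;",
    "zxcvbnm,./",
]


def _build_adjacency():
    """Map each key to the set of keys left, right, above and below it."""
    adjacent = {}
    for r, row in enumerate(ROWS):
        for c, key in enumerate(row):
            neighbours = set()
            for dr, dc in ((0, -1), (0, 1), (-1, 0), (1, 0)):
                rr, cc = r + dr, c + dc
                if 0 <= rr < len(ROWS) and 0 <= cc < len(ROWS[rr]):
                    neighbours.add(ROWS[rr][cc])
            adjacent[key] = neighbours
    return adjacent


ADJACENT = _build_adjacency()


def walk_score(password):
    """Fraction of consecutive character pairs that are adjacent keys.

    Case is ignored; a repeated character does not count as a step.
    """
    p = password.lower()
    if len(p) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(p, p[1:]) if b in ADJACENT.get(a, ()))
    return steps / (len(p) - 1)


def is_keyboard_walk(password, threshold=0.7):
    """Flag a password when at least `threshold` of its steps are key neighbours."""
    return walk_score(password) >= threshold


if __name__ == "__main__":
    # Constructed inputs: the post's No. 7 and the two walks named above,
    # plus two non-walks from the top 10 for contrast.
    for candidate in ("1qa2ws3ed4rf", "asdfjkl;", "asdfghjkl;",
                      "Hairdresser1", "Password123!"):
        print(f"{candidate:14s} score={walk_score(candidate):.2f} "
              f"walk={is_keyboard_walk(candidate)}")
```

For “1qa2ws3ed4rf” eight of the eleven steps are neighbours (only the jumps back up to the next digit are not), so it scores 0.73 and is flagged; “Hairdresser1” scores 0.18. A real audit tool would also fold the shifted symbol row (“!@#$”) onto the digits and try the reversed string, which this example leaves out.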

Sticking to the minimum

When we analyze sets of cracked passwords, we notice that the most common password length is very often the minimum required length. Not only that, but the minimum length occurs in more than half of the cracked passwords. When analyzing our 12-character data set, we see the same result:

  • 12 characters (56.02%)
  • 13 characters (23.61%)
  • 14 characters (11.62%)
  • 15 characters (4.47%)
  • 16 characters (2.54%)

The rest drift off into fractions of a percent, but the point is the majority of people will meet exactly the minimum requirement.

Digging into character position

Next, I looked at the patterns we see with regard to character position. In a prior blog post around password security best practices, I noted that we commonly see the first character is an uppercase letter followed by a number of lowercase letters, then two or four digits as the final characters. When looking at our current data set, we can see these patterns have not changed. The following are the top three patterns found:

  1. u-l-l-l-l-l-l-l-d-d-d-d: (7.13%)
  2. u-l-l-l-l-l-l-l-l-d-d-d: (5.36%)
  3. u-l-l-l-l-l-l-l-l-l-d-d: (3.63%)

The pattern holds up, exactly as we’ve seen before. People are still using an uppercase letter for their first character, then a series of lowercase letters, then finishing with a number of digits. These are commonly either the two- or four-digit year, or simply “123”.

Seasonality stands

So, to answer Aaron’s question, not much changes. We still see that people use their company’s name and a variation of “password.” The only thing that didn’t jump into our top 10 was the season/year, likely because these passwords weren’t long enough or had a lot of variations. Just to see the seasonal counts, I did a case-sensitive search for each of the seasons and found the following:

  • Winter (157 results)
  • Summer (153 results)
  • Spring (97 results)
  • Fall (27 results)

Most of these matched what we’ve seen before (i.e., Winter2018) but added extra characters such as two exclamation marks at the end to meet the minimum length requirement. They’re not in the top 10 above, as there were variations with years, case, and the extra characters added.
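The analysis steps in the last three sections (filtering to 12 or more characters, counting unique values, tallying lengths, classifying each character position into a u/l/d/s mask, and the case-sensitive season search) can be reproduced in a few lines. The following is an added example and is not the post’s own tooling or Pipal; the password list it runs over is constructed for the example and is not the post’s data set.

```python
from collections import Counter

# Constructed sample standing in for a cracked-password list (made up for this
# example, shaped like the post's top 10; it is not the post's data). Two entries
# are shorter than 12 characters so the length filter has something to drop.
CRACKED = [
    "Acmecorps001", "Acmecorps001", "Acmecorps002",
    "Password123!", "Winter2018!!", "Summer2019!!",
    "Hairdresser1", "Greatplace2work", "Fall20182018",
    "winter2018!!",             # lowercase: must not match a case-sensitive "Winter"
    "Winter2018", "Acme2019",   # 10 and 8 characters: filtered out
]

SEASONS = ("Winter", "Summer", "Spring", "Fall")


def at_least(passwords, min_len=12):
    """Keep only passwords meeting the minimum length under study."""
    return [p for p in passwords if len(p) >= min_len]


def mask(password):
    """Position mask in the post's notation: u=upper, l=lower, d=digit, s=other."""
    def cls(ch):
        if ch.isupper():
            return "u"
        if ch.islower():
            return "l"
        if ch.isdigit():
            return "d"
        return "s"
    return "-".join(cls(ch) for ch in password)


def length_distribution(passwords):
    """Map each length to its share of the list, as a percentage (2 dp)."""
    counts = Counter(len(p) for p in passwords)
    total = len(passwords)
    return {n: round(100.0 * c / total, 2) for n, c in sorted(counts.items())}


def top_masks(passwords, n=3):
    """Most common position masks with their counts."""
    return Counter(mask(p) for p in passwords).most_common(n)


def top_passwords(passwords, n=10):
    """Most common literal passwords with their counts."""
    return Counter(passwords).most_common(n)


def season_counts(passwords):
    """Case-sensitive substring search for each season name, as in the post."""
    return {s: sum(1 for p in passwords if s in p) for s in SEASONS}


if __name__ == "__main__":
    long_ones = at_least(CRACKED)
    print(f"{len(long_ones)} passwords, {len(set(long_ones))} unique")
    for n, pct in length_distribution(long_ones).items():
        print(f"  {n} characters ({pct}%)")
    for m, c in top_masks(long_ones):
        print(f"  {m}: {c}")
    print(" ", season_counts(long_ones))
```

On the constructed list the filter keeps 10 of 12 entries (9 unique), the company-name-plus-“001” mask comes out on top, and the lowercase “winter2018!!” is not counted, which is exactly why a case-sensitive search undercounts seasons relative to what a cracker’s rule set would try.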

The takeaway

If at this point you’re frustrated because you’ve been told that longer passwords are stronger and this research is showing that people are simply following their old habits, please rest assured that longer passwords are still stronger. At this point in the project, I’ve been able to perform password cracking on more than 50 different hashfiles. While this may not be a very statistically significant number, I am noticing a trend in the results simply based on minimum password length. If the company’s policy is set to the minimum required length of eight characters, cracking more than 60% of the entire hashfile is very common. Once that minimum length reaches even 10 characters, my success level drops in half to around 30%.

This may change with time and experience in finding new techniques for password cracking, but so far, these numbers have been the trend. So, my recommendation would still be to require longer passwords and disallow the common passwords seen here.