We would like to present some statistics based on our current finds of roughly 11.7 million passwords. Firstly, we would like to state that we are predominantly targeting a 15 million subset of the 36 million potential passwords. Secondly, bear in mind that we still haven't cracked about 4 million tokens, all of which could affect the findings presented here.
Total password entries = 11,716,208Total unique password entries = 4,867,246
The majority of passwords that we have cracked so far appear to be quite simple, either being lowercase with numbers or just lowercase. We also observed some UTF-8 encoded passwords. Passwords containing purely numbers also appear to be relatively popular. Note that we crack passwords in gradual increasing complexity, so it is normal that we have recovered most of the simpler ones first.
The shortest password we cracked had a character length of 1 (length 1), while the longest was length 28. We normally would expect to see more length 7 characters, but as evident from the above results, this was not the case. It is possible that there were fewer length 7 passwords compared to length 6 and 8 because we covered larger bruteforce attacks for the length 6 keyspace. We also observed some extremely long passwords, some of which were caused by users using either their email address or their lengthy usernames as their password.
Going beyond the 15 million vulnerable hashes and another interesting find
User data as passwords
We were curious as to how many users use their username as their password. A full run against all 36 million users was conducted in parallel and we discovered that there were over 630,000 matches. We tried each username against its corresponding bcrypt hash and performed some simple case toggling. This number shows that even without using the discoveries outlined in our previous blog post, more than 630,000 bcrypt hashes could have been easily recovered. We would like to note that this search was not exhaustive, as we only tried common case mutations. We suspect that this figure would have been higher if we had tried more upper and lower case combinations, though this would have taken much longer. It is also worth noting that a similar approach can be tried, but using the email address or other user data.
Our very brief analysis of the passwords suggests that the possible ‘suspicious’ accounts used the following passwords:
Top Interesting passwords
Rather than bore everyone with the standard top 10/50/100 lists, one of our members has kindly put together a top interesting passwords classified by various categories purely for your entertainment.
Those that think adding a few more words to the word password makes it harder to crack:
Those that are having doubts about using the site:
Those that are in denial:
Those who think this is a dating site:
Those who trusted AM:
Passwords from xkcd (https://xkcd.com/936/):
Those that might have figured out what AM is doing:
A package has been sent out to the press containing all the statistical analysis and data derived from the cracked passwords. If you are affiliated with the media, reporting on this story or related stories and wish to acquire these statistics, then please email us.
#FOLLOW_US #JOIN_US #LOVE_US #HATE_US #CONTACT_US @CynoPrime
Blog: cynosureprime.blogspot.comEmail: firstname.lastname@example.org