So, the NCSC has been running a study on the prevalence of the ‘Top 1000 Passwords’. It’s useful stuff, but I wondered – just how frequent are these passwords? How can they know? Where did this list come from?
I noticed, for example, that the list included baseball, which I gather is a degenerate form of rounders. It’s certainly not what I’d expect on a UK-centric list of passwords. Similarly, chicago, and redsox were unlikely. (There are, however, cricket and wanker, so it isn’t an entirely Americanised list).
I also noticed some passwords – like rasdzv3 – that I couldn’t see any obvious reason for being particularly popular.
Anyway – I wondered – how frequent are these? What was the most frequent? Enter Troy Hunt’s api.pwnedpasswords.com. The latest version of the API (now with k-Anonymity) lets you see how many times a particular hash has appeared in breaches.
I did what any responsible dev would do when curious, and wrote a script over lunchtime to find out. I took each of the 1000 top passwords, queried pwnedpassword.com (thank you Troy and Cloudflare), and recorded the count it returned.
The NCSC Results are here.
So, there are some pretty rare passwords in there. Those are unimpressive scores. I do note that there seems to be a pattern amongst some of these passwords of “take a word and remove its last letter”. I doubt that’s adequate.
Anyway, the most popular 15 are:
Interesting. Scary. Terrifying, in fact. These are mostly pretty simple patterns. And seriously, what systems accept 0 as a password? I’m hoping that some of this is test data polluting live systems, ‘cos that’s over 7-million hits on 123456789. Craazzyy.
I drew up a graph of the password rank (highest on the left) against the number of hits. I adjusted the y-axis ‘cos the top few hits are so frequent.
So, quite a long tail. I think I ought to be able to beat at least some of that.
As an aside, looking at the list of Top Passwords – if you’re choosing your password based on:
- your genitals
- someone else’s genitals
- what you’d like to do with genitals (yours or someone else’s)
- the size of genitals
… then you need to think hard about choosing a different password. Similarly true for:
- ‘Sneaky keyboard patterns’ (like 123123123)
- sports teams
- people’s forenames
- geographical locations
Anyway, next up – can I find more popular passwords? I was struck by the dearth of film and TV references, so I made my own list. It’s only 68 terms. And I didn’t do any fuzzing (though I did do ‘correct’ and lower-case for each (so 136 records).
Here’s my results.
So, my top result was black, but that actually was in the NCSC’s top 1000 (see the red crosses). My top result that wasn’t was potter (which is slightly more popular than mercury and ncc1701 in the top 1000. My kind of geeks) at position 644.
What does this show?
- Well, I was a bit surprised that the Top 1000 list actually held up pretty well. There definitely are some weaker passwords in it – I’d consider trying to replace the bottom 50 – but it is difficult to get a feel for what passwords people actually use. I mean, that’s kind of the point, right? Certainly, if you just wanted to blacklist these, that’d be a reasonable start to improving passwords.
- It seems that passwords that don’t use upper case a surprisingly popular. I hate to say it, but the ‘Must include a capital’ rule might be on to something.
- I may be a bit too geeky in my TV habits.
- The pwnedpasswords API is awesome ,but…
- I’d love to know what the most frequent plaintexts on it are. (I don’t think that’s possible, but wouldn’t it be fascinating?)
And my search for an authoritative source of most used passwords shall continue…
3 thoughts on “A brief analysis of the NCSC’s “Top 1000 Passwords” list”
rasdzv3 are Russian count – raz=one, dva=two, and obviously 3, guess this makes it easy to remember 🙂
Brilliant, thanks! That’s a good thing to consider – people choose bad passwords in any language! https://www.zdnet.com/article/the-reason-why-ji32k7au4a83-is-a-common-password/
How many instances of “b” 😉