How you can hack into 5500 accounts… simply utilizing “credential stuffing” – Bare Safety

All of us must know by now that passwords which might be straightforward to guess will get guessed.

We not too long ago reminded ourselves of that by guessing, by hand, 17 of the highest 20 passwords within the Have I Been Pwned (HIBP) Pwned Passwords database in beneath two minutes.

We tried the ten all-digit sequences 1, 12, 123 and so forth as much as 1234567890, and eight of them have been within the high 20.

Then we tried different apparent digit combos akin to 000000, 111111 and 123123 (we began with six digits as a result of that’s Apple’s present minimal size, and since we famous that 123456 got here out properly forward of 12345 and 1234).

The others have been equally straightforward: qwerty, password, abc123, password1, iloveyou and qwertyuiop, the final being a helpful reminder that size alone counts for little or no.

Rank  Password    SHA-1 Hash                                Appearances
----  ----------  ----------------------------------------  -----------
  1:  123456      7C4A8D09CA3762AF61E59520943DC26494F8941B   24,230,577
  2:  123456789   F7C3BC1D808E04732ADF679965CCC34CA7AE3441    8,012,567
  3:  qwerty      B1B3773A05C0ED0176787A4F1574FF0075F7521E    3,993,346
  4:  password    5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8    3,861,493
  5:  111111      3D4F2BF07DC1BE38B20CD6E46949A1071F9D0E3D    3,184,337
  6:  12345678    7C222FB2927D828AF22F592134E8932480637C0D    3,026,692
  7:  abc123      6367C48DD193D56EA7B0BAAD25B19455E529F5EE    2,897,638
  8:  1234567     20EABE5D64B0E216796E834F52D61FD0B70332FC    2,562,301
  9:  12345       8CB2237D0679CA88DB6464EAC60DA96345513964    2,493,390
 10:  password1   E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D    2,427,158
 11:  1234567890  01B307ACBA4F54F55AAFC33BB06BBBF6CA803E9A    2,293,209
 12:  123123      601F1889667EFAEBB33B8C12572835DA3F027F78    2,279,322
 13:  000000      C984AED014AEC7623A54F0591DA07A85FD4B762D    1,992,207
 14:  iloveyou    EE8D8728F435FD550F83852AABAB5234CE1DA528    1,655,692
 15:  1234        7110EDA4D09E062AA5E4A390B0A572AC0D2C0220    1,371,079
 16:  - - - - -   B80A9AED8AF17118E51D4D0C2D7872AE26E2109E    1,205,102
 17:  qwertyuiop  B0399D2029F64D445BD131FFAA399A42D2F8E7DC    1,117,379
 18:  123         40BD001563085FC35165329EA1FF5C5ECBDBBEEF    1,078,184
 19:  - - - - -   AB87D24BDC7452E55738DEB5F868E1F16DEA5ACE    1,000,081
 20:  - - - - -   AF8978B1797B72ACFFF9595A5A2A373EC3D9106D      994,142

We did get the opposite three passwords in a while after a bit extra work.

One was the apparent sample 1q2w3e4r5t – we initially gave up making an attempt at 1q2w3e4r, however ought to clearly have thought to go additional, on condition that two different 10-character keyboard patterns had already confirmed up in our record.

And we must always have thought to strive the Chinese language zodiac, which might have revealed the 6-letter passwords monkey and dragon, which completed off the record at #19 and #20 respectively. (Due to the Bare Safety readers who wrote in to inform us!)

As you possibly can see above, these passwords didn’t simply present up as soon as every within the many public password dumps that have been discovered and processed by HIBP, however actually tens of millions of instances, with 123456 on the high with greater than 24 million appearances, and dragon on the backside with 994,142.

So we have to select higher passwords, and whereas 99pass!!word45 might be nearly secure sufficient (however don’t use it – you possibly can simply do higher!), a very long-and-strong string akin to yjCMth15S­U,atTWT? is the kind of password you must be aiming at.

In case you’re questioning, that’s a mnemonic password that you could recall with the phrase “You simply can’t make these things up, ain’t that the entire fact?”.