Crummy passwords from Yahoo users

The dump of 450,000 Yahoo passwords by a group calling itself "D33ds Company" has been analyzed by Anders Nilsson (apparently these passwords were stored in the clear). Here's the topline:

Total entries = 442773
Total unique entries = 342478

Top 10 passwords
123456 = 1666 (0.38%)
password = 780 (0.18%)
welcome = 436 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Top 10 base words
password = 1373 (0.31%)
welcome = 534 (0.12%)
qwerty = 464 (0.1%)
monkey = 430 (0.1%)
jesus = 429 (0.1%)
love = 421 (0.1%)
money = 407 (0.09%)
freedom = 385 (0.09%)
ninja = 380 (0.09%)
writer = 367 (0.08%)

Password length (length ordered)
1 = 117 (0.03%)
2 = 70 (0.02%)
3 = 302 (0.07%)
4 = 2748 (0.62%)
5 = 5323 (1.2%)
6 = 79610 (17.98%)
7 = 65598 (14.82%)
8 = 119125 (26.9%)
9 = 65955 (14.9%)
10 = 54756 (12.37%)
11 = 21219 (4.79%)
12 = 21728 (4.91%)

Statistics of the "450.000 leaked Yahoo accounts". (via Waxy)
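The figures above (total and unique entries, top passwords, top "base words", length distribution) are what a frequency analysis of a plaintext dump produces. The script below is an added example, not Nilsson's code, that computes the same report shape over a small constructed sample; the "base word" rule (lowercase, strip leading/trailing digits and symbols) is an assumption about how the 1373 "password" base-word count was derived from the 780 exact matches.

```python
"""Frequency report over a plaintext password list, in the shape of the Yahoo stats."""
import re
from collections import Counter

# Constructed sample standing in for a leaked list (not real Yahoo data).
SAMPLE = """123456
password
Password1
password123
welcome
welcome1
ninja
ninja2012
abc123
qwerty
Qwerty!
sunshine
123456
password
iloveyou
secret
a"""


def base_word(pw: str) -> str:
    """Assumed 'base word': lowercase, then drop leading/trailing non-letters,
    so 'Password1' and 'password123' both count toward 'password'.
    All-digit or all-symbol passwords yield '' and are not counted."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def analyze(lines, top=10):
    """Return totals, unique count, top exact passwords, top base words and
    the per-length histogram, mirroring the headings in the post."""
    pws = [line.strip() for line in lines if line.strip()]
    exact = Counter(pws)
    bases = Counter(b for b in map(base_word, pws) if b)
    lengths = Counter(len(p) for p in pws)
    return {
        "total": len(pws),
        "unique": len(exact),
        "top_passwords": exact.most_common(top),
        "top_base_words": bases.most_common(top),
        "lengths": sorted(lengths.items()),
    }


def fmt(count, total):
    """Render 'count (pct%)' the way the post lists each entry."""
    return f"{count} ({100 * count / total:.2f}%)"


if __name__ == "__main__":
    r = analyze(SAMPLE.splitlines())
    print(f"Total entries = {r['total']}\nTotal unique entries = {r['unique']}")
    for k in ("top_passwords", "top_base_words", "lengths"):
        print(f"\n{k}")
        for key, n in r[k]:
            print(f"{key} = {fmt(n, r['total'])}")
```

Running it against your own users' password hashes is not possible, but the same report over a candidate list lets you audit which entries a password policy should reject.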

  1. “Password length (length ordered)
     1 = 117 (0.03%)
     2 = 70 (0.02%)
     3 = 302 (0.07%)”

    I’m seriously shocked and appalled that Yahoo! would even allow someone to register using a password that vulnerable.

  2. This isn’t really that bad, out of nearly 450,000 there seem to be less than 10,000 moronic passwords. I would have guessed it would be much worse than that.

    Clearly the biggest issue with internet security is not passwords, rather it’s that hackers keep stealing hundreds of thousands of passwords. Someone in IT probably couldn’t remember all their incredibly complicated passwords and saved them all in a text file…

  3. If I’m cracking in the field how can I remember all these common passwords. With this mnemonic device.

    My password? First I welcome a qwerty monkey to my home and ask, “Does Jesus love money, freedom, ninjas or writers?” Answer in 1,2,3,4,5,6,7,8,9. Come on Princess, while the sun is shining! It’s as easy as abc123.

    1. Here’s a better password!

      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race
      Heather Dorindens 600 meter race

    1. It doesn’t say that these are of current users. They could be accounts inactive since 2003. Maybe even YOUR old account!

    2. For me, not so much shocking (as in: you can only be shocked the first time you hear something) but exasperating — every time I get an e-mail from one of my two friends who don’t want to start over somewhere else. At least the chat situation isn’t too bad — thank you, Pidgin.

  4. I thought that this was a dump of just Yahoo Voice users’ passwords.  Is it ALL Yahoo users?  (Mr. Shibi’s Yahoo email addresses were compromised at about 3am this morning — and he is not a Yahoo Voice user, but this could be unrelated to that.)

      1. Not us.  I don’t know what it is.  I try to only go to reputable sites to look at reputable things like cats with poorly spelled captions or indifferent cats in awkward situations with naked folks.

    1. This does at least point at the bigger problem more than the few qwerty users out there.

      Why do we allow the discussion of security to be hijacked by this mocking of people we think are stupid?

      If you started logging into accounts by guessing the common stupid passwords, your rate of success would be well below 1%, and the act of guessing on so many accounts would probably raise a red flag somewhere. Meanwhile phishing and large-scale theft are common, and reusing the same password everywhere seems to be the result of ever-increasing complexity and rotation of passwords.

      1. Unfortunately, that is something it’s particularly hard to convince non tech-savvy people of. Most of my friends fall into that category, and trying to switch them to a solution as simple as, e.g, Keepass — of which there are versions for all major OSes — seems to be an impossible task.

  5. and yet my old Flickr password of 45rpm7″Single! is just as secure as “password” after Yahoo got hacked.

    1. Correct! I mean analyzing this is all very well and good, but these passwords weren’t obtained through brute force. They were available in the clear. boo.
      I think email is pretty dumb anyway, but it seems to be de rigueur for providing an identity on the internet. I guess it’s better than Facebook, but come on people, there has to be a better way!

  6. Yahoo!, that’s cute.
    I have 3 passwords of different levels of complexity I use for everything from Photobucket, to Amazon, to my bank and 401k. I change them every 6 months. I know if I can’t remember one, then it’s gotta be one of the three. :)

  7. I use my Yahoo email account for shopping, mailing lists, and anything else that’s likely to result in spam (because the spam filter is pretty good, and this keeps my personal email account from being overrun with less important stuff). So this is pretty annoying to me. How many more times does this have to happen before companies learn to lock that shit down?

    1. Here are the counts for those as the entire password. (They do occur as part of a more complex password a lot, however.)

           52 secret
           46 love
            3 god
            2 sex

  8. I always wonder why it is 123456 and not 12345 or 1234567, and why it is not 987654321, which is much easier to type for right-handed people (with your left hand running over the keys and hitting enter or clicking with the right) than say 123456, the most common one. (And it is “saver” ;))

  9. Where is this list of passwords? I wanna ctrl-f it and see if I’m on it, but all Google gives me is Ars Technica’s coverage and everyone else citing Ars, including BB’s first post.

    1. I was thinking the same thing, when it said in the Ars article that they were not posting the link but that, at the time of writing, it wasn’t too hard to find. I didn’t even bother to search, I went and changed my Yahoo password right away. I only use Yahoo for chat (with some people I can’t convince to switch) and I never used their voice service (not even sure if it’s available in Europe; probably not) but I thought it wouldn’t hurt.

  10. I’d imagine a lot of the weak passwords come from people treating it as a throw away account.  I have tons of logins in places I don’t care about, usually registered so I could post a single comment on a webpage, that have a weak password that’s probably easy to hack.

  11. Fortunately, I couldn’t find CorrectHorseBatteryStaple on the list, so my password is safe for now.

  12. I have a Yahoo account with the password as “password.” I don’t use it except for when I don’t want to use my real email.
