I love taking a look at dumped passwords and analyzing them with Pipal by DigiNinja. Pipal is a great analytical program that takes a password dump and looks for patterns, including password lengths and complexities. I have always liked statistics and you can learn a lot from running passwords through Pipal.
I took a quick look at Pastebin and found that Stefan Venken (@StefanVenken) had already taken almost a million and a half of the LinkedIn passwords and analyzed them with Pipal. Here are some of the more interesting results:
Password length (length ordered)
6 = 281193 (20.75%)
7 = 211946 (15.64%)
8 = 444338 (32.79%)
From this portion of cracked passwords, 8-character passwords were the most common length (not the average): 444,338 users chose passwords that were exactly 8 characters long.
In fact, a whopping 69% of the passwords that were cracked were 8 characters or less; the three length buckets shown above alone add up to 69.18%, before counting anything shorter than 6 characters…
30% of the cracked passwords used only lowercase letters, and another 45% contained just lowercase letters and numbers. From the statistics, it looks like almost all of that second group followed the same format: lowercase letters followed by one or more numbers, with the numbers always at the end.
Overall, only 1% of the users chose passwords made up of mixed-case letters, numbers and symbols…
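To show how those three reports are produced, here is a small Ruby script written as an added example for this post. It is not Pipal (DigiNinja's tool, also written in Ruby) and not part of the original analysis; it reimplements the length distribution, the Pipal-style character-set classes (loweralpha, loweralphanum, mixedalphaspecialnum, ...) and the "lowercase letters followed by digits" check described above. The password list `SAMPLE_PASSWORDS` is constructed for the example and has nothing to do with the LinkedIn dump; the function names are my own.

```ruby
# Minimal Pipal-style password-dump analysis (added example, not Pipal itself).
# Usage: ruby pipal_lite.rb dump.txt   (one password per line)
# With no file argument it analyses the constructed sample below.

# Constructed sample "dump" for the example; not real leaked data.
SAMPLE_PASSWORDS = %w[
  password 123456 monkey linkedin
  secret12 qwerty99 dragon1 abc123
  Passw0rd! HELLO12 12dogs sunshine2012
].freeze

# Percentage of part in total, rounded to two decimals (0.0 for an empty set).
def percent(part, total)
  total.zero? ? 0.0 : (100.0 * part / total).round(2)
end

# Classify a password by the character classes it contains, using Pipal-like
# names: loweralpha, upperalpha, mixedalpha, numeric, loweralphanum,
# mixedalphaspecialnum, and so on.
def charset_class(pw)
  lower   = pw.match?(/[a-z]/)
  upper   = pw.match?(/[A-Z]/)
  digit   = pw.match?(/\d/)
  special = pw.match?(/[^A-Za-z0-9]/)

  alpha = if lower && upper then "mixedalpha"
          elsif lower       then "loweralpha"
          elsif upper       then "upperalpha"
          end
  parts = []
  parts << alpha     if alpha
  parts << "special" if special
  parts << "num"     if digit
  name = parts.join
  return "numeric" if name == "num"
  return "empty"   if name.empty?
  name
end

# The pattern the post describes: one or more lowercase letters followed only
# by one or more digits (Pipal calls the general case "stringdigit").
def lower_then_digits?(pw)
  pw.match?(/\A[a-z]+\d+\z/)
end

# [[length, count, percent], ...] ordered by length.
def length_stats(passwords)
  counts = Hash.new(0)
  passwords.each { |pw| counts[pw.length] += 1 }
  counts.sort.map { |len, n| [len, n, percent(n, passwords.size)] }
end

# Share of passwords of at most max_len characters (the post's "8 or less").
def short_share(passwords, max_len = 8)
  percent(passwords.count { |pw| pw.length <= max_len }, passwords.size)
end

# { class_name => [count, percent] }, most common class first.
def charset_stats(passwords)
  counts = Hash.new(0)
  passwords.each { |pw| counts[charset_class(pw)] += 1 }
  counts.sort_by { |name, n| [-n, name] }
        .map { |name, n| [name, [n, percent(n, passwords.size)]] }
        .to_h
end

# Among the loweralphanum passwords, how many are letters-then-digits?
def lower_then_digits_share(passwords)
  group = passwords.select { |pw| charset_class(pw) == "loweralphanum" }
  percent(group.count { |pw| lower_then_digits?(pw) }, group.size)
end

# Print the reports in roughly Pipal's layout.
def report(passwords)
  puts "Total entries = #{passwords.size}"
  puts
  puts "Password length (length ordered)"
  length_stats(passwords).each { |len, n, pct| puts "#{len} = #{n} (#{pct}%)" }
  puts
  puts "8 characters or less = #{short_share(passwords)}%"
  puts
  puts "Character sets"
  charset_stats(passwords).each { |name, (n, pct)| puts "#{name}: #{n} (#{pct}%)" }
  puts
  puts "loweralphanum passwords that are lowercase letters followed by digits: " \
       "#{lower_then_digits_share(passwords)}%"
end

if __FILE__ == $PROGRAM_NAME
  passwords = ARGV.empty? ? SAMPLE_PASSWORDS : File.readlines(ARGV[0], chomp: true)
  report(passwords)
end
```

On the constructed sample the script reports 6-, 7- and 8-character passwords as 33.33%, 16.67% and 33.33% of the set, loweralphanum as the largest class, and five of the six loweralphanum entries matching the letters-then-digits pattern; the one that does not ("12dogs") has its digits in front, which is exactly the distinction the Pipal pattern report draws. Pointing it at a real cracked list gives the same kind of numbers quoted above.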
And according to an article on Ars Technica, all of the usual bad passwords were present, including:
And of course, linkedin
People put a lot of personal information on LinkedIn, many of them while looking for a new job or business opportunities: their education and job history, along with the groups they belong to. That is a treasure trove for social engineers. One would think that, of all the online social sites, LinkedIn is the one where users would choose a long, complex password to secure their account.
But since every one of the top bad passwords of 2011 was found in the dump, it truly makes one wonder: what in the world is people’s fascination with the password “monkey”???