
"God, Sex, Love and Secret" or statistics on the use of passwords in social networks
Users do not like to strain and many developers come to terms with this. Remember the last 10 sites on which you registered, how many of them checked your password for complexity? But no matter what security measures the creators of the system come up with, they can be meaningless if the user himself facilitates the work of the attacker.
This article presents the result of the analysis of ~ 100,000 passwords. I hope this analysis will be interesting and useful to many people.
No, we do not store passwords in the clear, statistics were obtained during the experiment on one of the social networks, by anonymous data collection and alas, I can not post the resulting dictionary and name this network.
All passwords are checked according to the criteria for the presence of numbers, special characters, case and stability using cracklib methods .
The shortest password is 1 character, the longest is 63 characters.

Over 15 characters are completely irrelevant.
According to the results of the cracklib run, 35.5% of passwords turned out to be easily crackable

Specialist. characters - 3%
Only numbers - 33%
Only letters - 24.7%
Letter-numbers - 39.3%

91.5% - in lower case
3% - in upper case
5.5% - different case

Suppose a certain attacker has a database of 5 of the most common passwords and uses it to select all the accounts of your service. Top 5 passwords is a 2.9% chance of successful selection in 5 attempts, which is 290 people with a total of 10,000 users (such a small startup). Needless to say, these people will immediately lose both icq and mail ...

If we take into account all the common passwords (occurring more than 5 times), of which there are only 381, they allow you to access ~ 9.2% of accounts. Think about it, almost 10 of your users can be cracked by a tiny dictionary of less than 400 passwords.

The most delicious, alas, there are no clear-cut options like in the well-known film, everything is trivial, and most habra-people will not be surprised.

Users are idiots.
No password verification for complexity anywhere. The minimum set of rules that determine the length of the password, the presence of both letters and numbers, as well as a different register in it must be implemented in any form of registration (or better yet, generate a password for the user yourself). The form should have a threshold of attempts after which the user ceases to start without captcha (very, very complex captcha). My advice is to limit this number to three attempts. It is a good idea to add a counter of failed attempts to the user profile to further introduce a delay between login attempts for each account individually. Here it’s really worth remembering that a user can start to be informed so that he cannot log into the system, but the inaccessibility state is much better than the state of leakage of personal data.
I really hope that this information will help you make your services better and safer.
This article presents the result of the analysis of ~ 100,000 passwords. I hope this analysis will be interesting and useful to many people.
Small retreat
No, we do not store passwords in the clear, statistics were obtained during the experiment on one of the social networks, by anonymous data collection and alas, I can not post the resulting dictionary and name this network.
What was done
All passwords are checked according to the criteria for the presence of numbers, special characters, case and stability using cracklib methods .
Data
Length distribution
The shortest password is 1 character, the longest is 63 characters.

Over 15 characters are completely irrelevant.
Strong and simple passwords
According to the results of the cracklib run, 35.5% of passwords turned out to be easily crackable

The presence of special. characters, numbers and letters
Specialist. characters - 3%
Only numbers - 33%
Only letters - 24.7%
Letter-numbers - 39.3%

Register
91.5% - in lower case
3% - in upper case
5.5% - different case

Most popular passwords
What does this mean in reality
Suppose a certain attacker has a database of 5 of the most common passwords and uses it to select all the accounts of your service. Top 5 passwords is a 2.9% chance of successful selection in 5 attempts, which is 290 people with a total of 10,000 users (such a small startup). Needless to say, these people will immediately lose both icq and mail ...

If we take into account all the common passwords (occurring more than 5 times), of which there are only 381, they allow you to access ~ 9.2% of accounts. Think about it, almost 10 of your users can be cracked by a tiny dictionary of less than 400 passwords.

Top 10 Passwords
The most delicious, alas, there are no clear-cut options like in the well-known film, everything is trivial, and most habra-people will not be surprised.
- 1145 1234567
- 871 123456
- 332 7777777
- 303 password
- 292 12345
- 278 1111111
- 261 123456789
- 221 qwerty
- 216 111111
- 179 1234

conclusions
No password verification for complexity anywhere. The minimum set of rules that determine the length of the password, the presence of both letters and numbers, as well as a different register in it must be implemented in any form of registration (or better yet, generate a password for the user yourself). The form should have a threshold of attempts after which the user ceases to start without captcha (very, very complex captcha). My advice is to limit this number to three attempts. It is a good idea to add a counter of failed attempts to the user profile to further introduce a delay between login attempts for each account individually. Here it’s really worth remembering that a user can start to be informed so that he cannot log into the system, but the inaccessibility state is much better than the state of leakage of personal data.
I really hope that this information will help you make your services better and safer.