Ata Hakçıl, a Turkish student and independent researcher, has done impressive work examining more than a billion different usernames and passwords. He found that every 142nd password is “123456”.
He assembled this huge dump for analysis from open sources: all of the data had at some point been leaked online after various information security incidents.
Such dumps have been accumulating on the network for more than a dozen years, and their number only grows as new companies are breached. Finding them is not hard at all: such collections of credentials are available on GitHub and GitLab and are freely distributed on hacker forums, through file-sharing services, and so on.
It is also worth noting that large companies have long been collecting such dumps in order to warn their users about the danger. For example, Google, Microsoft and Apple use leaked logins and passwords to build their own warning systems that inform people when they use a weak or already compromised password.
“In the huge collection he managed to find 168,919,919 unique passwords and, as it turned out, more than 7,000,000 of them are the password “123456” (every one hundred forty-second password),” writes Hakçıl.
Specialists have long warned that the sequence 123456 is the most used password in the world and has led by a wide margin for at least five years. Recall also that, according to researchers from Carnegie Mellon University, users seldom change their passwords even after data leaks.
The researcher also estimated that the average password length is 9.48 characters, although information security experts usually recommend longer passwords (16 to 24 characters). Password complexity was also a problem: only 12% of all passwords contain at least one special character.
Worse, in the vast majority of cases users choose the simplest passwords, consisting of letters only (29%) or digits only (13%). In effect, this means that roughly 42% of all passwords are vulnerable to ordinary dictionary and brute-force attacks.
Other interesting findings from Hakçıl's report:
- out of the 1,000,000,000+ lines studied, 257,669,588 were filtered out as damaged;
- in fact, the billion credentials contained only 168,919,919 unique passwords and 393,386,953 unique usernames;
- the most common password is “123456”; it occurs in approximately 0.722% of cases;
- the 1,000 most common passwords account for approximately 6.607% of all passwords examined;
- the average password length is 9.4822 characters;
- only 12.04% of passwords contain special characters;
- 28.79% of passwords contain letters only (consistent with the 29% figure above);
- 26.16% of passwords contain lowercase letters only;
- 13.37% of passwords contain digits only;
- 34.41% of all passwords end with a digit, but only 4.522% begin with one.
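As an added example (not part of Hakçıl's report or of the original article), the following Python script computes the same kind of statistics over a small constructed dump: it filters damaged lines, counts unique passwords and usernames, finds the most common password and its "one in N" rate, the share covered by the top N passwords, average length, and the character-class breakdowns listed above. The `username:password` line format, the criteria for a "damaged" line (no separator, empty field, or non-printable characters) and the definition of a "special character" as any non-alphanumeric ASCII character are assumptions, since the report does not specify them; every username and password in the sample is invented.

```python
"""Credential-dump statistics of the kind listed in the report, computed over a
constructed sample. Format and filtering rules are assumptions, not the report's."""
import re
from collections import Counter

# Constructed sample dump in "username:password" form (all entries invented).
# The last three lines are deliberately malformed to exercise the damaged-line filter.
SAMPLE_DUMP = """\
alice:123456
bob:Passw0rd!
carol:123456
dave:qwerty
erin:letmein
frank:hunter2
grace:correcthorsebattery
heidi:Summer2020
ivan:123456
judy:password
oscar:P@ssw0rd
peggy:123456
trent:abc123
walter:Tr0ub4dor&3
alice:Alice2019
bob:123456
carol:iloveyou
dave:111111
erin:Qwerty
frank:2fast4u
no_separator_here
mallory:
victor:\x00binary
"""

LETTERS_ONLY = re.compile(r"^[A-Za-z]+$")
LOWER_ONLY = re.compile(r"^[a-z]+$")
DIGITS_ONLY = re.compile(r"^[0-9]+$")
SPECIAL = re.compile(r"[^A-Za-z0-9]")  # assumption: "special" = any non-alphanumeric ASCII


def parse_dump(text):
    """Split dump lines into (username, password) pairs; return (pairs, damaged_count)."""
    pairs, damaged = [], 0
    for line in text.splitlines():
        if not line:
            continue  # blank lines are ignored rather than counted as damaged
        user, sep, password = line.partition(":")
        # Damaged: missing separator, empty username/password, or non-printable bytes.
        if not sep or not user or not password or not password.isprintable():
            damaged += 1
            continue
        pairs.append((user, password))
    return pairs, damaged


def pct(count, total):
    """Percentage rounded to four decimals, matching the report's precision."""
    return round(100.0 * count / total, 4) if total else 0.0


def analyze(pairs, top_n=1000):
    """Statistics over password occurrences (not unique values), as the report does."""
    if not pairs:
        raise ValueError("no valid credential pairs to analyze")
    passwords = [p for _, p in pairs]
    total = len(passwords)
    freq = Counter(passwords)
    most_common_pw, most_common_n = freq.most_common(1)[0]
    top_share = sum(n for _, n in freq.most_common(top_n))
    count = lambda pred: sum(1 for p in passwords if pred(p))
    return {
        "total": total,
        "unique_passwords": len(freq),
        "unique_usernames": len({u for u, _ in pairs}),
        "most_common": most_common_pw,
        "most_common_pct": pct(most_common_n, total),
        "most_common_one_in": round(total / most_common_n),  # "every Nth password"
        "top_n_pct": pct(top_share, total),
        "avg_length": round(sum(map(len, passwords)) / total, 4),
        "special_pct": pct(count(lambda p: bool(SPECIAL.search(p))), total),
        "letters_only_pct": pct(count(lambda p: bool(LETTERS_ONLY.match(p))), total),
        "lowercase_only_pct": pct(count(lambda p: bool(LOWER_ONLY.match(p))), total),
        "digits_only_pct": pct(count(lambda p: bool(DIGITS_ONLY.match(p))), total),
        "ends_with_digit_pct": pct(count(lambda p: p[-1].isdigit()), total),
        "starts_with_digit_pct": pct(count(lambda p: p[0].isdigit()), total),
    }


def report(text, top_n=1000):
    """Parse a dump and return its statistics plus the number of damaged lines."""
    pairs, damaged = parse_dump(text)
    stats = analyze(pairs, top_n)
    stats["damaged"] = damaged
    return stats


if __name__ == "__main__":
    # top_n=2 because the sample is tiny; use 1000 to reproduce the report's metric.
    for key, value in report(SAMPLE_DUMP, top_n=2).items():
        print(f"{key:>22}: {value}")
```

On a real dump the script is run as `report(open("dump.txt").read())`; lines are processed one at a time, so for a billion-line file the only change needed is to stream the file instead of reading it into memory. Note that the percentages for letters-only and digits-only are disjoint and can be added (as the article does to reach 42%), while lowercase-only is a subset of letters-only and must not be.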