A team at WP Engine have conducted an interesting analysis of some 10 million passwords collected from various sources such as leaks and dumps. Virtually none of the passwords were still in use, so the researchers considered it ethical to use the dataset in their research.
The analysis highlights that people tend to choose passwords based on defined patterns and on whatever comes to mind when asked for a password. So it is not surprising that, among the 50 most used passwords, the most common text-based password is the word "password" itself. However, the use of patterns often makes guessing passwords very easy, especially for password cracking software such as HashCat, which can make up to 300,000 guesses at a password per second.
Other patterns identified were people adding their year of birth to their name to create a password, and an interesting sex difference was that the word "love" appeared in women's passwords more often than in men's. Keyboard patterns (e.g. qwerty) also feature prominently in the passwords. These can appear random, but again they are easy to predict using software.
The WP Engine team highlight that the strength of a password increases with its entropy, which is a measure of the variation of the characters in the password. Entropy increases most significantly with the length of the password; however, passwords that appear to have a lot of entropy when an entropy calculation is applied may in practice have none. For example, "password" has an entropy score of 37.6 bits; in practice, though, its score is zero, because every word list used by password crackers includes the word "password".
Interestingly, adding a number to a password will increase its calculated entropy, but the increase may not be as significant as it initially appears. This is because both the act of adding a number and the actual number added (the most common being 1) are predictable, and therefore easily incorporated into a password cracking program.
Overall, the WP Engine article is a recommended read, if only to make sure that none of the passwords you are using are amongst the 50 most used!