Passwords of Plenty*: what 442773 leaked Yahoo! accounts can tell us

While the ongoing floods of leaked account credentials from Formspring, LinkedIn et al. are potentially disastrous for the owners of those accounts, analysing the leaked data does more than tell us whether our own accounts are at risk. It also gives us all an incentive to re-examine our own password (and passcode) selection strategies, by showing whether we are using the same far-from-unique passwords as so many of the victims of these breaches.

My colleague Anders Nilsson's Eurosecure blog looks at the data from the Yahoo! breach reported by Dan Goodin and refers to some detailed statistics. Rather than reproduce all of those data here, I'd recommend that you read his post; but as I've previously referred, here and elsewhere, to 'Top Umpteen' lists of insecure, over-used, easily guessed passwords, I can't resist reproducing the top ten he extracted, since it comes from a more recent source than the Mark Burnett analysis I quoted in my previous post on the subject. Each entry gives the password, the number of accounts using it, and its share of the 442,773 leaked records:

  1. 123456 = 1666 (0.38%)
  2. password = 780 (0.18%)
  3. welcome = 436 (0.1%)
  4. ninja = 333 (0.08%)
  5. abc123 = 250 (0.06%)
  6. 123456789 = 222 (0.05%)
  7. 12345678 = 208 (0.05%)
  8. sunshine = 205 (0.05%)
  9. princess = 202 (0.05%)
  10. qwerty = 172 (0.04%)

The TrustedSec blog suggests that the Yahoo! service from which the credentials were dumped is Yahoo! Voice; if you have an account there, this would be a good time to change your password, however good it is. But if you're using any of the passwords above anywhere – or, come to that, any of the 25 below, as compiled by Burnett – it's a good time to start thinking about better choices, or perhaps about a good password manager.

  1. password
  2. 123456
  3. 12345678
  4. 1234
  5. qwerty
  6. 12345
  7. dragon
  8. pussy
  9. baseball
  10. football
  11. letmein
  12. monkey
  13. 696969
  14. abc123
  15. mustang
  16. michael
  17. shadow
  18. master
  19. jennifer
  20. 111111
  21. 2000
  22. jordan
  23. superman
  24. harley
  25. 1234567

No, number 24 doesn't mean I've flooded online services with logins where I use my own name. As I remarked the last time I published this list: "I've included the top 25 because it amused me to see my own name at number 24. I suspect, though, that has more to do with motorcycles than my own superstar status. ;-)"
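The frequency table above is the kind of thing you get by counting how often each password occurs in a dump, and the "are you using one of these?" check is what a registration form should do against the same lists. The following is an added example (not code from the original post, from Anders Nilsson, or from ESET) that does both: it ranks passwords in a small constructed sample dump in the same "password = count (percent)" layout used above, and tests a candidate password against Burnett's top 25 as a blocklist. The sample dump, the `identifier:password` line format, and the function names are all assumptions made for this illustration.

```python
"""Frequency analysis of a leaked credential dump, plus a blocklist check.

Added example, not the original post's or ESET's code. The dump below is
CONSTRUCTED for illustration and contains no real leaked data.
"""
from collections import Counter

# Constructed sample in "identifier:password" form (an assumed layout;
# every entry here is invented).
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:password
carol@example.com:123456
dave@example.com:Sunshine
erin@example.com:123456
frank@example.com:Tr0ub4dor&3
grace@example.com:password
heidi@example.com:qwerty
ivan@example.com:welcome
judy@example.com:ninja
"""

# Burnett's top 25, as reproduced in the post, used as a blocklist.
BURNETT_TOP25 = [
    "password", "123456", "12345678", "1234", "qwerty", "12345", "dragon",
    "pussy", "baseball", "football", "letmein", "monkey", "696969", "abc123",
    "mustang", "michael", "shadow", "master", "jennifer", "111111", "2000",
    "jordan", "superman", "harley", "1234567",
]


def parse_dump(text):
    """Yield the password from each 'identifier:password' line.

    Splits on the FIRST colon only, so a password that itself contains
    ':' is kept intact. Blank lines and lines without a colon are skipped.
    """
    for line in text.splitlines():
        if ":" not in line:
            continue
        _identifier, password = line.split(":", 1)
        yield password


def top_passwords(text, n=10):
    """Return the n most common passwords as
    (rank, password, count, percent_of_all_records) tuples.

    Counting is case-sensitive, as a raw dump count would be; ties are
    broken alphabetically so the ranking is deterministic.
    """
    passwords = list(parse_dump(text))
    total = len(passwords)
    counts = Counter(passwords)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        (rank, pw, count, round(100 * count / total, 2))
        for rank, (pw, count) in enumerate(ranked[:n], start=1)
    ]


def format_table(rows):
    """Render rows in the post's 'N. password = count (percent%)' layout."""
    return "\n".join(
        f"{rank}. {pw} = {count} ({pct}%)" for rank, pw, count, pct in rows
    )


def is_common(password, blocklist):
    """Case-insensitive membership test against a blocklist.

    This is the check a registration form should make before accepting a
    password: 'Password' is no better than 'password' to a guesser who
    tries obvious case variants.
    """
    return password.lower() in {p.lower() for p in blocklist}


if __name__ == "__main__":
    rows = top_passwords(SAMPLE_DUMP, n=5)
    print(format_table(rows))
    # Any password seen in the dump is a candidate for the blocklist too.
    blocklist = BURNETT_TOP25 + [pw for _, pw, _, _ in rows]
    for candidate in ("Password", "Tr0ub4dor&3", "WELCOME"):
        verdict = "common" if is_common(candidate, blocklist) else "not in list"
        print(f"{candidate}: {verdict}")
```

Note the deliberate asymmetry: the frequency count is case-sensitive, because that is what a dump actually contains and what the table above reflects, while the blocklist check is case-insensitive, because an attacker running a wordlist will try case variants anyway. Feeding the real top ten from the dump into the blocklist, as the `__main__` section does, is the practical point: yesterday's most popular leaked passwords are tomorrow's first guesses.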

If credentials are leaked for a service you use, there isn't much you can do except:

  • Change your password ASAP
  • Pressure the service provider into enhancing its security
  • Consider whether there might be a safer service you can use.

But changing all your passwords to something harder to guess/break is never a bad idea.

Author: David Harley, ESET Senior Research Fellow

  • Stephen Cobb

    Great points David, and the advice about password selection should be of value to the more than one million members of the Phandroid community who just learned that their user names and passwords were compromised. Clearly all of these folks will need to change their passwords on Phandroid, and anywhere else that they may have used the same name and password combination. Pending an explanation of how this security breach occurred, Phandroid should get some credit for the detailed disclosure it made to members.

  • Batfan

    How predictable that Superman fans would pick something obvious as a password.

  • Richard

    Problem is two-fold: 1) users being allowed to choose weak passwords by poorly designed register systems. 2) users picking the poor passwords. These two points are probably made moot when the hashing methods are discovered but even if a database is accessed and records downloaded, the hashing method should be difficult to defeat.


Copyright © 2017 ESET, All Rights Reserved.