7

I've been thinking about ways to focus brute forcing dictionary attacks on passwords and passphrases based on the assumption that certain words, combinations of letters, and combinations of words are more common in passwords and passphrases than in general text.

In combinatorial dictionary attacks it seems to make sense to check more combinations using high frequency words (or ngrams) than the rest of the dictionary.

I gather there are lists of the most common passwords out there but are there also lists of most common words or ngrams known to be used in passwords and passphrases?

2
  • 1
    Standard password crackers already use these techniques, and others that are even more sophisticated (e.g., Markov models).
    – D.W.
    Commented Aug 12, 2011 at 19:15
  • @D.W.: Thanks, I'm just getting up to speed. I was going to ask about Markov chains and HMMs next. Do you know where I can read something a little technical about how they use them? Commented Aug 12, 2011 at 19:41

4 Answers

7

Oh, there are a few places that show the most common passwords as determined through website breaches. Some examples:

No matter where you look, it seems that 123456 is the password to beat. For all those above and more, start with http://www.google.com/search?q=list+of+most+common+passwords

1
  • This does not answer the OP's question: they aren't looking for the most common passwords, they are looking for the most common n-grams used in passwords. "12word34" contains the n-gram "word", for example. Not sure why the OP accepted this answer.
    – John
    Commented Jan 15, 2015 at 21:37
6

There's a very interesting article on this topic here:

The Science of Password Selection

4

You can find quite a bit of analysis and password lists here; in creating a "most common" list for personal usage in pentesting, this site was a great asset: http://www.skullsecurity.org/wiki/index.php/Passwords

2
  • 1
    Thank you but what is "pentesting"? Commented Aug 15, 2011 at 11:52
  • 1
    hippietrail: penetration testing.
    – detro
    Commented Aug 15, 2011 at 13:56
3

[...] but are there also lists of most common words or ngrams known to be used in passwords and passphrases?

(Okay, so I completely misread the OP's question, my bad!)

There are not many that I'm aware of, but here are a few links to some interesting articles and such. The first one is a link to the passwords from the SonyPictures data breach; decide for yourself whether you think it's okay to download or not (SonyPictures).

The other one is an interesting analysis of said passwords. It might be interesting to read. Also, see this analysis of the Gawker breach.

Hopefully these will provide you with some interesting data. Sorry for the original confusion.

Old answer for historical reference.

Yes. The British National Corpus (found here) provides lists of words with their frequency of occurrence in the English language. The design and creation of said lists are adequately explained on the page, and the lists may be downloaded from there as well. For n-grams, Google provides sets of data for n-grams up to 5 words, which may also be downloaded freely from here.

2
  • Perhaps I worded my question poorly. I wasn't looking for lists of words and ngrams which might potentially occur in passwords but which are known to commonly occur in passwords. Certain things like "secret", "love", and recent 4-digit years for instance are overrepresented in passwords and passphrases. Commented Aug 12, 2011 at 18:29
  • 1
    No, sorry. I actually misread your question, it's entirely my fault. I do remember finding one report analyzing passwords; I'll update my answer with it once I find it. Commented Aug 12, 2011 at 18:32
