25 most common passwords in 2016 and how quickly they can be cracked

Here is the list of Keeper Security’s 25 most common passwords in 2016, as well as how fast two different sites estimate those passwords can be cracked.

It’s nearly that time again when SplashData will release its annual list of worst passwords, but this list of passwords comes from Keeper Security. The company analyzed over 10 million passwords available on the public web before publishing a list of the 25 most common passwords of 2016. Keeper pointed a finger of blame at websites for not enforcing password best practices.

Even if a site won’t help you determine whether a password is decent, people could use common sense. It’s disheartening to know that 17 percent of people still try to safeguard their accounts with “123456.” And “password” is, of course, still on the list, as well as keyboard patterns such as “qwerty” and “123456789”.

I thought it might be interesting to list not only the passwords, but also how quickly they could be cracked. Those times change constantly: when a site is hacked, the dumped passwords get added to cracking lists and can be cracked even more quickly. Nevertheless, each password on Keeper’s list is shown below with two estimated times to crack it; one estimate is from Random-ize and the other is from BetterBuys.

| # | Keeper’s list of worst passwords in 2016 | How long to hack password according to Random-ize | Estimated password-cracking time according to BetterBuys |
|---|---|---|---|
| 1 | 123456 | Less than one second | .25 milliseconds |
| 2 | 123456789 | Less than one second | .25 milliseconds |
| 3 | qwerty | Less than one second | .25 milliseconds |
| 4 | 12345678 | Less than one second | .25 milliseconds |
| 5 | 111111 | Less than one second | .25 milliseconds |
| 6 | 1234567890 | 3 seconds | .25 milliseconds |
| 7 | 1234567 | Less than one second | .25 milliseconds |
| 8 | password | 1 minute, 13 seconds | .25 milliseconds |
| 9 | 123123 | Less than one second | .25 milliseconds |
| 10 | 987654321 | Less than one second | .25 milliseconds |
| 11 | qwertyuiop | 13 hours, 48 minutes | 4 months, 4 days, 7 hours, 11 minutes, 46 seconds |
| 12 | mynoob | Less than one second | 24 seconds |
| 13 | 123321 | Less than one second | .25 milliseconds |
| 14 | 666666 | Less than one second | .25 milliseconds |
| 15 | 18atcskd2w | 14 days, 21 hours | 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds |
| 16 | 7777777 | Less than one second | .25 milliseconds |
| 17 | 1q2w3e4r | 16 minutes, 33 seconds | .25 milliseconds |
| 18 | 654321 | Less than one second | .25 milliseconds |
| 19 | 555555 | Less than one second | 2 minutes, 46 seconds |
| 20 | 3rjs1la7qe | 14 days, 21 hours | 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds |
| 21 | google | Less than one second | .25 milliseconds |
| 22 | 1q2w3e4r5t | 14 days, 21 hours | 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds |
| 23 | 123qwe | Less than one second | .25 milliseconds |
| 24 | zxcvbnm | 2 seconds | .25 milliseconds |
| 25 | 1q2w3e | Less than one second | .25 milliseconds |

As for some of the more peculiar random passwords appearing on the list, those particular oddballs showed up on LeakedSource in June 2016 after media company VerticalScope was hacked. The database contained “nearly 45 million records from over 1,100 websites and communities.” Graham Cluley said he suspected that some of the passwords in that leak, such as “18atcskd2w”, “3rjs1la7qe,” and “q0tsrbv488”, were “created by bots, perhaps with the intention of posting spam onto the forums.”

It’s worth noting that BetterBuys’ cracking estimate uses an i5-6600K core processor, Intel data benchmarks and the cracking tool John the Ripper. It currently tests how quickly a password could be cracked in 2016, but each year, as tech evolves and hackers become more proficient, passwords get weaker. Passwords that took a mere .29 milliseconds in 2015 could be cracked in .25 milliseconds in 2016. “For example,” BetterBuys wrote, “a password that would take over three years to crack in 2000 takes just over a year to crack by 2004. Five years later, in 2009, the cracking time drops to four months. By 2016, the same password could be decoded in just over two months. This demonstrates the importance of changing passwords frequently.”

Another example using a password on this list: In 2015, BetterBuys estimated that “qwertyuiop” could be cracked in 4 months, 3 weeks, 3 days, 32 minutes, 10 seconds; in 2016, the time shortened to 4 months, 4 days, 7 hours, 11 minutes, 46 seconds. Since “18atcskd2w” showed up on the list, it probably was added to cracking lists right away and now takes even less time to crack. But to show how the strength of passwords is weakened each year, BetterBuys estimated that in 2015 it would take 1 decade, 2 months, 2 weeks, 3 days, 16 hours, 30 minutes and 24 seconds to crack “18atcskd2w”. In 2016, it would take 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds.
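The point that a leaked string such as “18atcskd2w” is no longer protected by its brute-force estimate can be turned into the kind of site-side check Keeper says websites fail to enforce. The sketch below is an added example, not code from Keeper, Random-ize or BetterBuys; the function names and the guess rate of one billion per second are assumptions made for illustration.

```python
import math
import string

# Keeper Security's 25 most common passwords of 2016, copied from this page.
KEEPER_2016 = frozenset("""
123456 123456789 qwerty 12345678 111111 1234567890 1234567 password 123123
987654321 qwertyuiop mynoob 123321 666666 18atcskd2w 7777777 1q2w3e4r 654321
555555 3rjs1la7qe google 1q2w3e4r5t 123qwe zxcvbnm 1q2w3e
""".split())

# Assumption: one billion offline guesses per second (not a figure from the page).
GUESSES_PER_SECOND = 1e9
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def brute_force_seconds(pw, rate=GUESSES_PER_SECOND):
    """Average exhaustive-search time over the smallest alphabet covering pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        alphabet += 33  # anything else is counted as ASCII punctuation plus space
    try:
        return alphabet ** len(pw) / 2 / rate
    except OverflowError:  # very long passphrases exceed float range
        return math.inf


def is_trivial_pattern(pw):
    """True for a single repeated character or a straight keyboard-row run."""
    low = pw.lower()
    if len(set(low)) <= 1:
        return True
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def assess(pw):
    """Return (verdict, seconds). Listed and patterned passwords get 0 seconds:
    a wordlist or rule-based attack tries them before any brute force starts."""
    if pw.lower() in KEEPER_2016:
        return ("listed", 0.0)
    if is_trivial_pattern(pw):
        return ("pattern", 0.0)
    return ("unlisted", brute_force_seconds(pw))


if __name__ == "__main__":
    for candidate in ("18atcskd2w", "asdfgh", "7777777", "Tr0ub4dor&3"):
        print(candidate, assess(candidate))
```

A registration or password-change handler would reject anything that does not come back as "unlisted"; in production the 25-entry set would be replaced by a much larger breached-password list.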
If you think your 12-character password is secure, then you might want to check out a recent article by Netmux, a cybersecurity firm made up of former veterans, as it goes into details about how to crack 12-character passwords. If you aren’t using a password manager yet, then you should make that one of your 2017 resolutions.
Source: http://www.networkworld.com/