world's 10k most popular passwords (download)

Password Security Checker

Whether you like it or not, password security is a now vitally important facet of online life. There are multiple factors to consider, the primary one being how hard it is to brute-force crack – because this is the single most likely method of attack on your password. Use the Password Security Checker to see just how safe & secure your passwords really are.

Are you sure? Because it’s not actually your password they’re after – passwords are like keys to a vault, with some targetted information on hand, it’s not that difficult to create a highly believable personalised sting.

A brute-force crack wouldn’t be run against your password per se. Typically, website that you’ve signed up to would have been hacked & the entire database of plain-text usernames / email addresses & their hash value passwords stolen. The data is then analysed for known password hash values – passwords like qwerty, password, admin & liverpoolwillneverwinEPL are matched instantly & sold off immediately. Unknown hash values will then have processing power thrown at them, usually a time-limit is imposed – if not cracked within X time then the hackers will cut their losses & move on.

We’re talking massive amounts of user data here – way back in 2008, MySpace had almost 360 million user/pass combinations taken. The hackers worked that enormous database for a full 8 years before offering it for sale in 2016. Software giant Adobe lost over 150 million user account details in 2013. There have been bigger breaches made public & there’s highly likely to be some even larger ones not yet revealed publicly.

When passed through the SHA-256 (Secure Hash Algorithm), passwords are returned as a 32-byte hash value like this:


This is what’s stored in online databases as passwords. When you return to that website, the password entry is run through the SHA-256 algorithm & compared with the stored hash value, your actual password never touches the website. It follows that a website should never have your password stored in plain text. Ever. Neither should anyone actually, apart from you having it stored in your head.

One of the great features of SHA-256 is that any single alteration in the original input results in a completely different hash value – as displayed below. That’s the same passphrase as above but with one number swapped for the next lower numeral (say passW0rd becomes passW1rd) – yet unrecognisable in hashed form.


Which makes cracking each & every password a substantial effort. Projects such as John The Ripper use Rainbow Tables to shorten the time to success. But even John will struggle to unlock a quality secure password.

Before Rainbow Tables come in to play, there’s the freely available lists of X most popular passwords to consider. Fully 30% of all passwords ever used are in the list of 10 thousand, and there’s optimised & targetted lists of up to the 10 million most popular passwords.

Do you honestly think that should your current password be checked against that list of 10 million, that there’s no chance it’ll be there? 

A single PC using an Nvidia GTX 1080 graphics card, can iterate 350,000 passwords per second. So it’d take a maximum of just 30 seconds of processing to find out… Or, you could make sure of it now.

A brute force attack simply iterates through all possible values until the password is found. Eventually, every password will fall to brute-force, it just will. What matters is how long it takes, this is where your secure password comes in to play.

For a stupidly simple automated brute-force attack on early Apple iCloud security that worked, see my Hack A Mac post from 11/12/2014:

That primitive iCloud attack demonstrates that eventually any brute force attack will get the password it’s looking for – simply because it’s applying every single combination of available input. It just will. How long it takes is where the strength of your password comes into play. In the iCloud example, the 4-digit passcode space is only 10k long – from 0000 to 9999 – so a trained monkey would eventually crack it.

A strong password can take even a 10,000 computer strong botnet well over 1,000 years. A weak one though, will fall in seconds – and then your personal information is matched to your decrypted password, bundled up with some other clean results & sold to fraudsters on the Dark Web.

How Secure Is My Password?

You’re about to find out because you can check your password strength right here, right now. You’ll get an on-the-fly instant analysis of your input, providing pointers on the strengths & weaknesses of your password.

The final metric is how long a single desktop PC would take to crack your password using brute force. That’s an easily understood measurement of your password security.

Browser-depending, the input area background will change colour as you input, red for weak through green for secure. Live password security analysis by

There’s duplicate password security checking fields so you can compare different passwords that you use or have used or maybe intend to use & see the calculated result instantly.

No individual characteristic can create a secure passcode by itself, you need to combine. The single most important characteristic is length – the longer the better. That’s what she said anyway. Second is entropy or randomness. Intersperse your password with special characters. Third is variety – include upper & lower case plus numbers.

xkcd makes it simple to understand:


How long should a quality password take to crack? That depends on your own values. Personally, I recommend a minimum of one million years as measured by the Password Security Checker. Stay strong.

There are published lists of the most common passwords, the master of which is here – Mark Burnett’s 85Mb list of 10 million publicly-accessible hacked passwords, published on A more extensive selection of password lists is available from Daniel Miessler’s Github repository. Containing the most popular passwords in a variety of categories & quantities.

Reversing the most-common password information tells me that the rarest characters used in passcodes are the asterisk * (because that’s what obscures our password entry) and the empty spacebar input. Spacebar is not always allowed but there’s no reason for it not to be. The least used characters will result in the longest time to crack.

Some Stats:
(aggregated from independent studies on various large breaches)

30% of all passwords ever used are in the list of 10 thousand most popular passwords. 

40% of all passwords comprise of lower case letters only, no capitals.

60% of all passwords are alphanumeric, no special characters.

50% use names,dictionary or slang words or trivial character combinations like qwerty.

The single most popular password is still 123456. Which clearly demonstrates that the world is populated by morons.

Unless forced by rules, 30% of all user wil choose 6 or less characters, 50% will choose 7 or less.

4% of all passwords use the full range of available characters – upper & lower letters, numbers & special characters. 

8 Golden Rules of Secure Passwords

If it’s not at least 8 characters long – it’s NOT a password.

If it doesn’t contain upper & lower case letters, numbers & special characters – it’s NOT a password.

If it’s been in use over 12 months – it’s NOT a password.

If you’ve shared it with anyone – it’s NOT a password.

If it doesn’t score better than 100,000 years in the Password Security Checker – it’s NOT a password.

If you borrowed it from somebody else  – it’s NOT a password.

If you ever wrote it down  – it’s NOT a password.

And if it’s NOT a password – DON’T use it as one!!