
123456: The Most Common Password After Every Major Breach

Summary

After every major password database breach, the same passwords appear at the top of the frequency list: “123456,” “password,” “123456789,” “12345678,” and variations. The LinkedIn breach (2012, 117 million accounts) revealed “linkedin” as a top-10 password. The RockYou breach (2009, 32 million accounts) established the canonical breach analysis dataset. Password complexity requirements — mandatory uppercase, numbers, and special characters — were intended to improve security but have been shown to make passwords less secure: users choose “Password1!” rather than a longer, truly random passphrase.

The Breach Data

RockYou was a social media app company whose database was breached in 2009, exposing 32 million plaintext passwords (they were stored without hashing — a fundamental security failure). The RockYou dataset became the standard training set for password cracking tools and academic studies of password behavior. The top passwords were:

  1. 123456 (290,731 occurrences)
  2. 12345 (79,076)
  3. 123456789 (76,790)
  4. password (61,958)
  5. iloveyou (51,622)

The data established that a significant fraction of users — approximately 1-2% — used passwords that appeared in a small list of the most common choices. An attacker who tried only the top 1,000 passwords would access roughly 9% of all accounts in the dataset.

Why Complexity Requirements Fail

The US National Institute of Standards and Technology published password guidance in 2003 (NIST SP 800-63) that recommended passwords containing uppercase letters, lowercase letters, numbers, and special characters, and that they be changed frequently. This guidance influenced corporate IT policy globally for 15 years.

NIST’s own research, published in revised guidance (SP 800-63B) in 2017, found that:

  1. Mandatory complexity rules produce predictable patterns: Users confronted with a “must include uppercase, number, and special character” requirement add a capital letter at the start and “1!” at the end. Attackers know this.
  2. Mandatory rotation makes passwords weaker: Users required to change passwords monthly choose “Password1”, “Password2”, “Password3”… Attackers know this too.
  3. Length matters more than complexity: A 16-character passphrase of random words (“correct-horse-battery-staple”) is far more resistant to brute-force attacks than “P@ssw0rd1”.

NIST’s 2017 guidance reversed its 2003 recommendations: don’t require composition rules; don’t require periodic rotation; do require minimum length (8+ characters); do check against known-compromised password lists.
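The contrast between the two policies, as an added example that is not part of the original article: a 2003-style composition rule next to a 2017 SP 800-63B-style rule (minimum length plus a compromised-password blocklist), run over constructed sample passwords. The `BREACHED` set is a constructed stand-in for a breach corpus; its first five entries are the RockYou top-5 quoted above, the rest are illustrative.

```python
# Constructed stand-in for a breach corpus (first five = RockYou top-5 above,
# the rest illustrative). A real deployment would load a full corpus instead.
BREACHED = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "password1", "password1!", "p@ssw0rd1", "qwerty", "linkedin",
}

def legacy_policy(pw: str) -> bool:
    """2003-style rule: at least 8 chars with upper, lower, digit and symbol.
    It happily accepts the predictable 'Password1!' pattern."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )

def nist_2017_policy(pw: str, breached=BREACHED, min_len: int = 8) -> tuple[bool, str]:
    """SP 800-63B-style rule: minimum length plus a known-compromised blocklist;
    no composition rules, no rotation. Case is normalised before the lookup so
    'Password1!' is caught as well as 'password1!'."""
    if len(pw) < min_len:
        return False, "shorter than minimum length"
    if pw.lower() in breached:
        return False, "found in known-breach corpus"
    return True, "accepted"

def evaluate(candidates):
    """Run both policies over a list of passwords.
    Returns {password: (legacy_accepts, nist_accepts, nist_reason)}."""
    results = {}
    for pw in candidates:
        ok, why = nist_2017_policy(pw)
        results[pw] = (legacy_policy(pw), ok, why)
    return results

if __name__ == "__main__":
    # Constructed candidates: two 'complex' strings that sit in the breach
    # corpus, one short string, and the passphrase the article cites.
    sample = ["Password1!", "P@ssw0rd1", "123456", "correct-horse-battery-staple"]
    for pw, (legacy, nist, why) in evaluate(sample).items():
        print(f"{pw:30} legacy={legacy!s:5} nist={nist!s:5} ({why})")
```

The legacy rule accepts both breached "complex" strings and rejects the passphrase; the 2017-style rule does the reverse.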

Password Managers and the Real Solution

The actual solution to password security — unique, long, random passwords for every service, stored in an encrypted password manager — requires no memorization of complex rules and produces genuinely strong passwords. Password managers have been commercially available since the 1990s but have achieved only partial adoption.

The persistence of weak passwords despite decades of security education reflects a fundamental tension: security practices that impose cognitive burden are not adopted at scale. The field of cybersecurity has increasingly moved toward eliminating passwords entirely through authentication standards (WebAuthn/FIDO2) that use cryptographic hardware keys instead.
