There has been three instances that I know of where a significant number of hacked account passwords have been publicly released. I have obtained the lists and made a thorough analysis of each of them, including the most common passwords and character frequencies. In total, there were 116782 passwords.
In 2006 there was a large scale phishing attack on myspace accounts. Someone found the file on the server where the compromised accounts were being saved to. 47380 emails / passwords were found. A password analysis was done here and here.
In someone noticed an exploit listed on milw0rm for PHPlist, a newletter manager. They found it was running phpBB’s server and used the exploit to steal passwords of users that logged in over the coming weeks. The hacker wasn’t caught but rather made a blogspot account and bragged about it uploading the entire user database (passwords encrypted) and the usernames and passwords of those who logged in while he or she was in control. 28644 username and passwords were uploaded to file sharing sites. A password analysis was done here.
On it was discovered that , a christian dating network, did not have any security at all. Logging in and going to ‘edit profile’, you can see your email, password and other information. The problem is if you give someone the link anyone else free dating apps can see it too, without logging in. Since the only thing different from person to person was the userid, people just changed the number to see other people’s email and password information. Someone made a bot to loop through the pages and captured 40758 username and passwords, then released it to the public. It was later confirmed ebaumsworld did it.
Myspace is mostly teens, phpBB is a forum and is a christian dating site. Teens tend to be more up to date on technology and use better passwords. Myspace also requires that the password be at least 6 characters I believe (the hack was in 2006 so they didn’t require numeric also maybe). Teens are more likely to use references to pop culture than dictionary words or first names. Also since the myspace list is from a phishing attempt aware people often used the fields to insult the scammer so there’s a lot more noise to the list. People tend to use throw away accounts on forums like phpbb because they only sign up to get an answer real quick. Also brute force attacks are much more difficult since it uses captchas and limits login attempts. is for christians so you’ll see more biblical related passwords.
If I had done a brute force attack on all the users this is how many accounts I would have compromised with different dictionaries. The % indicated how successful the dictionary is as a whole, or it could be interpreted as the percent chance each individual account has of being hacked by the associated dictionary.
Firstnames is a list of 5495 parsed first names from and the wikipedia entry of most common given names. Dictionary represents a parsed version of the open office english dictionary (hunspell actually) containing 62220 words. Milw0rm is a a list of cracked passes from milw0rm that were submitted to their hash cracker. Insidepro has a english wordlist with many common passes.
The problem is, tiny but efficient lists like the firstnames list can easily be used against web forms that don’t have captchas for their login in a practical amount of time. It’s even faster with sites like twitter and tumblr with efficient APIs or ajax based logins that send very small amounts of data for validation or can be checked simply by the http return code (eg. 302 for fail, login redirect, and 200 for success). The guy that vandalized 33 twitter profiles actually just did a brute force dictionary attack on a twitter admin and found her password was ‘happiness’. They probably won’t limit login attempts because many twitter apps rely on connecting to thousands of users accounts from the same servers. Multithreaded pipelined programs on high bandwidth connections can easily do several hundred to a few thousands of requests per minute. SSL slows things down significantly but it’s still possible to brute force.