Revealed: passwords that can be hacked in under three seconds
Recent research from card machine and payment solutions provider, Dojo, has analysed over six million leaked passwords to investigate the most commonly used password patterns and how people’s passwords are hacked.
Dojo revealed that Google searches for “how to create a strong password” have surged by +200% in the last 12 months.
Using aggregated data including the Rockyou21 data breach password list, Dojo categorised the top hacked passwords into 25 categories revealing the password patterns you should avoid to stay secure online.
Lowercase passwords with less than 8 characters are hacked in under three seconds
Key: l is lowercase, u is uppercase, d is digits, s is punctuation and other special characters.

| Password pattern | No. of passwords | Avg. password length | Example | Max time in seconds to guess |
|---|---|---|---|---|
| llllllll | 356,174 | 8 | iloveyou | 3.01 |
| llllll | 263,333 | 6 | purple | 0.00 |
| lllllll | 221,761 | 7 | letmein | 0.12 |
| dddddd | 193,879 | 6 | 202201 | 0.00 |
| ddddddd | 150,819 | 7 | 20000000 | 0.12 |
| dddddddd | 145,505 | 8 | 19891989 | 3.01 |
| lllllldd | 132,885 | 8 | london89 | 3.01 |
| ullllllll | 121,139 | 9 | Wednesday | 78.26 |
| lllldddd | 85,547 | 8 | alia1990 | 3.01 |
| lllllllllld | 84,229 | 10 | wednesday1 | 2,034.70 |
With 51% of people using the same passwords for both work and personal accounts, it’s common for people to repeat password patterns that are easy to remember. But the study found that 365,174 passwords feature all lowercase letters and an average password length of eight characters.
When you use this password pattern, hackers can access your data easily, as the number of combinations they need to try is lower. If you are using all lowercase letters for your passwords, it would take hackers just three seconds to guess.
The most common password patterns feature 6-10 characters, with 457,212 password patterns found to contain 6 characters, which would take hackers less than a second to guess.
Increasing the number of characters in your password makes it harder for hackers to guess. With 10 characters, it would take hackers up to 33 minutes to access your password, yet only 84,229 password patterns contained 10 characters.
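To make the link between pattern, number of combinations and guessing time concrete, the following added example (not Dojo's code or method) converts a password into the l/u/d/s notation and counts the candidates that share its pattern. The guess rate is an assumption back-derived from the table's 3.01 seconds for eight lowercase letters, and all function names are illustrative.

```python
import string

# Assumption: the page states no guess rate; this one is back-derived from its
# figure of 3.01 s for eight lowercase letters (26**8 candidates).
GUESSES_PER_SECOND = 26**8 / 3.01

# Alphabet size per class in the page's key (s = the 32 ASCII punctuation marks).
CLASS_SIZE = {"l": 26, "u": 26, "d": 10, "s": len(string.punctuation)}


def mask(password: str) -> str:
    """Translate a password into the page's l/u/d/s pattern notation."""
    symbols = []
    for ch in password:
        if ch in string.ascii_lowercase:
            symbols.append("l")
        elif ch in string.ascii_uppercase:
            symbols.append("u")
        elif ch in string.digits:
            symbols.append("d")
        else:
            symbols.append("s")  # punctuation and anything else
    return "".join(symbols)


def mask_keyspace(pattern: str) -> int:
    """Count the candidates to try when the pattern itself is known."""
    total = 1
    for symbol in pattern:
        total *= CLASS_SIZE[symbol]
    return total


def seconds_to_exhaust(candidates: int) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return candidates / GUESSES_PER_SECOND


def report(passwords):
    """Return (password, pattern, keyspace, worst-case seconds) per input."""
    rows = []
    for pw in passwords:
        pattern = mask(pw)
        space = mask_keyspace(pattern)
        rows.append((pw, pattern, space, seconds_to_exhaust(space)))
    return rows


# Sample inputs are the examples printed in the page's table and tips.
SAMPLES = ["iloveyou", "19891989", "london89", "Wednesday", "Hippo!PizzaRocket1"]
```

Calling `report(SAMPLES)` shows that a digits-only pattern such as dddddddd has only 10^8 candidates, far fewer than the 26^8 of eight lowercase letters, so mixing in digits at predictable positions adds little, while extra length multiplies the count at every position.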
The most common and hackable password categories
| Rank | Term | No. of breached passwords that include the top 20 words/phrases in that category* |
|---|---|---|
| 1 | Nicknames/Terms of Endearment | 1,040,793 |
| 2 | TV show characters | 454,765 |
| 3 | TV shows | 365,386 |
| 4 | Colours | 352,484 |
| 5 | Fashion brands | 298,601 |
| 6 | Cities | 253,960 |
| 7 | Countries | 127,154 |
| 8 | Movies | 70,421 |
| 9 | Body parts | 53,919 |
| 10 | Car brands | 40,971 |
| 11 | Pet names | 33,754 |
| 12 | Swear words | 33,299 |
| 13 | Video game characters | 24,986 |
| 14 | Music artists | 20,768 |
| 15 | Video games | 13,020 |
| 16 | Makeup brands | 12,011 |
| 17 | Sports | 9,039 |
| 18 | Fictional characters | 7,502 |
| 19 | Superheroes | 5,473 |
| 20 | Football clubs | 2,920 |
*The score is calculated by using how many times the top 20 terms/words from each category were included in the most commonly breached passwords list.
Using terms of endearment is the most popular password pattern
Out of the top 20 most common password categories, 1.4 million passwords were found to use terms of endearment as their chosen password category. According to Dojo’s data, terms of endearment feature words such as “King”, “Rose”, “Love”, and “Sexy” to name a few.
| Rank | Term of endearment | Total no. of breached passwords |
|---|---|---|
| 1 | King | 948,203 |
| 2 | Rose | 30,506 |
| 3 | Love | 19,310 |
| 4 | Boo | 8,575 |
| 5 | Hero | 5,619 |
| 6 | Angel | 4,518 |
| 7 | Baby | 3,797 |
| 8 | Sexy | 2,622 |
| 9 | Gem | 2,232 |
| 10 | Lover | 2,026 |
Using terms of endearment to build a password puts you at a higher risk of being hacked, as these words are often under five characters, making it easier for hackers to use a dictionary attack to access your accounts.
Passwords including colours were also revealed as one of the most hacked password categories, with ‘Red’ featuring in 331,000 passwords, ‘blue’ (4,423), and ‘black’ (3,360).

| Rank | Colour | No. of breached passwords |
|---|---|---|
| 1 | Red | 331,756 |
| 2 | Blue | 4,423 |
| 3 | Black | 3,360 |
| 4 | Gold | 2,546 |
| 5 | Green | 2,364 |
| 6 | Pink | 1,496 |
| 7 | White | 1,424 |
| 8 | Brown | 1,111 |
| 9 | Silver | 1,017 |
| 10 | Grey | 576 |
How do passwords get hacked?
Whilst most people associate phishing and malware with password hacking, many hackers are successful by simply guessing the most common password patterns. According to Dan Walker at ITpro, these are just some of the most common methods used by hackers to decipher passwords:
- Brute force attacks, in which hackers use trial and error to guess your passwords.
- Dictionary attacks, in which hackers guess common words or phrases.
- Guessing weak passwords, which has become easier for hackers as they base their guesses on information found through your social media accounts, such as your pet or partner’s name.
How to create a strong and unique password
The study found that over 1.5 million passwords were eight characters or less with terms of endearment being the most common password category. So, to ensure you have a strong and unique password, Dojo advises following these tips.
- Creating a password with a minimum of 8-12 characters that uses a mix of special characters, numbers, and capital letters can be difficult to remember. So, the latest guidance from the National Cyber Security Centre (NCSC) recommends combining 3 random words that each mean something to the user – this is a great way to create a password that is easy to remember but hard to crack. They can include numbers and symbols if needed, for example, “Hippo!PizzaRocket1”.
- Set up MFA (multi-factor authentication), which is available on most apps and accounts that require a password.
- Alongside MFA, the NCSC advises choosing a unique, strong password and only changing it if it has been breached. You can use services like Have I Been Pwned (HIBP) to monitor if your username and password have been breached.
- Don’t use personal information that is easily accessible through your online presence.
- Use a credible password manager to help you create unique, strong passwords so that you don’t have to remember them.
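For the HIBP tip above, this added example (not from Dojo or the HIBP project) shows how a password can be checked against HIBP's Pwned Passwords range endpoint without sending the password or its full hash: only the first five hex characters of the SHA-1 digest leave the machine. No network call is made here; the response body is constructed for the demonstration and the function names are illustrative.

```python
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return the (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL a client would request; it carries only the hash prefix."""
    return RANGE_ENDPOINT + split_hash(password)[0]


def breach_count(password: str, range_body: str) -> int:
    """Look up the password's hash suffix in a range response.

    The body is a list of SUFFIX:COUNT lines for one prefix, so it must be
    the response fetched for this password's own prefix. Returns 0 if absent.
    """
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def constructed_range_body() -> str:
    """Constructed stand-in for the response to the prefix of 'iloveyou'.

    The counts and the two filler suffixes are made up for this example.
    """
    _, suffix = split_hash("iloveyou")
    lines = ["0" * 34 + "A:3", suffix + ":1234", "F" * 35 + ":0"]
    return "\r\n".join(lines)
```

A non-zero result from `breach_count` means the password appears in known breach data and should be replaced with a unique one.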