We will, we will RockYou: A list of firsts

Last December, a hacker acquired the password list for RockYou by exploiting a SQL injection vulnerability which revealed the usernames, email addresses and passwords of a whopping 32.6 million users. And worst of all (besides the company’s attempt to first cover up the incident, then downplay it), the passwords were stored in plain text! Not that hashing would have slowed an attacker down much. Most users’ passwords consisted of short, common words or were all-numeric.

I ranked the 14.3 million unique case-sensitive RockYou passwords by frequency and reviewed the top 2,000 uniques (accounting for 4.7 million users’ passwords) to identify the top passwords by category, some of which are shared below.

Eminem is more popular than Jesus as a password for RockYou users? Who knew? 7,241 uniques of “eminem” versus 5,866 for “jesus”. When case-sensitivity is ignored the same holds true. 7,594 uniques for 7 variations of “Eminem” versus 6,449 for 9 variations of “Jesus”.

| Category | Password | Rank |
|---|---|---|
| Numeric sequence | 123456 | 1 |
| Passphrase | iloveyou | 5 |
| Female name | nicole | 11 |
| Male name | daniel | 12 |
| Animal | monkey | 14 |
| Fictional character | tigger | 25 |
| Food | chocolate | 27 |
| Sport | soccer | 29 |
| Color | purple | 33 |
| Profanity | fuckyou | 39 |
| Palindrome | hannah | 50 |
| Magazine | playboy | 59 |
| Slang | hottie | 62 |
| Entertainer | eminem | 75 |
| Religious figure | jesus | 103 |
| Place | america | 121 |
| Non-English word | sakura | 114 |
| Band | blink182 | 165 |
| Website name | myspace | 182 |
| Non-English passphrase | mahalkita | 198 |
| Month | september | 200 |
| Zodiac astrological symbols | gemini | 211 |
| Company name | samsung | 255 |
| City | barcelona | 273 |
| American city | orlando | 275 |
| Country | portugal | 301 |
| Auto manufacturer | mercedes | 353 |
| Repeating letter sequence | aaaaaa | 374 |
| Sports team | steaua | 400 |
| Drink | cocacola | 471 |
| Sports team (American) | lakers | 480 |
| Musical instrument | guitar | 550 |
| Celebrity (female) | shakira | 569 |
| Drugs | maryjane | 597 |
| Contains special character | iloveyou! | 984 |
| First letter capitalized only | Password | 1856 |
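
The frequency ranking, the share of accounts covered by the top passwords, and the case-insensitive comparison described above can be reproduced on any password list with a short script. This is an added example, not the script used for this post: the sample list is constructed, and all function names are illustrative. It also shows the defensive use of such a ranking, a deny-list checked at registration time.

```python
from collections import Counter, defaultdict

# Constructed sample: one entry per account, as in a plaintext dump.
SAMPLE = (["123456"] * 6 + ["iloveyou"] * 3 + ["eminem"] * 3 + ["Eminem"]
          + ["EMINEM"] + ["jesus"] * 2 + ["Jesus"] + ["JESUS"] + ["x9!Tq"])


def rank_passwords(passwords):
    """Return [(rank, password, count)] by descending case-sensitive frequency."""
    counts = Counter(passwords)
    # Ties are broken by the password itself so the ranking is deterministic.
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(i, pw, n) for i, (pw, n) in enumerate(ordered, start=1)]


def coverage(ranked, top_n):
    """Fraction of all accounts that use one of the top_n unique passwords."""
    total = sum(n for _, _, n in ranked)
    return sum(n for _, _, n in ranked[:top_n]) / total


def case_variants(passwords):
    """Group by case-folded form: {folded: (accounts, sorted variants seen)}."""
    totals, variants = Counter(), defaultdict(set)
    for pw in passwords:
        key = pw.casefold()
        totals[key] += 1
        variants[key].add(pw)
    return {k: (totals[k], sorted(variants[k])) for k in totals}


def build_denylist(ranked, top_n):
    """Case-folded set of the top_n passwords, for rejecting new choices."""
    return {pw.casefold() for _, pw, _ in ranked[:top_n]}


def is_allowed(candidate, denylist):
    """Reject a candidate that matches a deny-listed password in any casing."""
    return candidate.casefold() not in denylist


if __name__ == "__main__":
    ranked = rank_passwords(SAMPLE)
    for rank, pw, n in ranked[:4]:
        print(rank, pw, n)
    print("top-3 coverage:", round(coverage(ranked, 3), 3))
    print("eminem variants:", case_variants(SAMPLE)["eminem"])
```

Matching the deny-list on the case-folded form means a capitalized variant of a common password is rejected along with the lowercase original.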