Passwords, Revisited

By Eric Wuehler on May 07, 2018

Ahh, Passwords.  We have work passwords, personal passwords, super secret passwords, even throw away passwords.  Have you ever stopped to wonder how “secure” your passwords actually are?  Thanks to cybersecurity writer and researcher Troy Hunt, you can now check. Troy runs the website ‘;– Have I been pwned? and recently pulled together the data he has been collecting and created a service that manages half a billion passwords that have been seen in various data breaches and a count of how many times each password has been seen.

If your password lives in this database, it is no longer a secret.

So just for fun, let’s explore this data.  Say you’re a fan of the NFL Green Bay Packers.  You’d (of course) never use the password “greenbay”.   Which is good, because it has been used as a password 12,066 times in various breaches.  What about something tricky like “gr33nb@y”?  (Nope – that one has been seen 28 times.)  Throw in some capital letters like “Gr33nB@y”?  (Strike 2.  That’s been seen 8 times.)  Let’s try adding a symbol “Gr33nB@y#1” – that will be unique!  (Nope.  Strike 3.  That’s been seen 9 times.)

Unless your password is a long string of random characters, the probability it has been exposed in a breach is pretty good.  And how do you remember a long string of random characters? Hint, hint: a password manager.  And guess what password managers – thanks to Troy’s service – can now do?  They can check whether the password you’d like to use has already appeared in a breach.
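As an added illustration (this is not code from the post, from McAfee, or from Troy Hunt’s service), here is how a password manager can perform that check without ever sending the password itself. The Pwned Passwords range API works on a k-anonymity model: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every hash suffix sharing that prefix together with its breach count, one `SUFFIX:COUNT` line per row. The client then looks for its own suffix locally. The `fetch_range` helper below does the live HTTPS call; the offline demo instead uses `constructed_lookup`, a stand-in whose response body is constructed here (the 12,066 count for “greenbay” is taken from the post; the two neighbouring suffixes are made up).

```python
import hashlib
from typing import Callable, Dict, Tuple

# Base URL of the Pwned Passwords range endpoint (k-anonymity model):
# the request carries only the 5-character SHA-1 prefix, so neither the
# password nor its full hash leaves the client.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 of the password, split into a 5-char prefix
    (sent to the service) and a 35-char suffix (kept on the client)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus
    (0 if the suffix is not in the returned range)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash-prefix range over HTTPS (not used by the
    offline demo below)."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_lookup(prefix: str) -> str:
    """Constructed stand-in for fetch_range: a fake range body containing the
    real suffix for 'greenbay' (count from the post) plus two made-up
    neighbours. The prefix argument is ignored by this stand-in."""
    _, gb_suffix = sha1_prefix_suffix("greenbay")
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{gb_suffix}:12066",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ]) + "\r\n"


if __name__ == "__main__":
    for candidate in ("greenbay", "a-long-random-string-not-in-the-corpus"):
        n = breach_count(candidate, constructed_lookup)
        verdict = f"seen {n} times, do not use" if n else "not found in this range"
        print(f"{candidate!r}: {verdict}")
```

To run the check for real, pass `fetch_range` instead of `constructed_lookup`; only the five-character prefix ever appears in the request, which is what makes it safe for a password manager to query the service with a password the user is about to adopt.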

Let’s look at some more passwords.  Sticking with the sports theme – say you’re a Boston Red Sox fan – the password “yankeessuck” has been seen 367 times.  Yankees fan?  “redsoxsuck” – 185 times.  How about the Premier League – say an Arsenal fan might go with “chelseasucks” (30 times) and Chelsea fans with “arsenalsucks” (27 times).  Maybe you’re a more optimistic NBA fan – if Golden State is your team, the password “warriorsrule” shows up 35 times.  Cavaliers fan?  “clevelandrocks” shows up 68 times.

Proud of your home state? You probably don’t want to use it as a password; “newyork” – 93,558 times, “california” – 78,972 times, “florida” – 74,587 times.  Every state makes the list.  Favorite celebrities your go-to for passwords?  Well, “beyonce” has been used as a password 20,014 times, “selenagomez” 5,417 times, Dwayne “therock” Johnson – 38,234 times, Cristiano “ronaldo” – 112,121 times.  Countries? “USA” 406 times, “india” 49,222 times, “england” 50,919 times, “spain” 4,060 times (even “españa” with the ñ has been seen 212 times).  Foods?  “hamburger” – 10,864 times; “hotdog” 61,680; “fishandchips” 1,271 times; “sushi” 7,395 times; and (just for Troy) – “vegemite” has been seen 1,845 times.

Looking at slightly more mundane passwords, the password “password” appears over 3.3 million times in the breach data.  The password “123456” shows up over 20 million times.  It’s not all English either: the word for “password” in Spanish, “contraseña”, shows up 1,045 times, in German “passwort” shows up 57,177 times, in Russian “пароль” 13,466 times, and even the Maori word “kupuhipa” shows up 3 times.

So as much as we would each like to think we are being clever with our passwords and the patterns we create for ourselves to remember them, it is safe to say that in a global context, the password has likely already been used by someone else.  Don’t take my word for it – go look them up for yourself here (but maybe don’t look up a password you’re currently using).

Oh, and before I forget…  You should use a Password Manager.  Really.  You should.

About the Author

Eric Wuehler

Eric Wuehler is a Principal Engineer in the Office of the CTO at McAfee. He is a seasoned developer and architect with more than 20 years of experience in product innovation, research and development with a strong focus in security since 2004. In his free time, Eric pokes around with mobile development, wires together homemade ...
