A Billion Passwords Analyzed; Password Firewall Protects You

A student studying in Cyprus recently released the results of an analysis of 1 billion leaked passwords.  This is one of the biggest leaked password data sets ever analyzed and can provide some insights to contemporary password use.  Unfortunately, the results show that the common bad password hygiene that has coinutually plagued the industry, continues to occur.  But, studying such a large dataset has also revealed some other interesting information.  We will go over some of these more interesting discoveries and show you how Password RBL and Password Firewall protect you from these types of problems.


Basic Findings

Out of the 1 billion credentials analyzed, there were only 168.9 million unique passwords in the list.  This means there is a startling amount of password reuse – bad password reuse.  Password RBL specifically blocks these poor and reused passwords.  This prevents Account Takeover Events by preventing users from, knowingly or inadvertently, choosing the passwords that hackers already know and use in password-based attacks.

The most popular password was “123456” – a truly horrible password choice, as this password (or similar ascending numerical variants) has been in the top 10 worst password choices for years now.  In fact, it was so popular that it was 1 out of ever 142 passwords in this dataset!  This password has been blocked by Password RBL since the very beginning of our service.

Password Complexity

Of all the unique passwords in the list, 28.79% were comprised of letters only with 26.16% using lowercase letters only.  Sadly, 13.37% of the passwords used only numbers, which is terrible since there are only 10 characters in the numeric alphabet, making brute-force of numeric-only passwords far easier.  And finally, only 2.04% of the passwords used special characters.

Password Firewall for Windows, specifically addresses password complexity with the Minimum Character Sets Required option.  This allows administrators to choose how many character sets must be present in password choices.  It doesn’t require a specific number of characters from each character set, because it’s only important that the passwords have at least one character from the specified number of sets.

Interestingly, 34.41% of the passwords analyzed ended in a numeric digit (but only 4.52% began with a digit).  This is exactly why Password Firewall has the Password DoubleCheck feature.  It will drop any digits at the end of a password choice and then re-query the Password RBL database with the resulting (truncated) password to see if the end-user has chosen a bad password, but simply added a digit to the end.

Password Reuse

There is plenty more evidence of the bad password reuse happening.  Unique passwords, that are found only once in the dataset, make up only 8.83% of the dataset.  The top 1,000 most common unique passwords from made up 6.61% of all passwords in the dataset.  The top 1 million most common passwords comprised 36.28% of the dataset.  And the top 10 million most common passwords made up 54.00% of the entire dataset.  So an attacker cracking a password database (that did not use password blacklisting) with a wordlist of only the 10 million most common passwords, has a better than 50/50 chance at cracking each password.  This is why password blacklisting is so necessary.

There is diminishing returns in brute-forcing with a larger datasets.  Brute forcing attackers obviously don’t need to.  But, we go even farther at Password RBL.  Our highly curated database currently has over 75 million of the most commonly used bad passwords and is growing every year.  Additionally, we provide a conduit for our customers to simultaneously query the Pwned Passwords database as well.  There is a large overlap in our databases, especially at the top end of the most commonly used bad passwords.  But it is a fairly safe assumption to say that this provides protection from over 500 million bad password combinations, which is more than the total number of unique passwords from this latest analysis.


This analysis confirmed alot of what Password RBL has known for a long time.  People reuse passwords, alot!  And the passwords they are reusing are common and well-known at this time.  These are the passwords you do not want your users or customers using on your network or app/service.

Password RBL provides an easy way to block these bad passwords as well as any custom passwords you want banned, too.  We even provide statistics so you can know if your users are getting better at choosing passwords.  And best of all, subscriptions are inexpensive so organizations of any a size can afford this effective base-layer of security.