Do you know why attackers so often gain access to systems and online accounts so quickly?
It is because the passwords are easily guessable. A recent study of password reuse, which analysed more than one billion leaked login credentials, found that people still choose highly predictable passwords such as ‘123456’. The number of users whose password is exactly ‘123456’ is far from minuscule: one in every 142 passwords in the dataset was ‘123456’, which makes those accounts trivial to break into.
The study was conducted last month by Ata Hakçıl, a student specialising in computer engineering. Prompted by the many data breaches at companies around the world, he set out to analyse the leaked credentials in bulk and identify the weaknesses that make these attacks viable.
The leaked credentials circulate as so-called “data dumps”. These dumps are not new; they have been in circulation for more than half a decade, and every time another company is breached, its credentials are added to the pile.
In an era of data science and deep learning, such dumps are also raw material from which meaningful patterns can be extracted. They are widely available: copies are posted on code-hosting sites such as GitHub and GitLab and shared on hacking forums and file-sharing platforms.
Large vendors such as Google, Microsoft, and Apple also use these dumps to protect their users, warning them when a password they have chosen is weak or already appears in a known leak.
The online service ‘Have I Been Pwned’ likewise collects major data dumps and leaked credentials so that users can check whether their accounts or passwords have been exposed.
Let us now look at how Ata Hakçıl worked through these dumps to derive his findings.
Most Common Passwords Cause Vulnerability
Ata Hakçıl is a Turkish student of computer science and engineering at a university in Cyprus. He downloaded the data dumps available on GitHub and ran a careful analysis over more than one billion leaked credentials.
His analysis reached a loud and clear conclusion: the dataset of more than 1,000,000,000 credentials contains only 168,919,919 unique passwords, and more than 7 million of the credentials use the string “123456”.
Put differently, one out of every 142 passwords in the dump is the weak, common string ‘123456’, which has been reused across online platforms for at least half a decade and is still the most popular choice.
Second, Hakçıl found that the average password length is just 9.48 characters, although experts suggest 16 to 24 characters for a strong password.
Length is not the only factor; complexity also determines the strength of a password, in the sense of special characters and less predictable strings. He observed that only 12% of the passwords in the dataset contain a special character; the rest consist solely of letters and digits. Findings like these highlight the root causes that make attackers’ work easy.
He also examined how users favour convenient, easy-to-type passwords. Of the billion-plus entries, 29% consist of letters only and 13% of digits only. In total, then, 42% of the dataset consists of passwords that an intruder can guess with very little effort and no technical sophistication.
He has published the full findings on GitHub. Here we summarise some of the critical data points.
- Of the 1,000,000,000+ lines in the dumps, 257,669,588 were screened out as either corrupted data or test accounts.
- The dataset yields 168,919,919 unique passwords and 393,386,953 unique usernames.
- The most widespread password is 123456. It accounts for approximately 0.722% of all passwords, i.e. around 7 million occurrences per billion.
- The 1,000 most common passwords account for 6.607% of all passwords.
- The 1 million most common passwords have a hit rate of 36.28%, and the 10 million most common passwords a hit rate of 54.00%.
- The average password length is 9.4822 characters.
- Only 12.04% of passwords contain special characters.
- 28.79% of passwords contain only letters.
- 26.16% of passwords consist solely of lowercase letters.
- 13.37% of passwords consist only of digits.
- 34.41% of passwords end in a digit, but only 4.522% start with one.
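To make the figures above concrete, here is an added example (written for this article, not Ata Hakçıl’s own analysis code) that computes the same kind of statistics over a small constructed dump of `username:password` lines: the screening step, unique counts, the most common password’s share, top-k hit rate, average length, and the character-class percentages. The screening rule (drop rows with no separator, an empty field, or a `test@` account) is an assumption standing in for his filtering step.

```python
"""Replicating the study's statistics on a small constructed sample.

Added example for this article; it is not Ata Hakcil's own analysis code.
The screening rule (drop rows with no separator, empty fields, or obvious
test accounts) is an assumption standing in for his filtering step."""
import string
from collections import Counter

SPECIALS = set(string.punctuation)

# Constructed "username:password" lines, including rows that should be screened out.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:P@ssw0rd!
carol@example.com:123456
dave@example.com:qwerty
erin@example.com:hunter2
frank@example.com:letmein
grace@example.com:123456
heidi@example.com:Summer2019
ivan@example.com:987654321
judy@example.com:Tr0ub4dor&3
test@test.com:test
this line has no separator
mallory@example.com:
oscar@example.com:correcthorsebatterystaple
"""


def parse_dump(text):
    """Split dump lines into (username, password) pairs.

    Returns (credentials, screened_out). Rows without a separator, with an empty
    username or password, or belonging to a test account are screened out.
    """
    creds, screened = [], 0
    for line in text.splitlines():
        user, sep, pw = line.partition(":")
        if not sep or not user or not pw or user.lower().startswith("test@"):
            screened += 1
            continue
        creds.append((user, pw))
    return creds, screened


def top_k_hit_rate(counts, total, k):
    """Share of all credentials covered by the k most frequent passwords."""
    return sum(c for _, c in counts.most_common(k)) / total


def password_stats(passwords):
    """Compute the same kind of figures the study reports for one password list."""
    total = len(passwords)
    counts = Counter(passwords)
    most_common, most_common_count = counts.most_common(1)[0]

    def share(pred):
        return sum(1 for p in passwords if pred(p)) / total

    return {
        "total": total,
        "unique": len(counts),
        "most_common": most_common,
        "most_common_share": most_common_count / total,
        "top3_hit_rate": top_k_hit_rate(counts, total, 3),
        "avg_length": sum(len(p) for p in passwords) / total,
        "special_chars": share(lambda p: any(c in SPECIALS for c in p)),
        "only_letters": share(str.isalpha),
        "only_lowercase": share(lambda p: p.isalpha() and p.islower()),
        "only_digits": share(str.isdigit),
        "ends_with_digit": share(lambda p: p[-1].isdigit()),
        "starts_with_digit": share(lambda p: p[0].isdigit()),
    }


def analyse(text=SAMPLE_DUMP):
    """Screen the dump, then report password statistics plus the screening counts."""
    creds, screened = parse_dump(text)
    stats = password_stats([pw for _, pw in creds])
    stats["screened_out"] = screened
    stats["unique_usernames"] = len({u for u, _ in creds})
    return stats


if __name__ == "__main__":
    for key, value in analyse().items():
        shown = f"{value:.4f}" if isinstance(value, float) else value
        print(f"{key:>20}: {shown}")
```

On the constructed sample, 3 of the 14 rows are screened out, 11 credentials remain, and ‘123456’ covers 3 of the 11 passwords; swapping `SAMPLE_DUMP` for a real dump file read from disk gives the full-scale figures, and `top_k_hit_rate` is what produces the “top 1,000 / 1 million / 10 million” percentages.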
The findings also show how negligent users are about the safety and security of their digital presence and data. Despite repeated incidents, leaks and warnings, a majority of users have apparently learnt no lesson and remain easy prey for attackers.
Just a few weeks ago we wrote about the most common passwords hackers try in order to get into accounts. The new study complements those earlier findings and explains why attackers so often gain easy access to accounts and put users through an ordeal.
Needless to say, with the growing adoption of the internet and smartphones, it is high time users were educated about the impact and threats that such data leaks create for them. On the other hand, software and apps must also require users to choose nothing less than a secure password that meets password security and management best practices.
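The vendors and Have I Been Pwned mentioned earlier, and the “enforce a secure password” point above, come down to the same control: reject a candidate password if it already appears in breach data, instead of relying on composition rules alone. The added example below (written for this article, not code from Have I Been Pwned, Google, Microsoft or Apple) shows how such a check is built with the k-anonymity scheme the Pwned Passwords API uses: the client hashes the password with SHA-1, sends only the first five hex digits to `https://api.pwnedpasswords.com/range/<prefix>`, and compares the returned `SUFFIX:COUNT` lines locally, so the full hash never leaves the client. The range response embedded in the code is constructed (the counts are not real figures; only the `7C4A8` prefix and first suffix are the genuine SHA-1 of `123456`), the 12-character minimum is an assumed policy value, and the live fetch is optional and unused by the offline check.

```python
"""Password acceptance policy driven by breach data rather than composition rules.

Added example for this article; it is not code from Have I Been Pwned, Google,
Microsoft or Apple. The SUFFIX:COUNT line format and the /range/<first 5 hex of
SHA-1> endpoint are those of the real Pwned Passwords API; the sample response
below is constructed (the counts are not real figures), and the live fetch is
optional and never used by the offline check. MIN_LENGTH is an assumed value."""
import hashlib
import urllib.request

MIN_LENGTH = 12  # assumed policy value; no upper bound so passphrases are allowed

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/7C4A8.
# 7C4A8 is the real 5-hex-digit prefix of SHA-1("123456"); the first suffix is the
# remainder of that hash, the other two suffixes and all counts are made up.
SAMPLE_RANGE_7C4A8 = """\
D09CA3762AF61E59520943DC26494F8941B:37359195
0AB1C3F6F9CE3DC3F7E23AA2C77CBDAE5E5:2
1F0ECC6C9C5F4E5EB6AC0E3F5F5F2A7C3D1:1
"""


def sha1_prefix_suffix(password):
    """Hash the password and split the hex digest into the 5-char prefix that is sent
    to the server and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            table[suffix] = int(count)
    return table


def fetch_range_live(prefix):
    """Real network lookup of a hash prefix (not exercised offline)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix):
    """Offline stand-in: only the constructed 7C4A8 bucket is known."""
    return SAMPLE_RANGE_7C4A8 if prefix == "7C4A8" else ""


def breach_count(password, fetch_range=fetch_range_offline):
    """How many times the password appears in the breach corpus (0 if unseen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def evaluate_password(password, fetch_range=fetch_range_offline):
    """Return the list of reasons to reject the password; an empty list means accept.

    There is deliberately no 'must contain a special character' rule: a password
    that has already leaked is rejected however complex it looks, and a long
    unleaked passphrase is accepted even though it is letters only."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        reasons.append(f"appears {seen} times in known breaches")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "correct horse battery staple 42"]:
        verdict = evaluate_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

To use it against the live service, pass `fetch_range=fetch_range_live` to `evaluate_password`; the server still only ever sees the five-character prefix, which maps to hundreds of unrelated hashes, so a logging proxy learns nothing useful about the password being checked.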
A very well written article, Merlyn. It must have taken a lot of effort for you to create such a masterpiece.
I too would like to add my voice to it.
Usually users do not pay much attention to creating strong passwords while registering on a new website. This can be one of the many reasons that a data breach happens. Cyber criminals take advantage of such practices to gain access to an organization's data. The cyber criminals often send phishing mails to customers to gain the login credentials of their accounts. They might also use other methods like brute force attacks or man-in-the-middle attacks etc. for the same. Hence it is very important for any organisation to set its parameters for password generation such that customers create strong passwords and change them periodically.
I am going to share your article with my friends and colleagues. Till then, keep up the good work, Merlyn 🙂