Most Common Passwords of 2015


The list of top 10,000 most common passwords list for 2015 was compiled by Mark Burnett @

I took the data that he pulled from his list of 6.5 million username and email combinations and did some quick analysis myself.

  • The top 10,000 most common passwords of 2015 consisted of 28.85% of the 6.5 million users.
  • 79% of the passwords were shorter than 8 characters.
  • The top 10 passwords consisted of 1.51% of all passwords.
  • The top 100 passwords consisted of 4.22% of all passwords.


  • Password Length

# of passwords >= 8      2,084
# of passwords = 7         2,055
# of passwords = 6         3,535
# of passwords = 5         1,180
# of passwords = 4         1,129
# of passwords = 3         8
# of passwords = 2         1
# of passwords = 1         8

# of passwords > 14       1

Password Recommendations

  1. Longer and more complex is better.

Brute forcing a password takes exponentially longer as length increases.  Keyspace when referring to cryptography is the total number of available characters that can be used to create a password or key.  If you take into account the layout of the standard US keyboard, the keyspace available to create passwords is 93 characters (uppercase, lowercase, numbers and special characters).   This gives a keyspace of 2^93 per character.  Due to statistical analysis of passwords, patterns in password generation have been recognized.   Do not spell a word forwards and then backwards.   Do not use l337 speak.  Do not put a year and an exclamation point at the end of a word.

2.  Use a password manager.

Although the study is dated (2007), a study done by Microsoft showed that users only have 6.5 passwords per 25 online accounts.  It is not likely that people have changed their habits.   Long, complex and unique passwords is not convenient or easy to remember.  Love or hate password managers, in my view, it is better to have unique passwords for your sites and have to remember or keep on your person one super complex and long password than to have re-used passwords.  Password managers have generators that can create long, random passwords with the appropriate complexity.

3.  Use passphrases.

Rainbow tables, cloud computing, statistical analysis and the use of GPU’s in password cracking has created a wealth of knowledge, tools and methods to brute force passwords.  Common passwords take no time to break any longer.   They have all been pre-computed.  Passphrases get around this by making it computationally difficult to create rainbow tables for all the variables of a 35+ character passphrase.

You can pick things such as “I love to walk in the park at 2, and sing with the chickadees!”

A few words of warning however:

Do not use song lyrics or common quotes.

Do not be trite.

Do not use any publicly known information.

4.  Use multifactor authentication

If possible, utilize multifactor authentication to help protect your accounts.  This creates another barrier to accessing your account.  Instead of just relying on the password (something you know), you pair that with a token (something you have) or a fingerprint or iris scan (something you are).  A number of the major internet services such as Facebook, Twitter and Google have implemented a second factor of authentication.  There are also off the shelf hardware tokens that you can purchase and use such as Yubikey.

5.  Don’t roll your own authentication

Properly securing authentication and authorization is hard.   Many large companies have made mistakes and created vulnerabilities when developing access control software.  Use the tried and true access control technologies out there instead of trying to create your own.

Password hacking has gotten easier over the years as technology has gotten better and many, many passwords have been leaked allowing true statistical analysis and pattern modeling to be done.  What are some of your thoughts on how best to protect passwords and what the future of passwords is?

Leave a Reply

%d bloggers like this: