Hackers and the Passwords They Use

Posted by Pete Jun.26, 2014 in Passwords & Security

Passwords are the Achilles’ heel of the average hacker.

Just think how unfair it would be if hackers were able to break into other people’s accounts while they themselves were protected by strong login credentials. As it is, a recent study reveals that hackers are at just as much risk as the average person of having some bad guy hack their accounts.

That makes us giggle. :-)

They’re bad guys, so we get it that they don’t do the right thing and use a password manager. (That would be like bank robbers in the movies buckling up before flooring the gas pedal.) We just thought they might be a bit more sophisticated in their online security. You know – being smarter because they would want to avoid the pitfalls of bad passwords that they exploit in their attacks on other people.

Kudos to Avast blogger Antonin for taking a look at the strength of hacker passwords! He went through years of password data collected by the Avast antivirus team and did a bit of analysis on the numbers.

Some of the findings:

  • Just like Auntie Em, hackers gravitate to the sweet spot of 6 characters long. (5 characters came in second place.)
  • Hackers don’t like to mix it up: they mostly use only lower case letters. When they do use upper case, they use caps for the entire password string.
  • They don’t always use numbers, but when they do, they prefer the number 1.
  • English is the preferred language for hacker passwords.
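
The same kind of tally (length, letter case, digits) can be run over any password list you are responsible for auditing. The Python below is an added example, not code from the Avast study or from this post; the sample list and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample passwords for illustration; not data from the Avast study.
SAMPLE = ["hacker", "root1", "ADMIN", "qwerty", "pass1",
          "r00t", "secret", "Passw0rd", "toor11", "123456"]


def case_style(password):
    """Classify a password by the case of its letters only."""
    letters = [c for c in password if c.isalpha()]
    if not letters:
        return "no-letters"
    if all(c.islower() for c in letters):
        return "all-lower"
    if all(c.isupper() for c in letters):
        return "all-caps"
    return "mixed"


def profile(passwords):
    """Return length, case and digit statistics for a list of passwords."""
    lengths = Counter(len(p) for p in passwords)
    digits = Counter(c for p in passwords for c in p if c.isdigit())
    return {
        "total": len(passwords),
        # The two most frequent lengths as (length, count) pairs.
        "top_lengths": lengths.most_common(2),
        "case_styles": Counter(case_style(p) for p in passwords),
        # Number of passwords that contain at least one digit.
        "with_digits": sum(any(c.isdigit() for c in p) for p in passwords),
        # The single most frequently used digit, or None if no digits occur.
        "top_digit": digits.most_common(1)[0][0] if digits else None,
    }


if __name__ == "__main__":
    for key, value in profile(SAMPLE).items():
        print(f"{key}: {value}")
```
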

It’s almost a relief to know that bad guys are just as lazy with their passwords as the average person.

Of course, we’re not talking about you! You’re not average precisely because you do use a password manager.

The next study we’d like to see is to find out if hackers share their passwords with their sweethearts.


  • Meindert Jorna

    A bit strange to read: “He went through years of password data collected by the Avast antivirus team and did a bit of analysis on the numbers.” This sounds like an illegal study using illegal materials. How is it possible for someone to do analysis on password data which was collected by an antivirus team? So even our Virus protected passwords are part of studies?….. :(

    • http://www.stickypassword.com/ Sticky Password

      Hello Meindert, see the source of the passwords from the Avast article:

      “Over the years of fighting malware, the avast! Virus Lab has gathered many samples of various back-doors, bots and shells. Some of them are protected with a password encoded in MD5, SHA1 or in plain text, so it was good way to start. I looked at 40,000 samples of hackers’ passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes. I created statistics from those words, and here are my findings.”

      So the data come from the bad guys, don’t worry.

  • http://www.ComputerConciergeNY.com/ Mike Klubok

    Not surprised. We hear how criminals log onto Facebook on a burglary victim’s computer, people bragging about their criminal exploits on social media, an auto theft leaving his business card in the stolen car. Why would hackers be any different?

    • http://www.stickypassword.com/ Sticky Password

      Good point Mike! Bad guys are just people too. LOL

      When it comes to security, the bad guys can’t be bothered. We take that as a positive sign. What does that say about their attacks? Are they counting on the low hanging fruit of lazy users? Taking basic precautions just might raise the bar of security higher than most bad guys can jump.