10,000 Top Passwords

Mark Burnett
Published in XATO · 3 min read · Jun 21, 2011

[Note: this article originally had incorrect numbers which have been corrected after re-running the calculations with the original data.]

If you came here looking for 10,000 passwords, you probably want to look at this newer article where you can find 10 million passwords.

Back when I wrote Perfect Passwords, I generated a list of the top 500 worst (aka most common) passwords, which seems to have propagated quite a bit across the internet, including being mentioned on Gizmodo, Boing Boing, Symantec, Laughing Squid and many other sites. Since then I have collected a large number of new passwords, bringing my current list to about 6.5 million unique username/password combos, including many of those that have been recently made public*.

At some point I will make this full data set publicly available but in the meantime, I have decided to release the following list of the top 10,000 most common passwords. This list is ranked by counting how many different usernames appear on my list with the same password. Note that for this list, I do not take capitalization into consideration when matching passwords so this list has been converted to all lowercase letters.

Here are the files:

[Links removed as they are quite old. See this article for a more updated list]

While many people have improved the security and strength of their passwords, there are still a huge number of people who pick from a very small list of common passwords. In fact, 40% of all passwords appear in the top 100 list.

Here are some interesting facts gleaned from my most recent data:

  • 0.5% of users have the password password;
  • 0.4% have the passwords password or 123456;
  • 0.9% have the passwords password, 123456 or 12345678;
  • 1.6% have a password from the top 10 passwords;
  • 4.4% have a password from the top 100 passwords;
  • 9.7% have a password from the top 500 passwords;
  • 13.2% have a password from the top 1,000 passwords;
  • 30% have a password from the top 10,000 passwords.
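The ranking method described earlier (distinct usernames per lowercased password) and the "top N" coverage figures in the list above can be computed as in the following added example, which is not the author's code. The sample pairs are constructed, and the coverage denominator (unique username/password pairs) is an assumption about how the percentages are defined.

```python
from collections import defaultdict

# Constructed sample data, not taken from the article's data set.
SAMPLE_COMBOS = [
    ("alice", "Password"), ("bob", "password"), ("carol", "123456"),
    ("dave", "PASSWORD"), ("erin", "123456"), ("frank", "dragon"),
    ("alice", "password"),  # same user, same password once lowercased: counted once
    ("grace", "x9!Lq2#vT"), ("heidi", "tr0ub4dor&3"), ("ivan", "qwerty"),
]


def rank_passwords(combos):
    """Rank passwords by how many different usernames use them.

    Passwords are lowercased before matching, as the article describes.
    Returns a list of (password, distinct_user_count), most common first.
    """
    users_by_password = defaultdict(set)
    for username, password in combos:
        users_by_password[password.lower()].add(username)
    counts = {pw: len(users) for pw, users in users_by_password.items()}
    # Descending count, then alphabetical so ties sort deterministically.
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def coverage(ranked, top_n):
    """Fraction of unique username/password pairs covered by the top_n passwords.

    Assumption: the denominator is the total number of unique pairs.
    """
    total = sum(count for _, count in ranked)
    covered = sum(count for _, count in ranked[:top_n])
    return covered / total if total else 0.0


if __name__ == "__main__":
    ranked = rank_passwords(SAMPLE_COMBOS)
    for rank, (password, users) in enumerate(ranked, start=1):
        print(f"{rank:>3}  {users:>3}  {password}")
    for n in (1, 2, 5):
        print(f"top {n}: {coverage(ranked, n):.1%} of accounts")
```

Run against an organisation's own breach-monitoring or audit data, the same two functions show how much of the user base a small blocklist of common passwords would protect.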

So how does the new top 500 list compare to my old top 500 list? Here is a visual diff that shows how it has changed:

* Note that all passwords on this list are from publicly available sources and can be found by anyone. The list does not include the 30 million passwords from the RockYou release because the list does not contain usernames and therefore duplicates with my own list cannot be detected and so they cannot be merged.

This work by Mark Burnett is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Short URL for this article is https://xa.to/top10k
Follow me on Twitter or GitHub or ask me a question on Quora

IT security analyst and author working in application security, passwords, authentication, and identity. Based in South Weber, Utah https://xato.net