Popular numbers used in leaked passwords

Last time we’ve seen some popular fictional passwords, and how they are used in Exploit.in – a collection of 739,861,478 leaked passwords. I wanted to take another look at some popular numbers and how they are used in passwords.

π

How many digits of Pi have you memorized? I’ve got 6 digits after the decimal: 3.141592. Not bad, but could be better. Let’s see how far the Exploit.in community takes it:
17,713 password have exactly 7 decimal places of Pi (1415926). 1,626 have 10 decimal digits. The record is a single password with 37 digits of Pi – 1415926535 8979323846 2643383279 502884179. The last two digits in that password are cunningly reversed (79 instead of 97), so unfortunately they don’t count.

Here’s a breakdown for the digits of Pi in passwords:

Math constants

Same as with Pi, I’m only considering digits after the decimal point:

Value	Digits	Passwords
e	7182818284	337
e	71828182845904523536	7
√2	4142135623	114
√3	7320508075	21
Phi	6180339887	86
Euler Mascheroni	5772156649	1

Didn’t make it: Conway’s Constant, Khinchin’s constant, and Glaisher Kinkelin.

Fibonacci sequence

One advantage of the Fibonacci sequence is that if you forget your password you can always calculate it. 25,316 unforgettable passwords contain 8 Fibonacci numbers (1 through 21). Only 4 passwords make it all the way to the 15th number, 610:

Physics and Chemistry constants

Number		Digits	Passwords
Light Speed	Meters/Second	299792458	1988
Light Speed	Miles/Second	186282	298
Light Speed	Kilometers/Second	299792	2561
Light Speed	Miles/Hour	670616629	1
Avogadro	6.02×1023	6021023	259
Avogadro	6.022×1023	60221023	73

Avogadro passwords that make good use of special characters include m602x1023e and 602*1023.

Pop-culture numbers

Unsurprisingly, numbers that appear on TV or song lyrics make their appearance in passwords. I couldn’t find too many examples:

Music

Tommy Tutone	867-5309 / Jenny	8675309 (Exact password)	13894
Tommy Tutone	868-5309 / Jenny	8675310 (contain)	28231
Queens of the Stone Age	Regular John	16278263789	7

LOST

40,430 passwords are exactly 4815162342. Additional 34,318 password contain 4815162342, and another 1,058 passwords have The Numbers with separators, for example L48O1516S2342T.

See also

For a more serious analysis of password trends and common patterns:

• Analyzing the Patterns of Numbers in 10 Million Passwords – By Max Woolf
• How are users choosing their passwords on the internet?
• Why So Many People Make Their Password ‘Dragon’ – By Louise Matsakis, Wired (warning: soft paywall)
• Unmasked: What 10 million passwords reveal about the people who choose them

Advertisement

Speak Friend and Enter – Do people actually use movie passwords?

Can you think of a famous password, such as one used in a book or a movie? Do people see passwords being typed on screen and think “hey, now that is a pretty good password…”? I downloaded the Exploit.in combo list containing over seven hundred million leaked logins and tried to look how often than happens.

Famous passwords used in real leaked passwords:

The clear winner here is Mission Impossible with 948 password containing AW96B6. A nice second is TrustNo1 from The X-Files which appears in 629 passwords. Next we have 386 passwords containing Swordfish – a classic password from 1932 with its own Wikipedia page.
The safe combination from Inception, 528491 is used in 168 passwords, sometimes accompanied by character names like 528491c0bb or eames528491.

“Damn it, Ethan, you don’t have to press Caps Lock for each letter…”

I thought many The Lord of the Rings fans will choose “Speak Friend” as their password – but not even one person did. The elf word for “friend”, Mellon, appears 107 times. We also have 6 YouShallNotPass, and even one SpamShallNotPass.
Finally, there are 11 My Preciouses, including My Cat Precious and My Precious Girl (which still count! we have to be fair toward other phrases that didn’t get this level of scrutiny).

Movie or Book Title	Password	Count
Mission Impossible	AW96B6	948
The X-Files	TrustNo1	629
Horse Feathers	Swordfish	386
Die Hard	Akagi (Whole word)	241
Inception	528491 (Exact number)	168
LotR	Mellon	107
Arabian Nights	Open Sesame	37
Watchmen	Rameses 2	18
Casino Royale	836547 (Exact number)	14
LotR	My Precious	11
LotR	Shall Not Pass	7
Watchmen	Rameses II	6
National Treasure	Valley Forge	3
Who Framed Roger Rabbit	Walt sent me	1
The Net	Natoar23ae	1
Tron	Reindeer Flotilla	0
Matrix	Zion 0101	0
LotR	Cannot Pass	0

Harry Potter

I didn’t plan on having so many Harry Potter passwords, but the good people at wikia made it too easy – they have a page with dozens of passwords used in the books. I’ve split them into three types:

Harry Potter passwords that are also Latin or other known phrases or snacks:

Password	Count
Acid Pops	377
Fizzy Pop	259
Baubles	241
Alea iacta est	179
Catweazle	135
Quid Agis	31

Harry Potter Pass-phrases

Password	Count
Dumbledore	23
Balderdash	8
Studious Success	6
Tapeworm	3
Caput Draconis	2
Flibbertigibbet	2
Pig Snout	1
Fortuna Major	1

Passwords based on Harry Potter spells:

Spell	Brief Description	Count
Accio	(Contained in password as a whole word) Fetch something. Reasonable password.	885
Accio	(The whole password is just “accio” with no additional characters.)	555
Stupefy		223
Alohomora	Open locks. Makes sense.	68
Imperio		35
Crucio		17
Avada Kedavra		15
Expelliarmus		9
Sectumsempra		5
Impedimenta		3
Reparo		3
Expecto Patronum		2
Confundus		1

No muggle had used any of the following passwords:
Wattlebird, Oddsbodikins, Scurvy Cur, Banana Fritters, Fairy Lights, Mimbulus Mimbletonia, Abstinence, Dilligrout, Sherbet lemon, Cockroach cluster, Fizzing Whizzbees, Toffee Eclairs, Chocolate Frogs, Dissendium, Slytherins are Supreme, Facta non verba, Sea Serpent, This Password is Absurd, Libraries Liberate, Dragon s Egg, Light against Darkness, Chops and Gravy, Dashing Cadogan, Forget Me Never, Lunartickle, Surreptitiousness, Wanglewort, up to no good, nor Mischief Managed.

I see “This Password is Absurd” is up for grabs, so I’m calling it – this is my password now.

Technical Details

I’ve found the combo list on Google. It took me about an hour before I know the term “combo” or the name “Exploit.in”. I will not link it from here though.
The combo contains 111 files with lines in the format {email}:{password}, for example:

jane@example.com:12345
bob@example.com:pa$$word

From each line I’ve kept just the password and the TLD. I’ve loaded all data to an SQLite database, and grouped identical rows – keeping the count, of course. Having the data SQL made analyzing it very easy.
To automate some of queries I used KNIME – not so much for its analytics, mainly because is automatically saves results to disk.

Password comparisons were all case-insensitive, and multi-word password are filtered using SQL Like, as where password like '%fizzy%pop%'.

Bonus

2,289,587 Spaceballs fans use 12345 as the first number in their passwords. 601,874 have 12345 as their entire password.

Getting Stack Overflow votes by choosing a cuter icon

I have posted 1,386 answers on Stack Overflow. That’s quite a lot.
A few of my answers are popular – they pop up on Google as top results. Some of these get voted every day. Even when I am not active on Stack Overflow, I still get a few dozens reputation points almost daily. Lucky me!
Recently I got an idea – are people more likely to vote if they like the user icon? Can changing my icon get me more votes each day?
Currently I have over 93K reputation points – would I have gotten to 100,000 already had I a different icon all of these years?
I checked.

I picked my 30 most popular answers and tracked the votes they were getting each hour. I also tracked how many views and votes their questions were getting.
Each week on Sunday I changed my user icon. Here are the icons I used:

• The flag of the United States of America. The greatest country in the world.
• The flag of India.
• A photo of a plush fox from Japan.
• My wife Suzi wearing a hat. She volunteered.
• Me and my regular icon. Looking at it again, it is a little over-exposed, and I look a little pale.

Results

Both flags performed poorly, while the Fox and Suzi Wearing a Hat did best.
It also makes sense to look at how many views we got each day:


The number of views is similar each week. Still, relative to the total number of views, it looks like Fox performed a little better than Suzi Wearing a Hat. This trend also appears on a daily breakdown:

Flags

I picked the flags of the USA and India mainly because of the time difference between them – there is almost no intersection of the working hours between India and the USA. I wanted to see if the icon affects the times I was getting votes. That didn’t work:

Question Statistics

The question voting statistics weren’t constant either. This reflects poorly on the previous results – it is possible it is all random.

Is this a thing? Time for Round II!

I took the Fox and the USA flag to a second round, to see how they did:
Even after a month the fox and flag had consistent results!

Conclusion?

I think it worked! Changing the icon seems to affect how many votes I’m getting.
Thanks!

Disclaimers

1. Maybe the numbers are too small for a meaningful conclusion.
2. I don’t even know enough statistics to write an Hello World program in R.
3. There was an outlier during the second USA flag run – one question received a lot of views. It doesn’t affects the results much, even when zeroed out.
4. USA Flag re-run got a down-vote. I didn’t count it.
5. In 2017-06-01 the icon Kobi stole one vote from Suzi Wearing a Hat. Its score should be a little higher.
6. All times suffer from an off-by-one error: each hour at X:17 I took statistics that belong to X-1:00. I don’t really care.

Bonus: