Can you think of a famous password, such as one used in a book or a movie? Do people see passwords being typed on screen and think “hey, now that is a pretty good password…”? I downloaded the Exploit.in combo list containing over seven hundred million leaked logins and tried to look how often than happens.
Famous passwords used in real leaked passwords:
The clear winner here is Mission Impossible with 948 password containing AW96B6. A nice second is TrustNo1 from The X-Files which appears in 629 passwords. Next we have 386 passwords containing Swordfish – a classic password from 1932 with its own Wikipedia page.
The safe combination from Inception, 528491 is used in 168 passwords, sometimes accompanied by character names like 528491c0bb or eames528491.
“Damn it, Ethan, you don’t have to press Caps Lock for each letter…”
I thought many The Lord of the Rings fans will choose “Speak Friend” as their password – but not even one person did. The elf word for “friend”, Mellon, appears 107 times. We also have 6 YouShallNotPass, and even one SpamShallNotPass.
Finally, there are 11 My Preciouses, including My Cat Precious and My Precious Girl (which still count! we have to be fair toward other phrases that didn’t get this level of scrutiny).
| Movie or Book Title | Password | Count |
|---|---|---|
| Mission Impossible | AW96B6 | 948 |
| The X-Files | TrustNo1 | 629 |
| Horse Feathers | Swordfish | 386 |
| Die Hard | Akagi (Whole word) | 241 |
| Inception | 528491 (Exact number) | 168 |
| LotR | Mellon | 107 |
| Arabian Nights | Open Sesame | 37 |
| Watchmen | Rameses 2 | 18 |
| Casino Royale | 836547 (Exact number) | 14 |
| LotR | My Precious | 11 |
| LotR | Shall Not Pass | 7 |
| Watchmen | Rameses II | 6 |
| National Treasure | Valley Forge | 3 |
| Who Framed Roger Rabbit | Walt sent me | 1 |
| The Net | Natoar23ae | 1 |
| Tron | Reindeer Flotilla | 0 |
| Matrix | Zion 0101 | 0 |
| LotR | Cannot Pass | 0 |
Harry Potter
I didn’t plan on having so many Harry Potter passwords, but the good people at wikia made it too easy – they have a page with dozens of passwords used in the books. I’ve split them into three types:
Harry Potter passwords that are also Latin or other known phrases or snacks:
| Password | Count |
|---|---|
| Acid Pops | 377 |
| Fizzy Pop | 259 |
| Baubles | 241 |
| Alea iacta est | 179 |
| Catweazle | 135 |
| Quid Agis | 31 |
Harry Potter Pass-phrases
| Password | Count |
|---|---|
| Dumbledore | 23 |
| Balderdash | 8 |
| Studious Success | 6 |
| Tapeworm | 3 |
| Caput Draconis | 2 |
| Flibbertigibbet | 2 |
| Pig Snout | 1 |
| Fortuna Major | 1 |
Passwords based on Harry Potter spells:
| Spell | Brief Description | Count |
|---|---|---|
| Accio | (Contained in password as a whole word) Fetch something. Reasonable password. | 885 |
| Accio | (The whole password is just “accio” with no additional characters.) | 555 |
| Stupefy | 223 | |
| Alohomora | Open locks. Makes sense. | 68 |
| Imperio | 35 | |
| Crucio | 17 | |
| Avada Kedavra | 15 | |
| Expelliarmus | 9 | |
| Sectumsempra | 5 | |
| Impedimenta | 3 | |
| Reparo | 3 | |
| Expecto Patronum | 2 | |
| Confundus | 1 |
No muggle had used any of the following passwords:
Wattlebird, Oddsbodikins, Scurvy Cur, Banana Fritters, Fairy Lights, Mimbulus Mimbletonia, Abstinence, Dilligrout, Sherbet lemon, Cockroach cluster, Fizzing Whizzbees, Toffee Eclairs, Chocolate Frogs, Dissendium, Slytherins are Supreme, Facta non verba, Sea Serpent, This Password is Absurd, Libraries Liberate, Dragon s Egg, Light against Darkness, Chops and Gravy, Dashing Cadogan, Forget Me Never, Lunartickle, Surreptitiousness, Wanglewort, up to no good, nor Mischief Managed.
I see “This Password is Absurd” is up for grabs, so I’m calling it – this is my password now.
Technical Details
I’ve found the combo list on Google. It took me about an hour before I know the term “combo” or the name “Exploit.in”. I will not link it from here though.
The combo contains 111 files with lines in the format {email}:{password}, for example:
1 2 | jane@example.com:12345bob@example.com:pa$$word |
From each line I’ve kept just the password and the TLD. I’ve loaded all data to an SQLite database, and grouped identical rows – keeping the count, of course. Having the data SQL made analyzing it very easy.
To automate some of queries I used KNIME – not so much for its analytics, mainly because is automatically saves results to disk.
Password comparisons were all case-insensitive, and multi-word password are filtered using SQL Like, as where password like '%fizzy%pop%'.
Bonus
2,289,587 Spaceballs fans use 12345 as the first number in their passwords. 601,874 have 12345 as their entire password.
The wikipedia article linked does not seem to exist. I did find one at a sie called “everybodywiki” that does indeed include mention of he 1932 film that seems to have first used it publicly in this context. https://en.everybodywiki.com/Swordfish_(password)
Pingback: Contraseñas de películas y libros, más inútiles que un semáforo en el GTA – Tekins
Hacker News: https://news.ycombinator.com/item?id=39329383
Pingback: Contraseñas de películas y libros, más inútiles que un semáforo en el GTA – Celulares, smartphones y tablets