What are the most common password patterns ? A TLDR answer


I was curious about how similarly people think while creating their passwords. How do people compose their passwords? What are the common patterns people use the most?

I am familiar with Kali Linux (the offensive security focused Linux distro), Hashcat, Aircrack-ng, Crunch, and many other cracking tools.

The idea

I thought of a way to compute the most common password patterns (also known as masks). Here is the idea in steps.

  • download a huge passwords database (a wordlist) such as rockyou.txt
  • replace all uppercase letters with their masking symbol
  • replace all lowercase letters with their masking symbol
  • replace all digits with their masking symbol
  • count how many times each resulting mask occurs
  • sort them to get the top 10 (or top 50)

Simplified masking symbols

The popular masking symbols are two characters long so that they can be used alongside normal letters and digits, but I do not need the masking symbols to be in the same word/mask/pattern with normal letters, symbols and digits, so there is no need to make them two characters long.

If you choose the letter u to be the placeholder for an uppercase letter (capital letter), it is confusing when you use it in a mixed mask such as 012uAbckL. To fix that, software developers make it a two-character placeholder, ?u, as in 012?uAbckL, which can be interpreted/translated to its meaning/reference without any confusion.

But my usage is distinct. I do not use mixed masks. I have masks (patterns) only. So, I will use placeholders or symbols that are single-letter only.

Here is the table of popular mask symbols/placeholders, my simplified mask placeholders, and their meaning/reference.

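| mask | simplified mask | meaning |
|------|-----------------|---------|
| ?d | d | (d)igit |
| ?s | s | (s)ymbol |
| ?a | a | letter ignoring the case |
| ?l | l | (l)owercase/small letter |
| ?u | u | (u)ppercase/capital letter |
|  | n | single space |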

Manipulating the wordlist

I downloaded RockYou wordlist from GitHub.

I made a local copy of it to prepare it for manipulations, using this command.

cp ~/Downloads/rockyou.txt ~/Downloads/rockyoumasked.txt

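The order of the two letter steps matters: the uppercase placeholder u is itself a lowercase letter, so if the uppercase step runs first, the lowercase step rewrites every u it produced to l. Replace all lowercase letters with their masking placeholder l first:

sed 's/[a-z]/l/g' -i ~/Downloads/rockyoumasked.txt

Then, replace all uppercase letters with their masking symbol u:

sed 's/[A-Z]/u/g' -i ~/Downloads/rockyoumasked.txt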

Then, replace all digits with their mask placeholder d:

sed 's/[0-9]/d/g' -i ~/Downloads/rockyoumasked.txt

Then replace all spaces with the masking placeholder I chose, n.

sed 's/ /n/g' -i ~/Downloads/rockyoumasked.txt

If the wordlist uses only Latin letters, you can replace every character that is not a letter, a digit, a newline, a space or a tab with the symbol placeholder s, because we can assume that all other characters are symbols.

sed 's/[^a-zA-Z0-9\n\t ]/s/g' -i ~/Downloads/rockyoumasked.txt

If you insist on identifying the symbols explicitly before replacing them with the symbol mask placeholder s, use this command:

sed 's|[]!@#$%^&*()_+=[{}'\''";:/?.>,<-]|s|g' -i ~/Downloads/rockyoumasked.txt

Note: make sure to add all symbols inside the square brackets in the above command, keeping ] as the first character and - as the last so that both are taken literally. The | delimiter is used because / is one of the listed symbols.

After converting all passwords inside this huge wordlist into their masks, let’s do some statistics.

Count the masks

I use GNU utils to sort the password masks inside the wordlist, then use uniq to get the count of each unique line (each line is just a password mask).

sort ~/Downloads/rockyoumasked.txt | uniq -c > ~/Downloads/passwords_count.txt

I save the statistics of each password mask and its count into a new plain text file called passwords_count.txt, as you can see in the command above.

The plain-text file contains each password mask's count and the password mask itself, but they are not sorted from the most common to the least common. So, use the following command to sort the masks by the most used.

sort -nr < ~/Downloads/passwords_count.txt > ~/Downloads/passwords_count_sorted.txt

Now, we have a list of most used passwords encoded as masks in a plain text file showing the most common password masks first.
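The masking and counting steps above, combined into a single pass, as an added example that is not the author's code; the function names mask_counts and write_sample and the ten sample passwords are constructed for illustration. It masks lowercase letters before uppercase ones so the u placeholder is not rewritten to l, strips a trailing carriage return, and counts every remaining byte as a symbol.

```sh
#!/bin/sh
# Added example: one-pass mask statistics for a wordlist.
# mask_counts and write_sample are illustrative names, not from the post.

# mask_counts FILE [N]
# Prints the N most common masks (default 10) as: count mask length percent
mask_counts() {
    LC_ALL=C awk '
        {
            sub(/\r$/, "")            # CRLF wordlists: drop the trailing CR
            if ($0 == "") next        # skip empty lines
            gsub(/[a-z]/, "l")        # lowercase first: the placeholders
            gsub(/[A-Z]/, "u")        # u, d and n are lowercase letters and
            gsub(/[0-9]/, "d")        # must not be masked a second time
            gsub(/ /, "n")
            gsub(/[^ludn]/, "s")      # whatever is left is a symbol byte
            count[$0]++
            total++
        }
        END {
            for (m in count)
                printf "%d %s %d %.2f\n", count[m], m, length(m),
                       100 * count[m] / total
        }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# Constructed sample passwords (not taken from any wordlist).
write_sample() {
    printf '%s\n' password Password monkey12 letmein1 dragon \
        'qwerty!' 'abc 123' iloveyou sunshine Passw0rd
}

sample=$(mktemp)
write_sample > "$sample"
mask_counts "$sample" 5
rm -f "$sample"
```

Because LC_ALL=C makes awk work on bytes, a multi-byte UTF-8 character contributes one s per byte to the mask.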

Let’s see the top 10 password masks.

Top 50 used password patterns

The total count of passwords in the original wordlist is 359,944,739 passwords in one huge plain text file.

The percentage (%) column in the table below is the share of this password mask/pattern in the total number of passwords in the original file.

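| count | mask | length | % |
|-------|------|--------|---|
| 34,877,549 | llllllll | 8 | 9.69% |
| 17,465,957 | lllllllll | 9 | 4.85% |
| 16,664,585 | llllllllll | 10 | 4.63% |
| 16,588,606 | lllllll | 7 | 4.61% |
| 14,095,240 | llllll | 6 | 3.92% |
| 14,046,137 | lllllllllll | 11 | 3.90% |
| 7,413,092 | llllllllllll | 12 | 2.06% |
| 5,805,531 | llllllllllll | 12 | 1.61% |
| 5,789,812 | lllllllllllll | 13 | 1.61% |
| 4,190,727 | llllllllllllll | 14 | 1.16% |
| 3,916,722 | lllllllllllll | 13 | 1.09% |
| 3,770,841 | lllllldd | 8 | 1.05% |
| 3,649,474 | llllllld | 8 | 1.01% |
| 3,601,748 | lllllllld | 9 | 1.00% |
| 3,395,198 | llllllllld | 10 | 0.94% |
| 3,111,376 | llllllldd | 9 | 0.86% |
| 2,686,000 | lllllllllllllll | 15 | 0.75% |
| 2,675,716 | llllllllllllll | 14 | 0.74% |
| 2,637,473 | lllllllldd | 10 | 0.73% |
| 2,606,559 | lllllllllld | 11 | 0.72% |
| 2,455,234 | llllllddd | 9 | 0.68% |
| 2,351,061 | lllll | 5 | 0.65% |
| 2,342,710 | lllllldd | 8 | 0.65% |
| 2,203,440 | lllldddd | 8 | 0.61% |
| 2,052,082 | lllll | 5 | 0.57% |
| 1,972,305 | llllldd | 7 | 0.55% |
| 1,896,677 | llllllllllld | 12 | 0.53% |
| 1,889,984 | llllllld | 8 | 0.53% |
| 1,831,417 | lllllllddd | 10 | 0.51% |
| 1,814,263 | llllllllllllllll | 16 | 0.50% |
| 1,799,641 | lllllldddd | 10 | 0.50% |
| 1,773,600 | lllllldddd | 10 | 0.49% |
| 1,753,626 | lllllllld | 9 | 0.49% |
| 1,714,648 | llllldddd | 9 | 0.48% |
| 1,702,548 | lllllddd | 8 | 0.47% |
| 1,692,154 | lllldddd | 8 | 0.47% |
| 1,675,035 | llllllllld | 10 | 0.47% |
| 1,646,644 | lllllllllllllll | 15 | 0.46% |
| 1,642,673 | ddddddddd | 9 | 0.46% |
| 1,599,019 | llllllldd | 9 | 0.44% |
| 1,598,471 | lllllllldd | 10 | 0.44% |
| 1,461,202 | llllldddd | 9 | 0.41% |
| 1,437,419 | lllllddd | 8 | 0.40% |
| 1,432,825 | lllllllllllld | 13 | 0.40% |
| 1,408,672 | lllldd | 6 | 0.39% |
| 1,369,412 | llllldd | 7 | 0.38% |
| 1,350,413 | lllllld | 7 | 0.38% |
| 1,344,394 | llllllllddd | 11 | 0.37% |
| 1,310,837 | llllllllllllllllllll | 20 | 0.36% |
| 1,299,767 | lllllllllld | 11 | 0.36% |
| 220,810,516 |  |  | 61.35% |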

All top 50 password patterns combined represent 61% of total passwords created and leaked into the wordlist used (RockYou).

Here is what I noticed:

  • people often prefer lowercase letters more than uppercase letters and that’s what I thought too.
  • people often prefer lowercase letters more than digits and that’s counterintuitive to me. I thought people would prefer digits and numbers, but today I learned that they don’t.
  • people do not include symbols in their passwords.
  • the longer the password is, the more it is just lowercase letters only.
  • when people create a password with lowercase letters and numbers, they put the numeric digits at the end of the password.
  • these patterns and the similarities in them would make it easier to crack passwords because people are more predictable than I thought.
