@WorstPasswords Twitter Bot

berzerk0 edited this page Apr 7, 2018 · 5 revisions

21 Feb 2018

If the bot tweets one of your passwords, change it.

This is not the moment to say "haha, that is so me!" and like the tweet.
You are at an increased security risk.

Overview

With the release of ProbableWordlists V2, we have a more accurate evidence-based list of the world's most common passwords. The aim of the Probable-Wordlists project is to discourage the use of common passwords.

But, how do we know what passwords look like? Aren't they supposed to be secret? If you are never supposed to tell me your passwords, and I am never going to tell you mine, how do we know we aren't using the same passwords? How do we know we aren't using the same password as millions of other people? We need to be warned what passwords are too risky to use.

@WorstPasswords is a Twitter bot designed to do just this. Twice a day, it tweets a password from the list of the Top 747 Most Common Passwords. If someone witnesses the bot announcing their "secret" password, they may be driven to change it to something far more secure. Hopefully, the bot will inspire them to take the first step towards a more security-minded internet presence.

Operation

It's really a simple bot; here is the entire workflow:

  1. Is it time to post?
  2. Okay, pick a wordlist to read from.
  3. Pick a random line from that list.
  4. Tweet a post based on that line.
  5. Wait until the next time to post.

It is incapable of querying any online lists or responding to mentions or direct messages. All it can do is tell time, pick numbers, and tweet.

Statistically, the top 25 passwords on the list are far, far more common than the bottom 722. However, a bot that only posts 25 passwords isn't very useful. I tried to strike a balance between tweeting the top 25 and the bottom 722 passwords on the bot's list.

I accomplished this by including a "coin flip" concept, albeit using a very weighted coin.

  • 20% of the time, the bot picks from the list of the Top 25 entries
  • 80% of the time, the bot picks from the Bottom 722 entries.

This way, the bot pulls from a pool large enough to have variety, while the most common passwords are weighted to appear more often than the rest.
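The workflow and the weighted coin flip above, written out as an added example. This is not the bot's own source: the two pools are short constructed stand-ins for the top 25 and bottom 722 entries, the clock is plain Unix seconds, and the "tweet" step just returns the text (the wording of the post is an assumption) instead of calling the Twitter API. `top_fraction` simulates many posts so you can confirm the 20/80 split actually comes out of the coin.

```python
import random

# Constructed sample pools standing in for the two lists the bot reads from.
# The real bot uses the top 25 and the remaining 722 of its 747-entry list.
TOP_25 = ["123456", "password", "123456789", "12345678", "12345"]
BOTTOM_722 = ["letmein", "dragon", "monkey", "baseball", "football", "shadow"]

TOP_WEIGHT = 0.20             # share of posts drawn from the top-25 pool
POST_INTERVAL = 12 * 60 * 60  # seconds between posts: twice a day


def is_time_to_post(now, last_post):
    """Step 1: post if we never have, or POST_INTERVAL seconds have elapsed."""
    return last_post is None or now - last_post >= POST_INTERVAL


def pick_list(rng):
    """Step 2: the weighted coin flip. Returns a label and the pool to read from."""
    if rng.random() < TOP_WEIGHT:
        return "top", TOP_25
    return "bottom", BOTTOM_722


def pick_line(pool, rng):
    """Step 3: a uniformly random line from the chosen pool."""
    return rng.choice(pool)


def compose_tweet(password):
    """Step 4: build the post text. The wording here is an assumption, not the bot's."""
    return (f'"{password}" is one of the 747 most common passwords in the world. '
            f'If it is one of yours, change it.')


def run_once(now, last_post, seed=None):
    """One pass of the loop: (label, password, tweet_text), or None if it is not time yet.

    A seed makes the run reproducible; the bot itself does not need a fixed seed
    and, since nothing secret depends on the draw, does not need a CSPRNG either.
    """
    if not is_time_to_post(now, last_post):
        return None
    rng = random.Random(seed)
    label, pool = pick_list(rng)
    password = pick_line(pool, rng)
    return label, password, compose_tweet(password)


def top_fraction(posts, seed=0):
    """Simulate `posts` coin flips and return the share that chose the top pool.

    With enough posts this converges on TOP_WEIGHT (0.20)."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(posts) if pick_list(rng)[0] == "top")
    return hits / posts


if __name__ == "__main__":
    # Drive the loop over a constructed three-day clock, one tick per hour.
    last = None
    for hour in range(72):
        now = hour * 3600
        result = run_once(now, last, seed=hour)
        if result:                      # step 5: otherwise wait for the next tick
            last = now
            print(f"t+{hour:02d}h [{result[0]}] {result[2]}")
    print(f"top-pool share over 10000 simulated posts: {top_fraction(10000):.3f}")
```

Running the script posts at t+00h, t+12h, t+24h and so on, and the simulated share lands close to 0.20, which is the only property the coin flip has to satisfy.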

747 Is A Weird Number. Why not 750?

The concept of "the Nth most common password" is fuzzy - there are ties. Some passwords are equally common. This is why the tweets don't say "this is the world's Nth most popular password."

If you are perusing the Probable Wordlists and suddenly see a section in obvious alphabetical order, you are seeing passwords that are all equally likely.

However, instead of tweeting out every single password from say, the 15th most common slot, the bot simply chooses one from the top 747 entries on the list.

Each of the passwords in the bot's pool appeared at least 206 times in the Probable-Wordlists V2 analysis. This is unrelated to the fact that the smallest Probable-Wordlist is 207 lines long; it is just a funny coincidence.
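An added example of the ranking problem this section describes. The occurrence counts below are constructed, not figures from the Probable-Wordlists analysis, and the code is not the project's own; it shows why ties make "the Nth most common password" ambiguous, why a tied block comes out alphabetised when you sort by count, and why cutting the pool at a minimum count (the page's 206) rather than at a round position is what keeps a tie block from being split.

```python
# Constructed (password, occurrence count) data for illustration only.
COUNTS = {
    "123456": 900, "password": 700, "qwerty": 400,
    "abc123": 300, "letmein": 300, "monkey": 300,    # a three-way tie
    "dragon": 210, "shadow": 206, "sunshine": 206,   # a tie right at the cutoff
    "iloveyou": 205, "baseball": 150,
}


def ranked(counts):
    """Most common first; entries with equal counts fall back to alphabetical
    order, which is the alphabetised run you notice in the published lists."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_of(counts, password):
    """Competition rank: tied entries share the rank of the first in their block,
    so several passwords can all be "the 4th most common"."""
    count = counts[password]
    return 1 + sum(1 for c in counts.values() if c > count)


def pool_by_threshold(counts, min_count):
    """Keep every password seen at least min_count times. The pool size is
    whatever falls out (747 for the real data); a tie block is never split."""
    return [pw for pw, c in ranked(counts) if c >= min_count]


def pool_by_position(counts, n):
    """Keep the first n positions. Round, but can cut through a tie block."""
    return [pw for pw, _ in ranked(counts)[:n]]


def splits_tie(counts, n):
    """True if a cutoff after position n separates entries with the same count."""
    entries = ranked(counts)
    if n <= 0 or n >= len(entries):
        return False
    return entries[n - 1][1] == entries[n][1]


if __name__ == "__main__":
    for pw, c in ranked(COUNTS):
        print(f"{rank_of(COUNTS, pw):>2}  {c:>4}  {pw}")
    print("threshold >= 206:", pool_by_threshold(COUNTS, 206))
    for n in (5, 8, 9):
        print(f"cut at position {n}: splits a tie? {splits_tie(COUNTS, n)}")
```

On this data "abc123", "letmein" and "monkey" all rank 4th, a cut at position 8 would keep "shadow" but drop "sunshine" although both were seen 206 times, and the count threshold of 206 yields a pool of 9, a number just as unround as 747.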

Password Reuse Warning

Using a common password is risky, but it is even more common to reuse passwords across accounts. I am very careful to say "one of your passwords" rather than "your password" for exactly this reason.

Do not reuse passwords across accounts.

Unique passwords can mean the difference between someone listening to music on your Spotify and someone writing emails in your name, getting into your bank account, and posing as you to ask your Facebook friends for money.

This warning is possibly more important than awareness of the most common passwords - I had to include it.


Follow @WorstPasswords to help remember the most common passwords on the planet!

Please share to spread awareness and increase security.

Thanks for reading!