Blog RSS Feed

Archive for January, 2017

Jesus is not your password

Friday, January 6th, 2017

At Christianity Today I have a piece today about bad passwords that Christians use: Beware of Making Jesus Your Password. I’m pretty excited that they kept the line about soccer.

Here I want to share the data behind the piece. The 32 million passwords come from the 2009 RockYou breach, available here. I used rockyou-withcount.txt.tar.gz.

The main list of passwords comes from (1) taking this list, (2) removing non-alphanumeric and leading and trailing numbers, (3) lower-casing the result, and (4) combining the totals. In the raw list, “jesus” is the 103rd most-common password; by normalizing it with these steps, it jumps to #30. The purpose here is to find the core part of the password. It’s good from a security perspective that people add leading and trailing (mostly trailing) numbers to their passwords, but they’re not so relevant here.

The list of “Christian” passwords is based on a different breach of a faith-based website. I pulled a bunch of patterns from passwords that were popular there.

Here’s the data behind the piece:

  1. normalized-passwords.zip. A list of 238,000 passwords following the normalization scheme I describe above. Every normalized password from RockYou that appeared at least ten times is here. Note that there’s extensive swearing.
  2. christian-passwords.txt. All 505 Christian-themed passwords.
  3. verse-passwords.txt. All 295 plausible verse references. Not all of them are actually references: for example, “daniel14” could refer to Daniel 1:4 (or even Daniel 14), but it’s most likely just someone’s name with the number “14” after it. So I don’t include it in the top-25 list that appears at CT.

These are my favorite tweets about it: