Research conducted by the anti-virus firm Avast has revealed that hackers use weak passwords just like everyone else. After analysing a sample of nearly 40,000 passwords collected over the years, Avast’s Antonín Hýža found that only 10 percent of passwords were "beyond normal capabilities of guessing or cracking." The researcher then provided some interesting statistics on hackers' password choices.
"I looked at 40,000 samples of hackers’ passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes," Avast's Antonín Hýža said in a blog post.
Almost none of the unique passwords from the samples contained uppercase characters, despite regular warnings by security experts to use a mix of upper- and lowercase characters for passwords. Furthermore, the researcher discovered that the average hacker's password has a maximum of six characters, contains lowercase letters and numbers, and is derived from the English language.
The charts below, from the Avast blog, illustrate what hackers' passwords typically look like: (Source: Antonín Hýža, Avast Blog, https://blog.avast.com/2014/06/09/are-hackers-passwords-stronger-than-regular-passwords/)
“On the table below the occurrence of lower-case alpha characters used in passwords is displayed. The most used character is letter a and letters f, j, v, w, y, z are used very seldom. This is the largest set of characters so 38 occurrences of lower-case letter q is still more frequently used than the upper-case character set where S has 28 occurrences. In the special character set, lower-case q is used almost the same as most frequently used “.” with count of 42.”
Upper case letters and their occurrence is displayed on the next table. They are all very rarely used and when they are, it is either the first letter in the password, or the entire word is written with upper case letters. Only a few passwords actually use a combination of both upper and lower case.
The next table shows which special characters are preferred by hackers and how much they use them to improve passwords. The first character in this table is a space and it revealed one interesting thing: One or five spaces could be a pretty clever password, but not very secure as it gets tested right from the beginning. Not all special characters are listed below because “ , = ~ | [ ] ” were not used at all.
Source: Antonín Hýža, Avast Blog, https://blog.avast.com/2014/06/09/are-hackers-passwords-stronger-than-regular-passwords/
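
A defender reviewing a password corpus during a policy audit can produce the same kind of breakdown the charts describe: character-class counts, how upper case is used, and how many entries fit the "typical" profile. This is an added example, not code from Avast or the original post; the sample passwords, the function names and the "typical" rule (at most six characters, only lower-case letters and digits) are assumptions for illustration.

```python
import string
from collections import Counter

# Constructed sample passwords for illustration; not from the Avast data set.
SAMPLE = ["hack3r", "root", "Admin1", "PASSWORD", "q1w2e3", " ",
          "p@ss.word", "xXx123", "toor99", "Tr0ub4dor&3x"]

def char_class(c):
    """Map one character to lower / upper / digit / special (ASCII view)."""
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.digits:
        return "digit"
    return "special"  # includes the space character

def upper_pattern(pw):
    """Classify upper-case usage: none, first_only, all_upper or mixed."""
    letters = [c for c in pw if c in string.ascii_letters]
    uppers = [c for c in letters if c in string.ascii_uppercase]
    if not uppers:
        return "none"
    if len(uppers) == len(letters):
        return "all_upper"
    if len(uppers) == 1 and pw[0] in string.ascii_uppercase:
        return "first_only"
    return "mixed"

def is_typical(pw):
    """Assumed rule: 1 to 6 characters, lower-case letters and digits only."""
    return 0 < len(pw) <= 6 and all(
        char_class(c) in ("lower", "digit") for c in pw)

def profile(passwords):
    """Summarise a corpus; duplicates are dropped so each password counts once."""
    unique = set(passwords)
    classes, patterns, specials = Counter(), Counter(), Counter()
    for pw in unique:
        patterns[upper_pattern(pw)] += 1
        for c in pw:
            cls = char_class(c)
            classes[cls] += 1
            if cls == "special":
                specials[c] += 1
    return {"unique": len(unique), "classes": classes, "upper": patterns,
            "specials": specials, "typical": sum(map(is_typical, unique))}

if __name__ == "__main__":
    for key, value in profile(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

A high "typical" share or a near-empty "mixed" bucket in a real audit points to the same weak composition habits the Avast figures describe.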