A Security Analysis of Over 500 Million Usernames and Passwords


Kyle Lady, Duo’s Senior R&D Engineer, wrote up a blog about Duo Labs’ analysis of the Anti Public Combo List. This is over 500 million usernames/passwords aggregated from data breaches/password dumps.

Most accounts were consumer accounts - nearly half of usernames end in yahoo.com; 7% in aol.com. Only 1.7% of the accounts were domains from large companies.

Kyle also breaks down the average length of passwords, the mean number of numbers used per password, uppercase and symbols, and so on.

Check out the blog for specifics including his top 10 passwords list and tips for checking to see if your account credentials have been breached.