Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Leaked Password Data Reveals, the Most Common Christmas-Related Passwords

December 2020 by Specops Software

Although everyone knows their passwords should be strong and safe in order to protect their personal data, very often people choose to ignore this and opt for weaker passwords that are more susceptible to hacks.

As Christmas edges closer, decorations are out in full force and the holiday spirit is growing. But, how caught up do people really get? analysed 800 million passwords from Specops Software’s Breached Password Protection* database in order to reveal the most leaked Christmas-related passwords that are currently being unsafely used by millions of people.

Which are the most commonly leaked Christmas-related passwords?
1. Star
2. Angel
3. God
4. Elf
5. Jesus
6. Snow
7. Carol
8. Noel
9. Santa
10. Chocolate
11. Gift
12. Bells
13. December
14. Xmas
15. Jolly

After looking at millions of passwords that have been leaked, discovered that star is the least secure Christmas-related password. Although the number of times this password has been compromised cannot be released, star was found to be leaked 52 times more than jolly - the 15th most used Christmas-themed password.

The second most leaked Christmas-related password is angel, as lots of people use it to protect their accounts and data. Interestingly, angel was found to occur in 47 times more passwords than jolly.

God is the third most used password, according to’s leaked password database. This word has been used 46 times more than the fifteenth-most used password, jolly.

In fourth, fifth, and sixth place are elf, Jesus and snow. Elf appears almost two times more than Jesus and Jesus is used seven times more than bell, which ranks in 12th.

The world carol has been used very often by those looking to protect their data, placing it in seventh overall. In the leaked password database, Carol has been leaked eight times more than xmas - which places in 14th position. Darren James, Product Specialist with Specops Software, commented on the findings: “With the winter holidays right around the corner, we asked our research team to dig into which holidays are most popular, we analysed over 800 million breached passwords to find out.”

“The reason people choose holiday-related terms when creating their passwords is because they struggle to make a password that is both secure and memorable,” James said. “This results in weak passwords that follow predictable patterns and are reused between different services. These passwords are easy to guess and commonly appear in lists of breached passwords.” “This data, while fun, will come as no surprise to the IT admins we talk to. They’re often aware that the passwords their employees are using are common or weak, but it can be hard to measure it,” continued James. “If you’re looking to quantify the weak or leaked password problem in your environment, I’d recommend running a scan with our free Password Auditor.”

The compromised password problem can be an expensive one. IBM recently reported the global average cost of a data breach in 2020 to be $3.86 million. Specops Software’s top tips for creating a strong password:

1. #thinkrandom
Three random words, also known as #thinkrandom, is an initiative from the NCSC to educate the general public on how to choose secure passwords that are still easy to remember. The initiative was introduced to undo years of security advice that told people to combine different character types when creating passwords. Research has since found that character complexity requirements failed to achieve what it set out to do – make passwords harder to crack. Its failure can be blamed on people following the same character composition patterns (i.e. capital letter to start, number at the end, replacing the letter s with $, etc).

2. Easy to guess passwords
The three random words initiative is designed to address billions of weak passwords that are easy to guess. This means that even without sophisticated password cracking techniques, hackers can come up with likely passwords to try on different accounts, either in a credential stuffing attack or in a targeted attack against an individual. Easy-to-guess passwords with multiple character types include: Liverpool#1, Pa$$word7, Spring2020!. Examples of three random words passwords provided by the NCSC include: coffeetrainfish, walltinshirt.

3. Falls short to brute force
Critics of the #thinkrandom advice often bring up the time needed to break a password hash in a brute-force attack. When comparing two 14-character long passwords, one with three random words and one randomly generated using multiple character types, the multiple-character type password will take longer to crack in a brute force attack. This article explains the math to back up the criticism and recommends a Password Manager as a solution to needing to remember so many randomly-generated passwords.
Proponents of the advice believe in providing tips that the general public can follow, in order to improve the security of passwords. While critics of the advice can point out the most sophisticated randomly-generated passwords and show how these are more secure, both are right, but they represent extremes of the password security spectrum. Is there a middle ground that uses easy-to-follow advice and combines this with another layer of protection?

4. Make three random words more secure
One way to improve the security of the three random words advice is to combine it with a password deny list of known compromised passwords. A compromised password deny list is designed to prevent a password dictionary attack, where a hacker uses a password list from a previous data breach to gain access to an account. The breached password deny list improves the security of the three random words passwords by blocking passwords that have appeared on previous data breaches. This way people can choose passwords that they can remember, and are also not published online for hackers to use. Will this make it harder for people to choose three random words passwords? No, if people follow the advice and choose words at random, it will not be difficult to find passwords that do not appear on the compromised passwords list.

5. Make your password long enough
When it comes to making strong passwords, the single most important factor is the length of the password. As long as a password isn’t easily guessable by other means (e.g. use of common words, username, repeating characters) length is your best friend for mitigating brute force attacks. *Specops Breached Password Protection works together with Specops Password Policy so that companies can block all passwords found on the list of over two billion compromised passwords, making it easy to comply with industry regulations, such as NIST or Cyber Essentials. The service blocks people from choosing banned passwords and informs the user as to why they cannot use the password.

See previous articles


See next articles