

Number Usage in Passwords: Take Two, (Thu, Apr 9th)

In a previous diary [1], we looked at how numbers were used within passwords submitted to honeypots. One of the items of interest was how dates, and more specifically years, were represented within the data and how that changed over time. Years and seasons are often used in passwords, especially when password policies require frequent password changes. Some examples we might see today:

    Spring2026!
    Spring26
    April2026
    April@2026
    AprilShowers26
    Bloom2026
    Easter2026!
    Passover2026

How is this data represented within passwords submitted to honeypots? Are bots updated to incorporate new year values at certain intervals?

Date range of data: 4/21/2024 - 3/29/2026
Number of unique passwords: 496,562

Figure 1: Top 10 contiguous numbers used in passwords submitted to a sample of DShield honeypots.

When looking at contiguous numbers used within passwords, we see similar data to a couple of years ago. The top two contiguous numbers seen within passwords submitted to honeypots were 123 and 1. However, rather than many of the other high-volume contiguous numbers being a subset of 123456, the passwords included other numbers such as 100000, 19, 69 and 200. It turns out that this activity was related to a potential DDoS or stress test of an endpoint using ICMP: 100000 was the desired number of packets to send to the destination host, and the other numbers represented each octet of the destination IP.

Figure 2: Passwords submitted to honeypots that were supposed to be commands run once access was gained to the honeypot.

The source IP 147.45.47.117 was attempting these commands between 11/18/2024 and 11/24/2024. The activity was seen on honeypots distributed in GCP, Digital Ocean, Azure and a residential honeypot. It was not seen on samples from an AWS honeypot. Other activity from this source was seen between 11/14/2024 and 12/1/2024.

Most of the sessions from this host are repeated attempts to download a script from 45.125.66.215 and install it as a service.

Figure 3: Repeated attempts to set up and install a service using a script downloaded from 45.125.66.215.

Unfortunately, the file was not downloaded by any of the honeypots, so there was no file to reference.

Okay, back to passwords and number usage. Let's take a look at how frequently individual digits are used in the passwords submitted to honeypots.

Figure 4: Individual digit frequency within passwords submitted to honeypots.

Similar to the previous review, the lower the digit, the more frequently it is generally used in a password. The most common digits used are 0, 1, 2 and 3.

What about 4-digit numbers?

Figure 5: Top 10 numbers used within passwords submitted to honeypots, counting only contiguous numbers of exactly 4 digits.

This was also similar to the previous review. 1234 is still the most common, and usually the most prevalent year seen is the prior year. We do see 2026 in this list, but since there are only a few months of data, it hasn't quite hit the vo
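The three counts behind Figures 1, 4 and 5 (contiguous digit runs, individual digit frequency, and 4-digit numbers split into years versus keyboard walks) can be reproduced with a short script. This is an added example, not code from the diary or from DShield; the password list is constructed, and the 1990-2030 year window is an assumption made here.

```python
import re
from collections import Counter

# Constructed sample of password submissions. It stands in for honeypot data
# and is NOT the DShield dataset from the diary.
SAMPLE_PASSWORDS = [
    "Spring2026!", "Spring26", "April2026", "April@2026", "AprilShowers26",
    "Bloom2026", "Easter2026!", "Passover2026", "123456", "password123",
    "admin1", "root2025", "Welcome2025!", "qwerty1234", "1234", "p@ss1",
]

# A "contiguous number" is a maximal run of decimal digits inside a password,
# so "Spring2026!" yields "2026" and "123456" yields "123456" (not "123").
DIGIT_RUN = re.compile(r"\d+")


def contiguous_numbers(passwords):
    """Counter of every contiguous digit run across all passwords (Figure 1)."""
    return Counter(run for pw in passwords for run in DIGIT_RUN.findall(pw))


def digit_frequency(passwords):
    """Counter of individual digits 0-9 across all passwords (Figure 4)."""
    return Counter(ch for pw in passwords for ch in pw if ch.isdigit())


def four_digit_numbers(passwords):
    """Counter restricted to runs that are exactly four digits long (Figure 5)."""
    runs = contiguous_numbers(passwords)
    return Counter({run: n for run, n in runs.items() if len(run) == 4})


def year_counts(passwords, first=1990, last=2030):
    """Four-digit runs inside an assumed year window, which separates years
    such as 2025/2026 from four-digit keyboard walks such as 1234."""
    fours = four_digit_numbers(passwords)
    return Counter({run: n for run, n in fours.items() if first <= int(run) <= last})


def report(passwords, top=10):
    """Top-N tables for each view, mirroring the diary's figures."""
    return {
        "contiguous": contiguous_numbers(passwords).most_common(top),
        "digits": sorted(digit_frequency(passwords).items()),
        "four_digit": four_digit_numbers(passwords).most_common(top),
        "years": year_counts(passwords).most_common(top),
    }


if __name__ == "__main__":
    for name, rows in report(SAMPLE_PASSWORDS).items():
        print(f"{name}: {rows}")
```

Two-digit year suffixes such as the "26" in Spring26 show up in the contiguous table but are deliberately not classified as years, since a two-digit run cannot be told apart from other short numbers without further assumptions.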


Originally published by SANS ISC

Source: https://isc.sans.edu/diary/rss/32866
