{"id":2377,"date":"2026-04-09T01:03:59","date_gmt":"2026-04-09T01:03:59","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/"},"modified":"2026-04-09T01:03:59","modified_gmt":"2026-04-09T01:03:59","slug":"number-usage-in-passwords-take-two-thu-apr-9th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/","title":{"rendered":"Number Usage in Passwords: Take Two, (Thu, Apr 9th)"},"content":{"rendered":"<div>\n<p>In a previous diary [1], we looked to see how numbers were used within passwords submitted to honeypots. One of the items of interest was how dates, and more specifically years, were represented within the data and how that changed over time. It is often seen that years and seasons are used in passwords, especially when password change requirements include frequenty password changes. Some examples we might see today:<\/p>\n<ul>\n<li data-end=\"467\" data-section-id=\"hcioou\" data-start=\"452\"><code data-end=\"467\" data-start=\"454\">Spring2026!<\/code><\/li>\n<li data-end=\"480\" data-section-id=\"1cn2xel\" data-start=\"468\"><code data-end=\"480\" data-start=\"470\">Spring26<\/code><\/li>\n<li data-end=\"494\" data-section-id=\"1kd4l6w\" data-start=\"481\"><code data-end=\"494\" data-start=\"483\">April2026<\/code><\/li>\n<li data-end=\"509\" data-section-id=\"1hu783s\" data-start=\"495\"><code data-end=\"509\" data-start=\"497\">April@2026<\/code><\/li>\n<li data-end=\"528\" data-section-id=\"cvbx1p\" data-start=\"510\"><code data-end=\"528\" data-start=\"512\">AprilShowers26<\/code><\/li>\n<li data-end=\"542\" data-section-id=\"1cyuwvh\" data-start=\"529\"><code data-end=\"542\" data-start=\"531\">Bloom2026<\/code><\/li>\n<li data-end=\"558\" data-section-id=\"tcm5yz\" data-start=\"543\"><code data-end=\"558\" data-start=\"545\">Easter2026!<\/code><\/li>\n<li data-end=\"575\" data-section-id=\"l3i1jl\" data-start=\"559\"><code data-end=\"575\" data-start=\"561\">Passover2026<\/code><\/li>\n<\/ul>\n<p>How is this data represented within passwords submitted to honeypots? Are bots updated to incorporate new year values at certain intervals?\u00a0<\/p>\n<p><strong>Date range of data:<\/strong> 4\/\/21\/2024 &#8211; 3\/29\/2026<br \/>\n<strong>Number of unique passwords:<\/strong> 496,562<\/p>\n<p style=\"text-align: center;\"><strong><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 500px;\"><br \/>\nFigure 1: Top 10 contiguous numbers used in passwords submitted to sample of DShield honeypots.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>When looking at contiguous numbers used within passwords, we see similar data\u00a0from a couple of years ago. The top two contigious numbers seen within passwords submitted to honeypots were &#8220;123&#8221; and &#8220;1&#8221;. However, rather than many of the other high volume contiguous numbers representing a subset of &#8220;123456&#8221;, the passwords included other numbers such as &#8220;100000&#8221;, &#8220;19&#8221;, &#8220;69&#8221;, &#8220;200&#8221;.<\/p>\n<p>It turns out that this activity was related to a potential DDoS or stress testing of and endpoing using ICMP. &#8220;100000&#8221; was the desired number of packets sent to the destionation host and the other numbers represented each octet of the destination IP.\u00a0<\/p>\n<p style=\"text-align: center;\"><strong><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure2.PNG\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 247px;\"><br \/>\nFigure 2: Passwords submitted to honeypots that were supposed to be commands run once access was gained to the honeypot.<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>The source IP %%ip:147.45.47.117%% was attempting these commands between 11\/18\/2024 and 11\/24\/2024. The activity was seen on honeypots distributed in GCP, Digital Ocean, Azure and a residential honeypot. This was not seen on samples from an AWS honeypot.\u00a0<\/p>\n<p>Other activities from this source were seen between 11\/14\/2024 and 12\/1\/2024. Most of the sessions from this host are repeated attempts to download a script from %%ip:45.125.66.215%% and install it as a service.\u00a0<\/p>\n<p style=\"text-align: center;\"><strong><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure3_v2.PNG\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 1003px;\"><br \/>\nFigure 3: Repeated attempts to setup and install a service using a downloaded script from %%ip:45.125.66.215%%.<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>Unfortunately, the\u00a0file was not downloaded by any of the honeypots, so there was not a file to reference.\u00a0<\/p>\n<p>Okay, back to passwords and number usage. Let&#8217;s take a look at number frequency use in the passwords submitted to honeypots.<\/p>\n<p style=\"text-align: center;\"><strong><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure3.PNG\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 500px;\"><br \/>\nFigure 4: Individual number frequency used within passwords submitted to honeypots.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>Similar to the previous review, generally the lower the number, the more frequently it&#8217;s used in a password. The most common digits used are &#8220;0&#8221;, &#8220;1&#8221;, &#8220;2&#8221; and &#8220;3&#8221;. What about 4-digit numbers?<\/p>\n<p style=\"text-align: center;\"><strong><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure4.PNG\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 500px;\"><br \/>\nFigure 5: Top 10 numbers used within passwords submitted to honeypots only containing 4 digits.<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>This was also similar to the previous review. &#8220;1234&#8221; is still the most common and usually the most prevelant year seen is the prior year. We do see &#8220;2026&#8221; in this list, but since there&#8217;s only a few months of data, it hasn&#8217;t quite hit the volume of the previous year. One of the curiousities from this data is when these years get introduced. For example, when does &#8220;2026&#8221; start getting used within a password submitted to a honeypot?<\/p>\n<p style=\"text-align: center;\"><strong><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure6.PNG\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 286px;\"><br \/>\nFigure 6: Heatmap of years used within passwords and when they showed up in honeypot data.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>Overall, it appears that 4-digit numbers representing years\u00a0show up more prevalently in the year in which that\u00a0data was submitted to a honeypot. From Figure 6, we see that &#8220;2025&#8221; shows up most frequently in data captured from honeypot logs in 2025. This also appears similar for &#8220;2024&#8221;. An item that was surprising when looking at the data, is that there were already some hits for &#8220;2027&#8221;.\u00a0<\/p>\n<p style=\"text-align: center;\"><strong><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure7.PNG\" style=\"border-width: 1px; border-style: solid; width: 1001px; height: 429px;\"><br \/>\nFigure 7: Passwords containing year and their volume over time, showing a small number of submissions containing &#8220;2027&#8221;.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<table align=\"center\" border=\"1\" cellpadding=\"1\" cellspacing=\"1\" style=\"width:500px;\">\n<thead>\n<tr>\n<th scope=\"col\">Year contained in password<\/th>\n<th scope=\"col\">First seen in samples<\/th>\n<th scope=\"col\">Example password<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\">11\/1\/2023<br \/>\n\t\t\t(found in expanded dataset)<\/td>\n<td style=\"text-align: center;\"><code>sysadmin2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\">4\/5\/2024<\/td>\n<td style=\"text-align: center;\"><code>@dm1n2025<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\">5\/6\/2024<\/td>\n<td style=\"text-align: center;\"><code>@2026<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2027<\/td>\n<td style=\"text-align: center;\">8\/11\/2024<\/td>\n<td style=\"text-align: center;\"><code>2027<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><strong>Figure 8: Passwords containing recent years, when they first appeared in the dataset along with some example passwords.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>Most of the passwords containing what could be a year are introduced the year before. However, that may vary widely from the beginning to the end of the previous year.\u00a0There are also many other &#8220;future&#8221; years seen within the dataset.\u00a0<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure8.PNG\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 667px;\"><br \/>\n<strong>Figure 9: Heatmap of future years used within passwords from data collection, showing &#8220;2023&#8221; was heavily used in the data collected near the end of 2024.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<table align=\"center\" border=\"1\" cellpadding=\"1\" cellspacing=\"1\" style=\"width:500px;\">\n<thead>\n<tr>\n<th scope=\"col\">Year contained in password<\/th>\n<th scope=\"col\">First seen in samples<\/th>\n<th scope=\"col\">Example password<\/th>\n<th scope=\"col\">Password submission source<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\">2028<\/td>\n<td style=\"text-align: center;\">4\/27\/2024<\/td>\n<td style=\"text-align: center;\"><code>020283<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:27.47.108.14%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2029<\/td>\n<td style=\"text-align: center;\">4\/27\/2024<\/td>\n<td style=\"text-align: center;\"><code>220291<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:27.47.108.14%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2030<\/td>\n<td style=\"text-align: center;\">4\/21\/2024<\/td>\n<td style=\"text-align: center;\"><code>1020304050<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:124.220.63.230%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2031<\/td>\n<td style=\"text-align: center;\">4\/24\/2024<\/td>\n<td style=\"text-align: center;\"><code>19820313<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:103.174.9.66%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2032<\/td>\n<td style=\"text-align: center;\">4\/24\/2024<\/td>\n<td style=\"text-align: center;\"><code>19820320<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:103.174.9.66%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2033<\/td>\n<td style=\"text-align: center;\">4\/27\/2024<\/td>\n<td style=\"text-align: center;\"><code>110220330<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:27.47.108.14%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2034<\/td>\n<td style=\"text-align: center;\">8\/11\/2024<\/td>\n<td style=\"text-align: center;\"><code>2034<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:45.90.13.172%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2035<\/td>\n<td style=\"text-align: center;\">5\/5\/2024<\/td>\n<td style=\"text-align: center;\"><code>235842035<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:185.161.248.247%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2036<\/td>\n<td style=\"text-align: center;\">4\/27\/2024<\/td>\n<td style=\"text-align: center;\"><code>3203672<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:27.47.108.14%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2037<\/td>\n<td style=\"text-align: center;\">8\/11\/2024<\/td>\n<td style=\"text-align: center;\"><code>2037<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:45.90.13.172%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2038<\/td>\n<td style=\"text-align: center;\">4\/27\/2024<\/td>\n<td style=\"text-align: center;\"><code>020384<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:27.47.108.14%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2039<\/td>\n<td style=\"text-align: center;\">4\/27\/2024<\/td>\n<td style=\"text-align: center;\"><code>220391<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:27.47.108.14%%<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2040<\/td>\n<td style=\"text-align: center;\">4\/24\/2024<\/td>\n<td style=\"text-align: center;\"><code>19820402<\/code><\/td>\n<td style=\"text-align: center;\">%%ip:103.174.9.66%%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><strong>Figure 10: Passwords containing future\u00a0years, when they first appeared in the dataset along with some example passwords.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>In the cases where a future year is being used, the passwords likely have nothing to do with that year. However, there are a few examples that could be dates:<\/p>\n<ul>\n<li><code>19820313<\/code>: 03\/13\/1982<\/li>\n<li><code>19820320<\/code>: 03\/20\/1982<\/li>\n<li><code>19820402<\/code>: 04\/02\/1982<\/li>\n<\/ul>\n<p style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure9.PNG\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 600px;\"><br \/>\n<strong>Figure 11: In most cases, the years are used at the end of the password, rather than in the middle or beginning of the password.<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>From the examples, focusing on a 4-digit number that&#8217;s added to the end of a password could give us more representative examples of a number used intentionally to represent a year. Passwords containing &#8220;2027&#8221; for example, have a very different distribution on where they appear in the passwords. We see a much higher liklihood of &#8220;2027&#8221; being in a variety of locations, rather than just at the end of the password.\u00a0<\/p>\n<p>There are also many numbers that could represent specific dates.\u00a0<\/p>\n<p style=\"text-align: center;\"><strong><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure12.png\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 413px;\"><br \/>\nFigure 12: Examples of numbers that could represent dates using diffrent formats.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>Depending on the numbers, it can be difficult to know\u00a0whether numbers representing days or months come first, but can be clearly determined when a day is greater than 12 since a month cannot have a value greater than 12. Some of these dates are found in passwords that have more content, but in most\u00a0cases the date alone is used as the password. Some examples:<\/p>\n<ul>\n<li><code>w@terloo19051954<\/code><\/li>\n<li><code>01011958<\/code><\/li>\n<li><code>25031959<\/code><\/li>\n<li><code>01011960<\/code><\/li>\n<li><code>17101971<\/code><\/li>\n<li><code>20101971<\/code><\/li>\n<li><code>24101971<\/code><\/li>\n<li><code>www.txwscx.comsritgyxf2sxy19831122zx<\/code><\/li>\n<li><code>19831123<\/code><\/li>\n<li><code>20261017<\/code><\/li>\n<li><code>20261109<\/code><\/li>\n<li><code>20261111<\/code><\/li>\n<\/ul>\n<p>For the passwords identified as possibly having dates in a YYYYMMDD, MMDDYYYY or DDMMYYYY format (16,713), 88.9% (14,582) of them were just 8-digit numbers. It was interesting to see years from\u00a01958 to 2026. Could this be another habit of using dates of birth or just the current day in passwords?<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure13.png\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 454px;\"><br \/>\n<strong>Figure 13: Top 10 years seen in passwords if numbers\u00a0represent\u00a0specific dates in YYYYMMDD, MMDDYYYY or DDMMYYYY formats.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure14.png\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 384px;\"><br \/>\n<strong>Figure 14: Possible distrubution of months seen in\u00a0passwords if numbers\u00a0represent\u00a0specific dates in YYYYMMDD, MMDDYYYY or DDMMYYYY formats.<\/strong><\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure18.png\" style=\"width: 881px; height: 1200px; border-width: 1px; border-style: solid;\"><br \/>\n<strong>Figure 15: Distribution of years found within the dates identified in passwords. There is a heavy focus on dates in the 1980s.<\/strong><\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: center;\"><strong><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure15(1).png\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 384px;\"><br \/>\nFigure 16: Image showing possible &#8220;age&#8221; distributions based on different from dates seen in passwords from today.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>There is a high distribution of &#8220;0&#8221; year age dates. One hypothesis is that the current day is used within passwords, assuming someone changed their password that day and they used today&#8217;s date. Looking at general proximity, there were around 1,000 passwords submitted that included dates close to submission date. This represents about 94% of similar passwords submitted in a proximity of 180 days from the password submission date to a honeypot. If the password submitted to a honeypot contains a date and it&#8217;s close to the current date, it&#8217;s probably very close.\u00a0<\/p>\n<p style=\"text-align: center;\"><strong><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure16(1).png\" style=\"border-width: 1px; border-style: solid; width: 1000px; height: 371px;\"><br \/>\nFigure 17: Distribution of passwords containing dates close to the date of interaction with a honeypot.\u00a0<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>I really enjoyed\u00a0the heatmaps, but the largest one didn&#8217;t display well in this diary. It zooms in well [2], so feel free to download it <a href=\"https:\/\/www.dropbox.com\/scl\/fi\/nl995gb6yziostxttxrol\/2026-04-09_figure16.png?rlkey=mfu6oteed72ohwhae8ml9y24g&amp;st=192holxm&amp;dl=0\" target=\"_blank\">here<\/a>.\u00a0<\/p>\n<p>To finish things off, the most and least common passwords containing years from sample honeypot data:<\/p>\n<table align=\"center\" border=\"1\">\n<thead>\n<tr>\n<th>Capture Year<\/th>\n<th>Password<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\"><code>ubuntu@2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\"><code>postgres@2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\"><code>Qwer@2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\"><code>Admin@2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\"><code>dev@2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\"><code>2025<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\"><code>Azerty2025<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\"><code>P@ssw0rd@2025<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\"><code>Itsemoemo2025@Washere2025<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\"><code>Admin@2025<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\"><code>2026<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\"><code>claude2026!<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\"><code>20262026<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\"><code>admin2026<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\"><code>P@ssw0rd2026<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><strong>Figure 18: Most common passwords containing years from honeypot samples.\u00a0<\/strong><br \/>\n\u00a0<\/p>\n<table align=\"center\" border=\"1\">\n<thead>\n<tr>\n<th>Capture Year<\/th>\n<th>Password<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\"><code>bscs@2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\"><code>gameserver2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\"><code>dell1@2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\"><code>Redis@2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2024<\/td>\n<td style=\"text-align: center;\"><code>redhat2024<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\"><code>uqkxipImdQ97hzWScUrk20250402<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\"><code>100202500200<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\"><code>01022025<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\"><code>12025988<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2025<\/td>\n<td style=\"text-align: center;\"><code>001002025<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\"><code>test-2026<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\"><code>es!2026<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\"><code>P@ssw0rd2026~<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\"><code>ec2-user@2026<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">2026<\/td>\n<td style=\"text-align: center;\"><code>Ubuntu!2026<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><strong>Figure 19: Least common passwords containing years from honeypot samples.<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>Keep years and dates, especially the current year,\u00a0out of your passwords.<\/p>\n<p>\u00a0<\/p>\n<p>[1]\u00a0<a href=\"https:\/\/isc.sans.edu\/diary\/Number+Usage+in+Passwords\/30540\" target=\"_blank\">https:\/\/isc.sans.edu\/diary\/Number+Usage+in+Passwords\/30540<\/a><br \/>\n[2]\u00a0<a href=\"https:\/\/www.dropbox.com\/scl\/fi\/nl995gb6yziostxttxrol\/2026-04-09_figure16.png?rlkey=mfu6oteed72ohwhae8ml9y24g&amp;st=192holxm&amp;dl=0\" target=\"_blank\">https:\/\/www.dropbox.com\/scl\/fi\/nl995gb6yziostxttxrol\/2026-04-09_figure16.png?rlkey=mfu6oteed72ohwhae8ml9y24g&amp;st=192holxm&amp;dl=0<\/a><\/p>\n<p>&#8212;<br \/>\nJesse La Grew<br \/>\nSenior Handler<\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>In a previous diary [1], we looked to see how numbers were used within passwords submitted to honeypots. One of the items of interest was how dates, and more specifically years, were represented within the data and how that changed over time. It is often seen that years and seasons are used in passwords, especially [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-2377","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Number Usage in Passwords: Take Two, (Thu, Apr 9th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Number Usage in Passwords: Take Two, (Thu, Apr 9th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"In a previous diary [1], we looked to see how numbers were used within passwords submitted to honeypots. One of the items of interest was how dates, and more specifically years, were represented within the data and how that changed over time. It is often seen that years and seasons are used in passwords, especially [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-09T01:03:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Number Usage in Passwords: Take Two, (Thu, Apr 9th)\",\"datePublished\":\"2026-04-09T01:03:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/\"},\"wordCount\":1288,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/\",\"name\":\"Number Usage in Passwords: Take Two, (Thu, Apr 9th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png\",\"datePublished\":\"2026-04-09T01:03:59+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Number Usage in Passwords: Take Two, (Thu, Apr 9th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Number Usage in Passwords: Take Two, (Thu, Apr 9th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/","og_locale":"en_US","og_type":"article","og_title":"Number Usage in Passwords: Take Two, (Thu, Apr 9th) - Imperative Business Ventures Limited","og_description":"In a previous diary [1], we looked to see how numbers were used within passwords submitted to honeypots. One of the items of interest was how dates, and more specifically years, were represented within the data and how that changed over time. It is often seen that years and seasons are used in passwords, especially [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-04-09T01:03:59+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Number Usage in Passwords: Take Two, (Thu, Apr 9th)","datePublished":"2026-04-09T01:03:59+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/"},"wordCount":1288,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/","name":"Number Usage in Passwords: Take Two, (Thu, Apr 9th) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png","datePublished":"2026-04-09T01:03:59+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/2026-04-09_figure1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/number-usage-in-passwords-take-two-thu-apr-9th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Number Usage in Passwords: Take Two, (Thu, Apr 9th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2377","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=2377"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2377\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=2377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=2377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=2377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}