yes, it is.
Two days ago we made the same analysis. If you download the password list from have i been pwned, Have I Been Pwned: Pwned Passwords, ordered by prevalence you get a list of disclosed passwords sorted by prevalence : “how many times that password had been seen in the source data breaches”
Here is the first 5 more common passwords SHA1 hashed:
7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662
F7C3BC1D808E04732ADF679965CCC34CA7AE3441:7671364
B1B3773A05C0ED0176787A4F1574FF0075F7521E:3810555
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804
3D4F2BF07DC1BE38B20CD6E46949A1071F9D0E3D:3093220
The first column is the password hashed (more about this later)
Second column is how many times that password has shown up in disclosed password leaks
As you may see the most popular password has been seen 23 174 662, 23.1 million times.
The one in the second place is quite far from the first one: 7 671 364, 7.6 million times. 1/3 of the first place
Regarding hashing, it is called a one way encryption I can encrypt a string of characters to a given hash. But given the hash you can not find the original string.
For example:
if I find the SHA1 sum for string abcdefg I will get:
2fb5e13419fc89246865e7a324f476ec624e8740
But given this sha1 sum you can not simply decrypt it to the original string.
However anytime you find out the sha1sum for abcdefg you will always get 2fb5e13419fc89246865e7a324f476ec624e8740
This is very popular way to store passwords (as well as for some other unrelated things): If the user types in the same password, then the same hash will be obtained and of course it will match the hash I have stored.
Lets find out the SHA1 hash for the string 123456 (Im using a linux shell but you may obtain any sha1 hash here)
$ echo -n “123456”|sha1sum
7c4a8d09ca3762af61e59520943dc26494f8941b –
hum… if you look closely, it will match the first row in the hash list above. So yes, it looks like the 123456 is the most popular one.
Assignment:
Which is the second one? You have to start guessing.. . try several common one passwords, eg: admin, root, qwerty, password (yes!! people uses password as a password), also try them cased, eg: Password, QWERTY, etc
I already discovered them … Good luck!