496,562 unique passwords. Captured by DShield honeypots from April 21, 2024, to March 29, 2026. That’s the raw fuel for understanding number usage in passwords—the sneaky digits hackers (and bots) love to cram into their guesses.
Look. Picture a digital fossil record. These aren’t real user creds; they’re what attackers try when probing fake login traps. And the numbers? They tell stories—stories of laziness, foresight, even bot herders syncing calendars a year ahead.
Top Contiguous Numbers Bots Can’t Quit
“123” tops the list. Then “1”. Familiar? Dead ringer for the results from two years back. But here’s the twist—not just lazy “123456” riffs. We’re seeing “100000”, “19”, “69”, “200”. Why? Turns out, one IP—147.45.47.117—wasn’t cracking passwords. It was stress-testing endpoints via ICMP. Those numbers? Packet counts and IP octets.
From November 18 to 24, 2024, this pest hit GCP, DigitalOcean, Azure, even residential honeypots. Skipped AWS, oddly. And it didn’t stop there—repeated script downloads from 45.125.66.215, trying to install who-knows-what as a service. File never landed, thank goodness.
Single digits follow the script: “0”, “1”, “2”, “3” dominate. Low numbers win, always have.
Four-digit combos? “1234” reigns. Years trail close—last year’s vintage leads, naturally. “2026” peeks in, but data’s young.
When Do Bots Start Guessing Future Years?
Heatmaps don’t lie. Years spike in their own calendar year—“2025” explodes in 2025 logs, “2024” ditto. Surprising? Hits for “2027” already, tiny but real.
An item that was surprising when looking at the data, is that there were already some hits for “2027”.
Table nails first sightings:
| Year | First Seen | Example |
|---|---|---|
| 2024 | 11/1/2023 | sysadmin2024 |
| 2025 | 4/5/2024 | @dm1n2025 |
| 2026 | 5/6/2024 | @2026 |
| 2027 | 8/11/2024 | 2027 |
Most pop up the prior year—late or early varies. “2027”? August 2024. Bots ahead of us.
Zoom out: future years galore. “2028” from April 27, 2024 (IP 27.47.108.14, password “020283”). “2029” same day, same source. “2030” even earlier. One IP (103.174.9.66) spits birthdate-y combos like “19820313”, “19820320”.
And “2023”? Heavily used end of 2024. Time travelers, these bots.
But wait—examples like “Spring2026!”, “AprilShowers26”, “Easter2026!”. Seasonal flair meets policy-forced changes. Frequent resets breed this: years, holidays, predictable as sunrise.
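The counting behind the top-numbers lists and the first-seen table can be reproduced in a few lines of Python. This is an added example, not the code used for the original analysis: the function names and the rows marked as constructed are assumptions, and the `whole_run_only` switch goes a step beyond the article to show how a plain substring match counts “2028” inside “020283”.

```python
import re
from collections import Counter
from datetime import date

# (date seen, password tried). Rows without a comment use a password and date
# quoted in the article; rows marked "constructed" are made up for this example.
ATTEMPTS = [
    (date(2023, 11, 1), "sysadmin2024"),
    (date(2024, 4, 5), "@dm1n2025"),
    (date(2024, 4, 27), "020283"),
    (date(2024, 5, 6), "@2026"),
    (date(2024, 8, 11), "2027"),
    (date(2024, 6, 2), "19820313"),      # password from article, date constructed
    (date(2026, 3, 1), "Spring2026!"),   # password from article, date constructed
    (date(2024, 9, 2), "admin123"),      # constructed
    (date(2024, 10, 10), "test123"),     # constructed
    (date(2025, 1, 15), "Passw0rd123"),  # constructed
]

DIGIT_RUN = re.compile(r"\d+")


def contiguous_numbers(attempts):
    """Count maximal digit runs across the unique passwords."""
    counts = Counter()
    for password in {pw for _, pw in attempts}:
        counts.update(DIGIT_RUN.findall(password))
    return counts


def first_seen(attempts, years, whole_run_only=False):
    """Map each year string to the earliest (date, password) containing it.

    By default any substring counts, so "2028" matches inside "020283".
    With whole_run_only=True the year must be an entire digit run.
    """
    seen = {}
    for day, password in sorted(attempts):
        runs = DIGIT_RUN.findall(password)
        for year in years:
            hit = year in runs if whole_run_only else year in password
            if hit and year not in seen:
                seen[year] = (day, password)
    return seen


if __name__ == "__main__":
    years = [str(y) for y in range(2024, 2032)]
    print(contiguous_numbers(ATTEMPTS).most_common(3))
    for mode in (False, True):
        print(mode, first_seen(ATTEMPTS, years, whole_run_only=mode))
```

With the strict mode, the far-future “hits” that come from longer digit strings such as birthdates drop out, while passwords like “Spring2026!” still count.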
Why Does This Matter for Tomorrow’s Defenses?
Here’s my take, the one you won’t find in the raw data: this mirrors the Morris Worm’s birthday problem from ’88. Back then, simple guesses cracked 10% of early Unix boxes—predictable users, dumb machines. Today? Bots echo that, but scaled to billions. They’re not AI geniuses yet (no wild perplexity here), just scrapers of leaked lists, updated yearly like clockwork.
Prediction: by 2027, expect ML-tuned guessers. Not just “2028”—but “Spring2028WithAI!”, laced with your leaked data. Honeypots prove bots lag humans by months, but closing fast. Corporate PR spins “passwordless future”—hype. Reality? Numbers stick because we’re creatures of habit.
Unique insight? These patterns scream botnet economics. Herders refresh lists quarterly (see “2026” in May ’24), minimizing compute waste. It’s efficient malice—like ants farming aphids, not lions hunting. Defenders: rotate beyond years. Enforce passphrases with entropy, not digits.
DDoS tie-in? Blurs lines. That 147.45.47.117 address wasn’t password-hunting; it was probing for pwnage post-breach. Commands masquerading as creds: “100000” packets, IP fragments. Honeypots caught it because they log everything.
Frequency charts? Lower digits everywhere—“0-3” crush it. Why? Keyboard flow, kid stuff, muscle memory. Bots amplify our flaws.
And those wild future years—2035 in May ’24? Some script kiddie blasting combos, or targeted birthday attacks from Asia IPs.
So, wonder hits: what if honeypots fed back into AI trainers? Attackers simulate defense; we simulate attack. Platform shift incoming—AI vs. AI in credential wars.
Energy here? Absolutely. This data’s a crystal ball. Bots dreaming 2027 while we’re stuck in 2025.
Frequently Asked Questions
What are honeypots and how do they catch password attempts?
Honeypots are decoy systems that log attacker probes without risk—perfect for tallying dumb guesses like “123” or “2027”.
When do future years like 2027 first appear in honeypot passwords?
“2027” showed up August 11, 2024—months early, from bots ahead of the curve.
Are bots using AI to guess passwords with numbers yet?
Not much—still predictable lists, but patterns hint at smarter updates soon.