If you run an ssh server (especially if you still run it on the default port), you've no doubt had plenty of folks scan your machine and do password guessing attacks against it.  BTW, you'll never get in mine that way, I only allow public/private key authentication, but that is beside the point here.  I've done a couple of other reports analyzing passwords, and I really like pipal by Robin Wood for much of the analysis (you can grab it from here ).  I've been running a kippo ssh honeypot for the day job for about 2 years and I've done a couple of reports on the password guesses for the ThreatTraq webcast, but then I discovered that in addition to firewall logs and the 404 logs, we also collect kippo logs here at the SANS Internet Storm Center.  Ooh, more data!!  If you'd like contribute, please grab https://isc.sans.edu/kipposcript.pl .  So, without further ado, here is what I've found in our kippo data (as of about 15 April 2013).  I should note here, though, that these are the guesses the bad guys are making.  They've developed their lists most likely based on what has worked for someone at some point, so they will be somewhat different from what you find in analyzing passwords from breaches like my analysis of last year's Yahoo breach .