And the most popular password is...

Summary: Analysis of 32 million passwords exposed in last month's RockYou.com server breach shows that millions of people continue to use weak passwords.

It is "123456," according to an analysis of 32 million passwords exposed in last month's RockYou.com server breach, which let researchers from Imperva study the insecure practices of millions of users when choosing their passwords.

What did their analysis conclude? Short passwords, no mix of lower-case, upper-case and numeric characters, and trivial dictionary words, all of which any decent brute-forcing/password-recovery application can find in a matter of minutes.

Key findings include:

  • With just 110 attempts per account, a hacker will typically gain access to one new account every second, and needs a mere 17 minutes to break into 1000 accounts
  • About 30% of users chose passwords of six characters or fewer
  • Moreover, almost 60% of users chose their passwords from a limited set of alphanumeric characters
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among RockYou.com account owners is “123456”
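The categories behind these findings (length, character-class mix, wordlist hits and trivial patterns, plus how many accounts the top guesses open) can be reproduced over any password dump. The script below is an added example, not code from Imperva's analysis or from this article: the sample corpus, the tiny wordlist, the keyboard rows and the six-character threshold are all constructed here, and "limited character set" is reported two ways, as a single character class and as alphanumeric-only.

```python
from collections import Counter

# Constructed sample corpus standing in for a password dump (not RockYou data).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "iloveyou", "princess",
    "qwerty", "abc123", "rockyou", "Nicole", "daniel", "12345678",
    "Tr0ub4dor&3", "correcthorse", "lol", "1234567", "monkey", "123456",
]

# Tiny stand-in for a real wordlist of names, slang and dictionary words.
WORDLIST = {"password", "iloveyou", "princess", "monkey", "daniel",
            "nicole", "rockyou", "lol"}

# Keyboard rows and the digit run, used to spot adjacent-key walks and
# consecutive digits such as "qwerty" or "123456".
KEY_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "0123456789"]


def char_classes(pw):
    """Set of character classes present in pw: lower, upper, digit, symbol."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def is_trivial(pw):
    """True for wordlist hits, a single repeated character, keyboard walks
    or consecutive digits (forwards or backwards)."""
    low = pw.lower()
    if low in WORDLIST:
        return True
    if len(low) > 0 and len(set(low)) == 1:
        return True
    if len(low) >= 3:
        for run in KEY_RUNS:
            if low in run or low in run[::-1]:
                return True
    return False


def summarize(passwords, short_limit=6):
    """Counts mirroring the report's categories, plus the most common values."""
    return {
        "total": len(passwords),
        "short": sum(1 for p in passwords if len(p) <= short_limit),
        "single_class": sum(1 for p in passwords if len(char_classes(p)) == 1),
        "alnum_only": sum(1 for p in passwords if p.isalnum()),
        "trivial": sum(1 for p in passwords if is_trivial(p)),
        "most_common": Counter(passwords).most_common(5),
    }


def top_n_coverage(passwords, n):
    """Fraction of accounts opened by trying only the n most common passwords."""
    top = {pw for pw, _ in Counter(passwords).most_common(n)}
    return sum(1 for p in passwords if p in top) / len(passwords)


if __name__ == "__main__":
    stats = summarize(SAMPLE_PASSWORDS)
    for key in ("short", "single_class", "alnum_only", "trivial"):
        pct = 100 * stats[key] / stats["total"]
        print(f"{key}: {stats[key]}/{stats['total']} ({pct:.0f}%)")
    print("most common:", stats["most_common"])
    print(f"accounts opened by the single top guess: {top_n_coverage(SAMPLE_PASSWORDS, 1):.1%}")
```

The `top_n_coverage` figure is the defender's view of the "110 attempts" finding: on a real dump, a short list of the most common passwords covers a surprisingly large share of accounts, which is why a banned-list check at registration pays off.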

The rest of the passwords rated by popularity:

It's important to point out that the same password, “123456”, also topped a similar chart based on a statistical analysis of 10,000 Hotmail passwords published in October 2009.

What actions on RockYou's part could have prevented this systematic practice of allowing end users to register with weak passwords?

Enforcing the use of stronger passwords as a long-term strategy, or borrowing short-term tricks from Twitter, such as its "banned passwords" list of 370 passwords that are not allowed during registration. And “123456” is at the top of that list.

For starters, the 32 million passwords were stored in an unencrypted format, according to RockYou.com's announcement; and even if they hadn't been, the fact that users were allowed to register with such weak passwords makes it possible for someone who gains access to the database to brute-force them in a very short period of time.

Consider going through the recommendations offered in the analysis, but keep in mind that strong passwords are just as weak as weak passwords if you're logging in from a malware-infected computer.


About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community...
