And the most popular password is...

Summary: Analysis of 32 million passwords from last month's server breach shows that millions of people continue to use weak passwords.

TOPICS: Security

It is "123456," according to an analysis of 32 million passwords obtained from last month's server breach, which researchers from Imperva used to study the insecure practices of millions of users when choosing their passwords.

What did their analysis conclude? Short passwords, no mix of lower-case, upper-case and numeric characters, and trivial dictionary words, all of which any decent brute-forcing or password-recovery application can find in a matter of minutes.

Key findings include:

  • An attacker typically needs only about 110 guesses per compromised account, so at roughly 110 guesses a second that is one new account every second, or a mere 17 minutes to break into 1000 accounts
  • About 30% of users chose passwords of six characters or fewer
  • Moreover, almost 60% of users chose passwords drawn from a limited set of alphanumeric characters
  • Nearly 50% of users used names, slang words, dictionary words or trivial patterns (consecutive digits, adjacent keyboard keys, and so on). The most common password among account owners is "123456"
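To make the findings above concrete, here is an added Python example (not Imperva's tooling and not code from the article) that runs the same kind of analysis over a small constructed password list: the share of passwords of six or fewer characters, the share drawn from a single character class, the share that are dictionary words, digit runs or keyboard walks, and the cost in guesses of spraying the most common passwords across every account. The corpus, wordlist and keyboard layout are tiny stand-ins, not the leaked data.

```python
from collections import Counter

# Constructed sample standing in for the 32 million leaked passwords. The
# multiplicities are invented so that the statistics are non-trivial; they
# are not the real RockYou distribution.
SAMPLE_PASSWORDS = (
    ["123456"] * 8 + ["12345"] * 4 + ["password"] * 3 + ["iloveyou"] * 3
    + ["princess"] * 2 + ["abc123"] * 2 + ["qwerty"] * 2 + ["654321"]
    + ["1qaz2wsx", "Tr0ub4dor&3", "correct horse battery", "Ny7$kLp2qW",
       "jessica", "michael"]
)

# Tiny stand-ins for a names/slang/dictionary wordlist and a US keyboard.
DICTIONARY = {"password", "iloveyou", "princess", "jessica", "michael",
              "love", "monkey"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb",
                    "6yhn", "7ujm", "8ik,", "9ol.", "0p;/"]


def is_trivial(pw: str) -> bool:
    """Dictionary word, run of consecutive digits, or a keyboard walk."""
    low = pw.lower()
    if low in DICTIONARY:
        return True
    if low.isdigit() and len(low) >= 3:
        steps = [int(b) - int(a) for a, b in zip(low, low[1:])]
        if all(s == 1 for s in steps) or all(s == -1 for s in steps):
            return True          # 123456, 654321, ...
    if len(low) >= 4:
        if any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
            return True          # qwerty, asdfgh, ...
        chunks = [low[i:i + 4] for i in range(0, len(low), 4)]
        if len(low) % 4 == 0 and all(
                c in KEYBOARD_COLUMNS or c[::-1] in KEYBOARD_COLUMNS
                for c in chunks):
            return True          # 1qaz2wsx, zaq12wsx, ...
    return False


def charset_classes(pw: str) -> int:
    """How many of lower, upper, digit, other the password draws from."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def spray_cost(counts: Counter, total: int, k: int) -> float:
    """Guesses per compromised account when an attacker sprays the top-k
    passwords across every account (one guess per account per password):
    k guesses per account buy the fraction of users covered by the list."""
    covered = sum(c for _, c in counts.most_common(k))
    return k * total / covered


def analyze(passwords) -> dict:
    n = len(passwords)
    counts = Counter(passwords)
    short = sum(len(p) <= 6 for p in passwords)
    single = sum(charset_classes(p) <= 1 for p in passwords)
    trivial = sum(is_trivial(p) for p in passwords)
    return {
        "total": n,
        "most_common": counts.most_common(1)[0][0],
        "short": short, "short_pct": 100.0 * short / n,
        "single_class": single, "single_class_pct": 100.0 * single / n,
        "trivial": trivial, "trivial_pct": 100.0 * trivial / n,
        # online guessing cost against the top-1 and top-10 lists
        "cost_top1": spray_cost(counts, n, 1),
        "cost_top10": spray_cost(counts, n, 10),
    }


def seconds_to_crack(accounts: int, guesses_per_second: float, cost: float) -> float:
    """Wall-clock time to compromise `accounts` accounts at a given rate."""
    return accounts * cost / guesses_per_second


if __name__ == "__main__":
    r = analyze(SAMPLE_PASSWORDS)
    print(f"most common password: {r['most_common']!r}")
    print(f"<= 6 chars: {r['short_pct']:.1f}%  single class: "
          f"{r['single_class_pct']:.1f}%  trivial: {r['trivial_pct']:.1f}%")
    print(f"guesses per account, spraying top password: {r['cost_top1']:.1f}")
    t = seconds_to_crack(1000, 110, r["cost_top1"])
    print(f"1000 accounts at 110 guesses/s: {t / 60:.1f} minutes")
```

The spray cost is what turns a popularity share into an attack rate: a top password shared by 0.9% of accounts costs 1/0.009, about 111 guesses per compromise, so at roughly 110 guesses a second that is one account per second and about 17 minutes for 1000, the order of magnitude the findings quote. It assumes the site imposes no per-account lockout or rate limit, which is exactly what spraying exploits.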

(The rest of the top passwords, ranked by popularity, were shown in a chart that is not reproduced here.)

It's important to point out that the same password, "123456", also topped a similar chart based on a statistical analysis of 10,000 Hotmail passwords published in October 2009.

What could RockYou have done to prevent this systematic practice of allowing end users to register with weak passwords?

Enforcing the use of stronger passwords as a long-term strategy, or borrowing a short-term trick from Twitter, such as its "banned passwords" list of 370 passwords that are not allowed during registration. "123456" is at the top of that list.

For starters, the 32 million passwords were stored unencrypted, in plaintext, according to the company's announcement. And even if they had not been, the fact that users were allowed to register with such weak passwords would have made it possible to brute force them in a very short time once someone gained access to the database.
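The two failures in the previous paragraph, plaintext storage and no registration-time policy, and the fixes the article suggests, a banned-password list and protected storage, as one added Python example. This is illustration, not RockYou's or Twitter's code: the banned list is a small constructed stand-in for Twitter's 370-entry one, and the minimum length and the PBKDF2 work factor are choices made here, not figures from the article. The last function shows why hashing alone does not rescue a weak password.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a banned-password list such as the 370-entry one
# the article attributes to Twitter; the real list is not reproduced here.
BANNED = {"123456", "12345", "123456789", "password", "iloveyou", "princess",
          "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
          "babygirl", "monkey", "lovely", "jessica", "654321", "michael",
          "ashley", "qwerty"}
MIN_LENGTH = 8           # chosen here; the findings show ~30% of users at six or fewer
ITERATIONS = 100_000     # PBKDF2 work factor chosen here; raise as hardware allows


def check_policy(password: str) -> Optional[str]:
    """Registration-time check: a rejection reason, or None if acceptable."""
    if len(password) < MIN_LENGTH:
        return f"too short: at least {MIN_LENGTH} characters required"
    if password.lower() in BANNED:
        return "password is on the banned list"
    return None


# The weak design: the row hands every password to whoever reads the table.
def store_plaintext(username: str, password: str) -> dict:
    return {"user": username, "password": password}


# The hardened design: a per-user random salt and an iterated hash, so a
# stolen row yields nothing without per-password guessing work.
def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_hashed(username: str, password: str, *, enforce_policy: bool = True,
                 iterations: int = ITERATIONS) -> dict:
    if enforce_policy:
        reason = check_policy(password)
        if reason is not None:
            raise ValueError(reason)
    salt = secrets.token_bytes(16)
    return {"user": username, "salt": salt, "iterations": iterations,
            "hash": hash_password(password, salt, iterations)}


def verify(record: dict, attempt: str) -> bool:
    candidate = hash_password(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])   # constant-time compare


def offline_dictionary_attack(record: dict, wordlist) -> Optional[str]:
    """What an attacker does with a stolen hashed row: try each common
    password until one verifies. Hashing buys time per guess, not safety
    for a password that is on everybody's list."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    for pw in ("123456", "iloveyou", "correct horse battery"):
        print(f"{pw!r}: {check_policy(pw) or 'accepted'}")
    print("plaintext row:", store_plaintext("alice", "correct horse battery"))
    row = store_hashed("alice", "correct horse battery")
    print("hashed row exposes only:", row["hash"].hex()[:16], "... plus salt")
    print("login with right password:", verify(row, "correct horse battery"))
    # A weak password that slipped past registration (policy disabled here to
    # simulate that) falls to a short wordlist even though it was hashed.
    weak = store_hashed("bob", "iloveyou", enforce_policy=False, iterations=1000)
    print("offline attack recovered:", offline_dictionary_attack(weak, sorted(BANNED)))
```

Both controls are needed together: the hash protects passwords that are not guessable, and the banned list keeps out the ones that are, which no amount of hashing can protect.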

Consider going through the recommendations offered in the analysis, but keep in mind that a strong password is just as weak as a weak one if you're logging in from a malware-infected computer.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Epic Fail

    Admins need to monitor passwords better. Users who pick something like this need to be reprimanded or re-trained.
    The one and only, Cylon Centurion
    • That's Amazing!!!

      "I've got the same combination on my luggage!!!"

      President Skroob, [i]Spaceballs, The Movie[/i]


      • LOL, classic! (NT)

        Loverock Davidson
      • that's !

        Exactly what I thought when I saw it...

        and followed by Dark Helmet's first reply about this password:

        "123456! That's a password idiots use to protect their luggage!".
        • I liked . . .

          the look they gave him when he said that about his luggage . . . :)
    • No.

      Problem 1)
      Complete waste of resources; much better to let natural selection run its course.

      Problem 2)
      The passwords shouldn't be being stored in plain text where the admin (or attackers) can view them. That is a horrible design flaw. They should be stored as salted hashes.
      • Totally agree

        Passwords should NEVER be stored in a
        retrievable format. Should always be salted
        with something (persistent) from the users
        account and something app specific.

        Admins MUST NEVER be allowed to retrieve users

        Even draconian lameness filters will be
        circumvented. I bet those who came up with
        654321 thought they were being really smart. A
        seemingly strong password like 1qaz@WSX may
        pass a lameness filter. But look at your
        keyboard and how those letters are arranged.
        Crackers know this.

        The core of this problem is passwords
        themselves. We need a better two-factor system
        (something you know and something you have) and
        we need federated and anonymized access.
        • ssh (disable passwords) use keys

          with pass-phrase and be done with servers.

          Change the port from 22 to another high
          level port number.

          People go away once they find out you know
          how to secure systems.

          Also, when you use secure email server
          software other than MS, you enforce strict
          passwords and force them to expire and
          not be re-used.
          • If you run your own mail server, and do so only for your own use, sure.

            But how can anyone else use it if they don't know what port you're running it on? If all mail servers did this nobody would
            be able to use email.
          • It might work at LANL, but not most places.

            Most businesses won't support the added confusion, and there are downsides in addition to that as well; see some of the comments below.
          • Other than MS?

            AD and Exchange have very good tools to enforce strict password selection. I know because users complain how hard it is to pick a password.
        • Make passwords simpler

          Best thing is to allow simple passwords with an extremely short lockout time. So you could have a password of Cat and 3 attempts. Sure, it's easy to crack if you have unlimited attempts, but if the account locks after you try 3 times, the chances of you guessing Cat in the first 3 times are near impossible. Users with a password as simple as Cat wouldn't forget it, would be unlikely to mistype it and would not trigger the 3-attempt lockout. If you see accounts getting locked out all the time you have a sure-fire alert that something is going on that shouldn't be.

          Tack on a token and a fingerprint to this short password and it's even better.
      • Natural selection is for [i]nature[/i]

        You can't let "natural selection" take its course when you're running a business. Yes, the users in question might be idiots, but guess whose neck is on the line if their accounts get hacked? Part of the reason that admins need to care about this is because if they don't have the proper password policies in place, [i]they'll[/i] get blamed when their systems are hacked. (There's a certain amount of justice to this, since it [i]is[/i] the admins' systems.)
        • That would be like..

          ..blaming Ford if my car got stolen because they
          didn't force me to lock the door, or if I got into
          an accident because they didn't force me to obey
          the speed limit. Absolutely ridiculous.
          • Not a great analogy on your part.

            The question is, how good is the lock?

            Remember: These people [i]did[/i] lock the door, so to speak. It's not like they don't have passwords. What happens here is more akin to jimmying open a car door with a slim jim (lockout tool), or, more crudely, breaking the window to get to the lock. It's not reasonable to blame users if they're going by your password requirements. But it [i]is[/i] reasonable to be blamed by users if the specs you set for passwords don't keep them secure. It'd certainly be [i]nice[/i] if users knew more about security, but it's hardly reasonable to expect them to know more than the admins who set the password requirements.
          • My analogy was right..

            ..yours is the one that is messed up! The car
            makers are responsible for how strong the lock
            is. Lock strength would be equivalent to how
            hard it is for someone to hack into your account
            (not trick you into letting them have it).

            Choosing a retarded password that anyone can
            guess is the same as not locking it at all, or
            locking it with a key that everybody has. Not
            the maker's fault.
          • You're ignoring one critical aspect.

            [i]Choosing a retarded password that anyone can
            guess is the same as not locking it at all, or
            locking it with a key that everybody has. Not
            the maker's fault.[/i]

            It's the maker's fault if they can [i]limit[/i] what kind of keys the user can use.

            If you're capable of preventing a user from using a "retarded password", and you [i]don't[/i] prevent them from using it, then that's mostly on you, because you, as the admin, should've [i]known[/i] better. To most end users, a "brute force attack" is getting mugged, not something to do with computers.
          • Which is the same as saying that..

            ..Ford or Toyota could have [i]limited[/i] (read:
            removed) the users ability to disobey the speed
            limit, or start the car without a seatbelt on, or
            leave their car without locking it, in order to
            prevent accidents/injuries/thefts, and that they
            are responsible for these problems since they
            didn't prevent them.
          • Not quite.

            [i]Ford or Toyota could have limited (read:
            removed) the users ability to disobey the speed
            limit, or start the car without a seatbelt on, or leave their car without locking it, in order to prevent accidents/injuries/thefts, and that they are responsible for these problems since they didn't prevent them.[/i]

            Again, your analogy doesn't accurately reflect what's going on. If the users kept their passwords to the default one that was on it when it was set up, [i]then[/i] it would be analogous to not wearing their seat belts, or not locking their cars, etc. These people [i]chose[/i] passwords. They just chose crappy ones, because as end users, they didn't [i]know[/i] any better, and no one set decent guidelines. You're basically confusing recklessness (which it would be if they should've known better) with plain old ignorance.

            If you don't give people guidelines for what their passwords should be like, they'll pick bad ones, because they aren't security savvy. It's not their [i]job[/i] to be. It's the admin's job to safeguard the server.

            And what's worse is that it's a total abdication of the admin's responsibility to the [i]other[/i] users, whose security could be compromised by the breach.
          • "If the users kept their passwords to the default one that was on it"?


            To register, you must choose an account name, password, and email.
            There is no "default" one to leave it on. You choose a username that
            you will be known by, and a password that can be used to prove that
            username is yours. Obviously if you give that password to someone
            else, or make it easy for someone else to obtain it, they will be
            able to use that username. This isn't a problem with the current
            system. It isn't a problem at all. It is simply the design.

            There is no "guideline" to give. The password provides access to the
            account; so if you give it away or make it easy to guess, then it is
            directly inferred that other people will have access to your
            account. What more is there for an admin to say on the matter?

            Obviously the user isn't [i]trying[/i] to let strangers use their
            account, just like someone driving over the speed limit isn't
            [i]trying[/i] to kill people, someone in such a hurry (say, getting
            someone who is having a stroke to the hospital) that they don't
            bother buckling up/putting on a seatbelt/helmet isn't [i]trying[/i]
            to kill themselves, someone who leaves their car unlocked isn't
            [i]trying[/i] to let strangers use it, etc. But just because the
            users don't intend it, doesn't make it any less [i]their[/i]