Security firm Imperva, by examining 32 million passwords that were posted to the Internet after a security breach at RockYou.com, has come up with a list of the most common passwords chosen by consumers. The results are not pretty, except for hackers, as the most popular password is 123456.
It was bad enough that RockYou saw fit to store the passwords in clear text, and that they were extracted through a SQL Injection vulnerability. But the choices that end users made for their passwords show that people still have a long way to go in terms of security.
The report (PDF) states that the top 20 passwords were:
Password (followed by number of users with the password):
- 123456 (290,731)
- 12345 (79,078)
- 123456789 (76,790)
- Password (61,958)
- iloveyou (51,622)
- princess (35,231)
- rockyou (22,588)
- 1234567 (21,726)
- 12345678 (20,553)
- abc123 (17,542)
- Nicole (17,168)
- Daniel (16,409)
- babygirl (16,094)
- monkey (15,294)
- Jessica (15,162)
- Lovely (14,950)
- michael (14,898)
- Ashley (14,329)
- 654321 (13,984)
- Qwerty (13,856)
Amazing that 13,984 users thought that reversing 123456 to arrive at 654321 was sufficient protection as a password. Twenty per cent of the passwords were common names and slang or easily remembered number combinations.
Some of the key findings of the study:
- About 30% of users chose passwords whose length is equal or below six characters.
- Almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
The reason for this is obvious: people want something they can remember.
While not studied in this report, many also use the same password over and over and over. Thus if a hacker gets one password, he can break into any of their accounts.
Imperva made the following recommendations:
- The password should be at least eight characters in length.
- It should contain a mix of four different types of characters: upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;". If there is only one letter or special character, it should not be either the first or last character in the password.
- It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.
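To make the three recommendations concrete, here is an added Python checker (not part of Imperva's report or this article) that applies them to a candidate password and also rejects the top-20 passwords listed above. The `WORDLIST` is a constructed stand-in for a real dictionary and name list; the name and e-mail fragment check is one reasonable reading of the last rule.

```python
import re

# Passwords named on this page as the most common in the RockYou dump.
ROCKYOU_TOP = {"123456", "12345", "123456789", "password", "iloveyou",
               "princess", "rockyou", "1234567", "12345678", "abc123",
               "nicole", "daniel", "babygirl", "monkey", "jessica",
               "lovely", "michael", "ashley", "654321", "qwerty"}

# Constructed, tiny stand-in for a dictionary / common-name list.
WORDLIST = {"monkey", "princess", "summer", "dragon", "nicole"}


def check_password(pw, name="", email=""):
    """Return the list of Imperva rules the password violates ([] if it passes)."""
    problems = []
    # Rule 1: at least eight characters.
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # Rule 2: all four character classes must be present.
    classes = {
        "upper": [c for c in pw if c.isupper()],
        "lower": [c for c in pw if c.islower()],
        "digit": [c for c in pw if c.isdigit()],
        "special": [c for c in pw if not c.isalnum()],
    }
    missing = [k for k, v in classes.items() if not v]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    # Rule 2, second half: a lone letter or lone special character must not
    # sit at either end, where it is trivially guessable.
    letters = [c for c in pw if c.isalpha()]
    if len(letters) == 1 and (pw[0].isalpha() or pw[-1].isalpha()):
        problems.append("only letter is at the start or end")
    if len(classes["special"]) == 1 and (not pw[0].isalnum() or not pw[-1].isalnum()):
        problems.append("only special character is at the start or end")
    # Rule 3: no names, slang, dictionary words, or known common passwords.
    lower = pw.lower()
    if lower in WORDLIST or lower in ROCKYOU_TOP:
        problems.append("dictionary word, name or known common password")
    # Rule 3, second half: no fragment of the user's name or e-mail address.
    # Fragments shorter than four characters (e.g. "com") are skipped to
    # avoid false positives on ordinary substrings.
    fragments = [p for p in re.split(r"[\s.@_-]+", f"{name} {email}".lower())
                 if len(p) >= 4]
    if any(f in lower for f in fragments):
        problems.append("contains part of the user's name or e-mail address")
    return problems
```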
In addition to all these tips, Microsoft has a password strength tester. Type your password in there and it will tell you how strong or weak your password is.
For those who may have trouble remembering passwords, there are programs to help with that problem, many of them, in fact. Browsers themselves will store passwords, but there are plenty of standalone programs. One favorite of ours is LastPass. It's free, and stores your passwords online (and locally), so that you can have them synced to different PCs you use. There are many others, and a simple search on "password" will bring up many of them (Roboform, KeePass, etc., etc.).