123456 The Key To Password Hacking

Security firm Imperva, by examining 32 million passwords that were posted to the Internet after a security breach at RockYou.com, has come up with a list of the most common passwords chosen by consumers. The results are not pretty, except for hackers, as the most popular password is 123456.

It was bad enough that RockYou saw fit to store the passwords in clear text, and that they were extracted through a SQL Injection vulnerability. But the choices that end users made for their passwords show that people still have a long way to go in terms of security.  


Image Credit, Flickr User See-ming Lee

The report (PDF) states that the top 20 passwords were:

Password (followed by number of users with the password):
  1. 123456 (290,731)
  2. 12345 (79,078)
  3. 123456789 (76,790)
  4. Password (61,958)
  5. iloveyou (51,622)
  6. princess (35,231)
  7. rockyou (22,588)
  8. 1234567 (21,726)
  9. 12345678 (20,553)
  10. abc123 (17,542)
  11. Nicole (17,168)
  12. Daniel (16,409)
  13. babygirl (16,094)
  14. monkey (15,294)
  15. Jessica (15,162)
  16. Lovely (14,950)
  17. michael (14,898)
  18. Ashley (14,329)
  19. 654321 (13,984)
  20. Qwerty (13,856)

Amazing that 13,984 users thought that reversing 123456 to arrive at 654321 was sufficient protection as a password. Twenty per cent of the passwords were common names and slang or easily remembered number combinations.

Some of the key findings of the study:
  • About 30% of users chose passwords of six characters or fewer.
  • Almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
The reason for this is obvious: people want something they can remember.

While not studied in this report, many also use the same password over and over and over.  Thus if a hacker gets one password, he can break into any of their accounts.

Imperva made the following recommendations:
  • The password should be at least eight characters in length.
  • It should contain a mix of four different types of characters: upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last character in the password.
  • It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.
In addition to all these tips, Microsoft has a password strength tester. Type your password in here and it will tell you how strong or weak your password is.
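As an added example (not from the article or from Imperva's report), the Python checker below implements the three recommendations above and runs the article's top-20 list through them; the word list of names and slang is a constructed stand-in for a real dictionary.

```python
import re
import string

# Constructed stand-in for a real list of names, slang and dictionary words.
DICTIONARY = {"password", "iloveyou", "princess", "rockyou", "monkey", "lovely",
              "qwerty", "babygirl", "abc123", "nicole", "daniel", "jessica",
              "michael", "ashley"}

# The four character types the recommendation names; specials are the ones it lists.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set('!@#$%^&*,;"'),
}

# The top 20 RockYou passwords quoted in the article.
TOP20 = ["123456", "12345", "123456789", "Password", "iloveyou", "princess",
         "rockyou", "1234567", "12345678", "abc123", "Nicole", "Daniel",
         "babygirl", "monkey", "Jessica", "Lovely", "michael", "Ashley",
         "654321", "Qwerty"]


def _lone_at_edge(pw, chars):
    """True if exactly one character of this class exists and it sits first or last."""
    pos = [i for i, c in enumerate(pw) if c in chars]
    return len(pos) == 1 and pos[0] in (0, len(pw) - 1)


def check_password(pw, name="", email=""):
    """Return the recommendations the password violates (empty list means it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    present = {cls for cls, chars in CLASSES.items() if any(c in chars for c in pw)}
    missing = sorted(set(CLASSES) - present)
    if missing:
        problems.append("missing character types: " + ", ".join(missing))
    letters = CLASSES["upper"] | CLASSES["lower"]
    if _lone_at_edge(pw, letters) or _lone_at_edge(pw, CLASSES["special"]):
        problems.append("only letter or special character is first or last")
    lowered = pw.lower()
    if lowered in DICTIONARY:
        problems.append("name, slang or dictionary word")
    # No part of the user's name (3+ letter tokens) or the e-mail local part may appear.
    parts = [p for p in re.split(r"[\s._-]+", name.lower()) if len(p) >= 3]
    local = email.lower().split("@")[0]
    if len(local) >= 3:
        parts.append(local)
    if any(p in lowered for p in parts):
        problems.append("contains part of name or e-mail address")
    return problems


def count_passing(passwords):
    """How many of the given passwords satisfy every recommendation."""
    return sum(1 for p in passwords if not check_password(p))
```

None of the article's top 20 survives even the length and character-type rules, which is the point of the list.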

For those who may have trouble remembering passwords, there are programs to help with that problem, many of them, in fact.  Browsers themselves will store passwords, but there are plenty of standalone programs. One favorite of ours is LastPass. It's free, and stores your passwords online (and locally), so that you can have them synced to different PCs you use. There are many others, and a simple search on "password" will bring up many of them (Roboform, KeePass, etc., etc.).

The programmers who thought that storing passwords in plaintext should be fired. Seriously. Anyone worth their salt (no pun intended) knows that doing that is a horrible, horrible idea.


/agree. Why weren't they using one-way hashes?


Where is the pun? I don't get it.


Remember this list doesn't include Social Security numbers, phone numbers, addresses or birthdates.

Also it's usually a bad idea to keep the same password for all your accounts, but most people still do.


Hey, I wonder about that SS# thing. How long would it take a determined hacker to get one? 10 minutes? It is straight numbers and they have a layout scheme which is known.


1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!


LOL... Soup - Spaceballs!

Last night I had my brother in-law send me a Remote Assistance invitation so that I could remove what turned out to be the Koobface virus on his wife's computer. Before even seeing this, I told him to make the password "123456" - just because I knew there would be no typos and it had to be 6 chars long.

It's surprising that 22,588 people thought "rockyou" was a good password for rockyou.com. I guess I now know which password to try if hacking random Facebook accounts.


What about "hothardware" for your hothardware.com login? It's so obvious no one will suspect it!


I have used a couple of those passwords before :)


That M$ password strength tester is BS. The highest it goes is medium, it seems. I typed a 28-character random sequence in it and it is the same strength as my personal passwords (all 5 of them), which is medium; nothing got higher than that. I will have to try one of my randoms with caps but doubt it goes any higher.


I got best. I think it wants you to use Caps, lowercase, numbers and symbols for the ultimate password. I used three variations on your s/n to achieve unhackable password supremacy "rapiD1raP!dIR@p*)i"

The best way to get someone's SS# is to call them up and pretend to be their health insurance company or something similar. You could also go through their mail and hopefully get at least the last 4 digits of their SS#. And I'm guessing a substantial minority use the last 4 digits of their SS# and their ATM pin.


Yes, for the best password strength, you want to use some of every character available to you. That being said, there are some sites and programs that don't let you use symbols and others.


My two passwords are an expression of my smart-ass nature. An inside personal joke. So stupid as to be brilliant. I think,...............


By the way, you can get into 95% of routers out there with account=admin password=admin. Just thought I'd share that.


ClemSnide:

By the way, you can get into 95% of routers out there with account=admin password=admin. Just thought I'd share that.

Reminds me of 2 of my favorite sites. http://www.routerpasswords.com/  &  http://cirt.net/passwords


Just wondering if anyone knows how to retrieve a password for Turbo Tax. I seemed to have password protected my tax file for last year with all of the itemizations on it and don't want to spend weeks redoing it.


lol wow those are some good passwords. Although I use the same 2-3 passwords for all my accounts, I try to make them long but easy to remember for myself :)
