123456 The Key To Password Hacking
It was bad enough that RockYou stored its users' passwords in clear text, and that they were extracted through a SQL injection vulnerability. But the choices the users themselves made show that people still have a long way to go on password security.
The Imperva report (.PDF) lists the top 20 passwords, followed by the number of users who chose each:
- 123456 (290,731)
- 12345 (79,078)
- 123456789 (76,790)
- Password (61,958)
- iloveyou (51,622)
- princess (35,231)
- rockyou (22,588)
- 1234567 (21,726)
- 12345678 (20,553)
- abc123 (17,542)
- Nicole (17,168)
- Daniel (16,409)
- babygirl (16,094)
- monkey (15,294)
- Jessica (15,162)
- Lovely (14,950)
- michael (14,898)
- Ashley (14,329)
- 654321 (13,984)
- Qwerty (13,856)
Some of the key findings of the study:
- About 30% of users chose passwords of six characters or fewer.
- Almost 60% of users chose passwords drawn from a limited set of alphanumeric characters.
- Nearly 50% of users chose names, slang words, dictionary words, or trivial patterns such as consecutive digits or adjacent keyboard keys.
Although the report did not study it, many people also reuse the same password across sites, so an attacker who obtains it from one breach can log in to any of their other accounts.
Imperva made the following recommendations:
- The password should be at least eight characters long.
- It should contain all four character types: upper-case letters, lower-case letters, digits, and special characters such as !@#$%^&*,;" . If the password contains only one letter or only one special character, that character should not be the first or the last one.
- It should not be a name, a slang word, or any dictionary word, and it should not include any part of your name or your e-mail address.
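Those three recommendations map directly onto a policy check. What follows is an added example, not code from the article or from Imperva: it turns the recommendations into a checker and runs it over the top-20 list above, treating that list as a breached-password blocklist. The small word list, the keyboard-row sequences and the sample name and e-mail address are assumptions for illustration; a real deployment would load a full dictionary. One caveat a practitioner would add today: current guidance (NIST SP 800-63B) favors checking candidates against breached-password lists, as the blocklist test here does, over character-composition rules.

```python
"""Password policy checker built from the Imperva recommendations.

Added example, not the article's or Imperva's code. The word list, keyboard
rows and sample name/e-mail are assumptions made for illustration.
"""
import re

# Constructed sample input: the article's top-20 RockYou passwords, used
# here as a breached-password blocklist.
ROCKYOU_TOP20 = [
    "123456", "12345", "123456789", "Password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "Nicole", "Daniel",
    "babygirl", "monkey", "Jessica", "Lovely", "michael", "Ashley",
    "654321", "Qwerty",
]

# Stand-in for a full dictionary/slang/name list (assumption).
WORDLIST = {"password", "princess", "monkey", "lovely", "love", "baby",
            "girl", "iloveyou", "rockyou", "nicole", "daniel", "jessica",
            "michael", "ashley"}

# Sequences that count as "trivial": digit runs, keyboard rows, alphabet.
SEQUENCES = ("0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz")


def is_trivial_sequence(pw: str) -> bool:
    """True if the whole password is a run of 3+ consecutive digits,
    adjacent keyboard keys or alphabet letters, in either direction."""
    s = pw.lower()
    if len(s) < 3:
        return False
    return any(s in seq or s in seq[::-1] for seq in SEQUENCES)


def char_classes(pw: str) -> set:
    """Which of the four required character types the password contains.
    Anything that is not a letter or digit counts as 'special'."""
    classes = set()
    for c in pw:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def _lone_char_at_edge(pw: str, pred) -> bool:
    """True if exactly one character matches pred and it is first or last."""
    positions = [i for i, c in enumerate(pw) if pred(c)]
    return len(positions) == 1 and positions[0] in (0, len(pw) - 1)


def personal_tokens(name: str, email: str) -> set:
    """Pieces (3+ chars) of the user's name and e-mail address that must not
    appear in the password. Splitting on non-alphanumerics is my
    approximation of 'any part of your name or e-mail address'."""
    raw = re.split(r"[^a-z0-9]+", f"{name} {email}".lower())
    return {t for t in raw if len(t) >= 3}


def check_password(pw: str, name: str = "", email: str = "") -> list:
    """Return the recommendations the password violates (empty list = OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    missing = {"upper", "lower", "digit", "special"} - char_classes(pw)
    if missing:
        problems.append("missing character types: " + ", ".join(sorted(missing)))
    if _lone_char_at_edge(pw, str.isalpha):
        problems.append("only letter is first or last character")
    if _lone_char_at_edge(pw, lambda c: not c.isalnum()):
        problems.append("only special character is first or last character")
    low = pw.lower()
    if low in WORDLIST or low in {p.lower() for p in ROCKYOU_TOP20}:
        problems.append("dictionary word, name or breached password")
    if is_trivial_sequence(pw):
        problems.append("consecutive digits or adjacent keyboard keys")
    hits = sorted(t for t in personal_tokens(name, email) if t in low)
    if hits:
        problems.append("contains part of name/e-mail: " + ", ".join(hits))
    return problems


def audit(passwords, name: str = "", email: str = "") -> dict:
    """Map each password in a list to its violations."""
    return {pw: check_password(pw, name, email) for pw in passwords}


def failure_rate(passwords, name: str = "", email: str = "") -> float:
    """Fraction of the list that violates at least one recommendation."""
    results = audit(passwords, name, email)
    return sum(1 for v in results.values() if v) / len(results)


if __name__ == "__main__":
    for pw, problems in audit(ROCKYOU_TOP20).items():
        print(f"{pw:12} {'OK' if not problems else '; '.join(problems)}")
    print(f"\n{failure_rate(ROCKYOU_TOP20):.0%} of the top-20 list fails the policy")
    # A constructed password that passes every rule for a hypothetical user:
    print(check_password("Tr0ub4dor&3x", name="Nicole Smith",
                         email="nicole.smith@example.com"))
```

Every one of the twenty entries fails at least one rule, most of them several. The "contains part of name/e-mail" check is deliberately strict (it matches any 3+ character token, including the e-mail domain), which is the right default for a policy check, since a looser match is what lets "Nicole2009!" through.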
For those who have trouble remembering passwords, there are plenty of programs to help. Browsers will store passwords themselves, but there are also many standalone password managers. One favorite of ours is LastPass: it's free and stores your passwords online (and locally), so they stay in sync across the PCs you use. There are many others (RoboForm, KeePass, etc.), and a simple search on "password manager" will bring them up.