
by James Maguire
Having spoken with many security experts over the years, I've been amazed by tales of security carelessness. One common practice among the cubicle class: writing their password on little sticky notes pasted to their monitor.
But that's downright encrypted compared with the passwords people create. Researchers from Imperva analyzed 32 million hacked passwords from the recent breach at RockYou.com. They found the most common password is -- drum roll, please -- "123456".
Wow, seriously? That's as original as you can get? Just type the first six numbers in succession?
But guess what? Even that shows more effort than the No. 2 most popular password: "12345". I guess adding the "6" was too much effort.
At No. 3 were a group of users who were far more industrious, if no less careful: "123456789".
For your reading amusement, here are the rest of the Top 20 Most Popular Passwords -- not a popularity list you want to be on:
4) Password
5) iloveyou [I appreciate these folks. They clearly believe in the power of love. But I'm worried about their family savings accounts.]
6) princess
7) rockyou
8) 1234567
9) 12345678
10) abc123
11) Nicole
12) Daniel
13) babygirl
14) monkey [My personal favorite highly hackable password. I mean, really, monkey?]
15) Jessica
16) Lovely
17) michael
18) Ashley
19) 654321 [Tricky, huh? It's the numbers...backwards! No one will ever figure that out!]
20) Qwerty
Two factors are heading toward each other, like freight trains charging toward an explosive crash: 1) The password cracking software used by hackers is getting ever more sophisticated, and 2) Users keep creating weak passwords, year after year. The Imperva findings cited two studies, ten years apart, that showed no improvement in the passwords people choose.
This mix of automated software and poor passwords means that "In just 110 attempts, a hacker will typically gain access to one new account in every second or a mere 17 minutes to break into 1,000 accounts," Imperva states. A sobering thought. Note what kind of attack that describes: a short list of common passwords tried against many accounts, not many passwords against one account, so a per-account lockout threshold never trips.
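To make the Imperva arithmetic concrete, here is an added example (my own code, not Imperva's analysis or anything from the article). It takes a constructed dump of 100 plaintext passwords with a deliberately skewed distribution, tabulates the most common ones the way the report did, and then measures what an attacker gets by trying the article's top-ten list in order against every account: the fraction of accounts that fall and the average number of online guesses spent per compromised account. The sample data and the 100-account size are constructed for illustration; nothing here reproduces the real 32 million records.

```python
"""Frequency analysis of a password dump and the cost of guessing with a top-N list.

Added example. SAMPLE_DUMP is constructed data, NOT the RockYou dump; only its
shape (a handful of passwords covering most accounts) mimics what Imperva reported.
"""
from collections import Counter

# Constructed dump of 100 plaintext passwords (assumption: an attacker or an auditor
# has the plaintext, as was the case with RockYou).
SAMPLE_DUMP = (
    ["123456"] * 30 + ["12345"] * 18 + ["123456789"] * 12 + ["Password"] * 9
    + ["iloveyou"] * 7 + ["princess"] * 5 + ["monkey"] * 4 + ["abc123"] * 3
    + ["A*t34eO4>u", "stink56Duck", "654321", "Qwerty", "letmein", "mon34key",
       "MOnkey3", "Tr0ub4dor&3", "zebra-quilt-77", "9Xq!vLm2", "babygirl", "rockyou1"]
)

# The article's top ten, used as the attacker's guess list (tried in this order).
TOP10 = ["123456", "12345", "123456789", "Password", "iloveyou",
         "princess", "rockyou", "1234567", "12345678", "abc123"]


def top_passwords(passwords, n=20):
    """The n most common passwords in the dump and their counts, most common first."""
    return Counter(passwords).most_common(n)


def top_n_share(passwords, n):
    """Fraction of all accounts covered by the dump's own n most common passwords
    (the statistic behind 'the top N passwords cover X% of users')."""
    covered = sum(count for _, count in top_passwords(passwords, n))
    return covered / len(passwords)


def coverage(passwords, guess_list):
    """Fraction of accounts that fall if every guess in guess_list is tried
    against every account (a spraying attack with a fixed list)."""
    guesses = set(guess_list)
    return sum(1 for p in passwords if p in guesses) / len(passwords)


def attempts_per_compromise(passwords, guess_list):
    """Average online guesses spent per account compromised when guess_list is
    tried in order against each account, stopping at the first hit. An account
    that never matches costs the full list."""
    rank = {}
    for i, guess in enumerate(guess_list, start=1):
        rank.setdefault(guess, i)          # first occurrence wins if the list has duplicates
    attempts = hits = 0
    for pw in passwords:
        if pw in rank:
            attempts += rank[pw]
            hits += 1
        else:
            attempts += len(guess_list)
    return attempts / hits if hits else float("inf")


if __name__ == "__main__":
    for pw, count in top_passwords(SAMPLE_DUMP, 5):
        print(f"{count:3d}  {pw}")
    print(f"share of accounts using one of the dump's top 3: {top_n_share(SAMPLE_DUMP, 3):.0%}")
    print(f"accounts that fall to the TOP10 list: {coverage(SAMPLE_DUMP, TOP10):.0%}")
    print(f"online guesses per compromised account: "
          f"{attempts_per_compromise(SAMPLE_DUMP, TOP10):.1f}")
```

On the constructed dump the whole top-ten list compromises 84% of accounts at under five guesses per account gained; the real figure depends entirely on how skewed the distribution is, which is exactly what a frequency table like `top_passwords` tells you about your own user base.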
In fairness, it's a hassle to create a truly strong password. It should be at least 7 characters long, contain no complete dictionary words (or your name, or your pet's name) and mix upper- and lowercase letters, numerals and symbols. For instance:
A*t34eO4>u
But who can remember that? I'd rather just use "monkey".
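Here is the rule above turned into a check, as an added example (my code, not the article's). It goes one step beyond the rule as written: the dictionary test runs both on the password and on its letters alone, so a word with digits pushed into the middle of it still counts as containing a dictionary word. The word and name lists are a small constructed stand-in; a real check would load a full word list (for example /usr/share/dict/words) plus the user's own name and pet names.

```python
"""Check a password against the article's rule: length, character mix, no dictionary
words or names. Added example; the word lists are a constructed stand-in."""
import re
import string

# Constructed mini-dictionary and name list (assumption: a real deployment loads
# a full word list and the account holder's own names instead).
DICTIONARY = {"monkey", "password", "princess", "love", "lovely", "stink", "duck",
              "rock", "baby", "girl", "secret", "qwerty"}
NAMES = {"nicole", "daniel", "jessica", "michael", "ashley"}
MIN_WORD = 4  # ignore very short words, which would match almost any string


def password_problems(pw, min_len=7, words=DICTIONARY | NAMES):
    """Return a list of ways `pw` breaks the rule; an empty list means it passes.

    Length and character classes are checked directly. Dictionary words and names
    are searched in the lowercased password and again in its letters alone, so
    'mon34key' is still caught as containing 'monkey'.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")

    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(words):
        if len(word) >= MIN_WORD and (word in lowered or word in letters_only):
            problems.append(f"contains word or name '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ["A*t34eO4>u", "monkey", "mon34key", "stink56Duck", "MOnkey3"]:
        verdict = password_problems(candidate) or ["ok"]
        print(f"{candidate:12s} {'; '.join(verdict)}")
```

Run as a script it prints a verdict per candidate: the gibberish password passes, "monkey" fails on every count, and the digit-in-the-middle variants still trip the dictionary test because the letters alone spell a word. That is the caveat a reviewer of any "just add a number" advice would want on record.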
James Maguire is senior managing editor of Internet.com's IT Management channel.
Just go halfway between A*t34eO4>u and monkey:
mon34key
Just stick a number in the middle of a word. Better yet, stick a number in between two words that don't go together:
stink56Duck
Much easier to remember than A*t34eO4>u, and more secure than monkey.
Exactly. It's very easy to bring a password up to par. Not so easy to remember it. Corporate environments try to get around this by mandating changes every so often, but ultimately people's memories get in the way and once again you select one of any number of easy-to-remember words or phrases.
It's also worth noting that in a survey done in Waterloo station (UK), most people would hand over any corporate security credentials needed to login for a chocolate bar.
We need something better, more secure but more human friendly than simply making strings of gibberish.
Just pick a word or short phrase, make some character uppercase and add a number at the end:
MOnkey3
I used to help admin a dating website, and password analysis on our database was one of the more interesting aspects. 123456 was the most common password by far, but anybody who used it got their account singled out for further analysis... because it was so simple, there was about an 80% chance that the user was either spamming or trying to advertise 'personal services'. People setting up dozens of accounts a day don't have time for secure passwords.
I doubt it'd skew the statistics dramatically in this case, but I'd bet a decent chunk of the 32 million accounts are fakes.
strings -8 /dev/urandom
and pick a 7-bit clean password. Job done.
It was funny when I was new working for an administration office in travel. They had 2 serious flaws of this nature.
1) Because accounts had not been created for the new starters, they were told to use their manager's details (which had admin privileges on a Windows network).
But if that's not foolish enough, the network team was smart enough to make it so that every month users had to change their passwords.
2) The manager used the month for the password.
January = password01
Feb = password02
March = password03
etc.
Most children put their name or the password of the place. I think it's silly.
What's with the traditional passwords "god", "love", "sex" and "secret" (Hackers--1985)?
Rather nice place you've got here. Thanks to the author for it. I like such topics and everything that is connected to them. I would like to read a bit more soon.
Best wishes