
The ten worst passwords on the web, and why you really should read this article


You’re not fooling anyone with that “123456” password of yours. “Password” isn’t much better, and, sorry ladies, “princess” is no good either. These are among the findings of a report released by Imperva, a data security firm that analyzed the 32 million passwords recently exposed in the Rockyou.com breach. Imperva not only identified the most common, and therefore most easily guessed, passwords, but also suggested some methods for choosing stronger ones.

Rockyou.com is a website where users can develop apps for social networking sites. Last December, an attacker gained access to all of Rockyou’s members’ usernames, email addresses and passwords, which had been stored in plaintext (neither encrypted nor hashed), and posted the passwords to the Internet. Because many people reuse the same username and password across their online accounts, including banking, the results could have been disastrous. Fortunately, the perpetrator seemed mainly interested in exposing Rockyou’s inadequate security, and did not post the usernames or email addresses.

Imperva analyzed the leaked data and compiled its findings in the Consumer Password Worst Practices report. Of the 32 million passwords involved, the ten most common were:

  • 123456
  • 12345
  • 123456789
  • Password
  • iloveyou
  • princess
  • rockyou
  • 1234567
  • 12345678
  • abc123

Almost half of the members used names, slang, dictionary words, or trivial patterns such as consecutive digits or adjacent keys on the keyboard.

So what sort of password SHOULD people be using?

Imperva made the following recommendations:

  • It should contain at least eight characters (30% of users had passwords of six characters or fewer)
  • It should mix all four types of characters: upper case, lower case, numbers and symbols
  • It should not be a name or a dictionary word, and should not contain any part of your name or email address

The report also recommends using a different password for every website, not sharing passwords with third parties, and building a password from the first letters of each word in a sentence: “this little piggy went to market”, for instance, becomes “tlpWENT2m”.

“The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism,” said Imperva CTO Amichai Shulman. “Never before has there been such a high volume of real-world passwords to examine.”
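To make these rules concrete, here is an added example, written for this page rather than taken from Imperva’s report, that checks a candidate password against the recommendations above and the trivial patterns the report describes: the ten common passwords listed here, runs of consecutive characters, adjacent keyboard keys, dictionary words with the usual digit-for-letter substitutions undone, and fragments of the user’s name or email address. The word list, keyboard rows and substitution table are small constructed stand-ins for real ones.

```python
"""Added example for this page: score a password against the Imperva
recommendations quoted above and the 'trivial password' patterns the
report describes. Not Imperva's tooling; DICTIONARY, KEYBOARD_ROWS and
UNLEET are small constructed stand-ins for real lists."""
import re
import string

# The ten most common RockYou passwords, exactly as listed in the article.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Constructed mini word list; a real check would use a full dictionary
# and, better still, a list of passwords seen in breaches like this one.
DICTIONARY = {"duck", "help", "wall", "market", "piggy", "dinosaur", "seven"}

# Keyboard rows, for catching 'adjacent keys' passwords such as qwerty.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Undo common digit/symbol-for-letter substitutions so that
# 'd1n0saur' is recognised as the dictionary word 'dinosaur'.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def acronym(sentence):
    """First letter of each word: the raw form of the report's mnemonic."""
    return "".join(w[0] for w in sentence.split())


def char_classes(pw):
    """How many of the four classes (upper, lower, digit, symbol) appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def is_sequence(pw, run=4):
    """True if pw holds `run` characters that each step up or down by one
    (1234, abcd, dcba); this catches the 'consecutive digits' pattern."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def is_keyboard_walk(pw, run=4):
    """True if `run` adjacent keys from one row appear, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in low or piece[::-1] in low:
                return True
    return False


def check_password(pw, name="", email=""):
    """Return the list of rules the password breaks (empty means it passes)."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if char_classes(pw) < 4:
        problems.append("fewer than four character classes")
    if low in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    if is_sequence(pw):
        problems.append("consecutive characters")
    if is_keyboard_walk(pw):
        problems.append("adjacent keyboard keys")
    if re.sub(r"[^a-z]", "", low.translate(UNLEET)) in DICTIONARY:
        problems.append("dictionary word (after undoing substitutions)")
    # Pieces of the user's name or email address must not appear either.
    pieces = re.split(r"[\s.@_\-]+", f"{name} {email}".lower())
    for part in sorted(set(pieces)):
        if len(part) >= 3 and part in low:
            problems.append(f"contains '{part}' from name or email")
    return problems


if __name__ == "__main__":
    for pw in ["123456", "DuckHelpWall", "d1n0saur", "tlpWENT2m", "tlpWENT2m!"]:
        print(f"{pw:14} {check_password(pw) or 'ok'}")
```

Run as written, the script reports that “tlpWENT2m” fails only the four-class rule: the report’s own example contains no symbol, so it mixes three classes, not four. Note also which check does the real work here. Composition rules are easy to satisfy with a guessable password, whereas the check against a list of passwords already seen in breaches (the RockYou list itself is exactly what a cracker tries first) rejects the passwords that are actually attacked.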

21 comments
bramachari
My system for making an excellent and unforgettable password. They say you shouldn't write down your password, but you can write down a clue to your password. I have a list of password clues in my wallet that no one could crack. Here's my system to make a new password with an easy clue I can keep written down. In light of recent events, I think Jay Leno is an asshole. My new password is: assholeleno2010. My clue is "Tonight Show" because that's all I need to remind me of the password. I might have the clue "capita" for the password "fellatio." Get it? It works.
agilecr
A long random combination of letters and numbers, mixed case, and other characters such as punctuation makes a very strong password. A random sequence of words found in the dictionary can often be cracked fairly quickly. To remember my random passwords, I use a free encryption service, www.nolost.info.
Gadgeteer
At work, each PC on the network has a password assigned by the boss, usually a simple word associated with products or company history. If you know anything about the company, you can probably guess at least some of the passwords. But we're not allowed to change the passwords. How's that for security? I have over 30 email accounts, 5 FTP accounts and untold forum and e-tailer accounts. None of them have the same password and none of my passwords are real words, thus not vulnerable to dictionary attacks. They may be only "moderately" strong by Imperva standards, but I still doubt anyone will guess them.
nehopsa
I wish I had a better system for generating passwords. After a time you do not have a clue what the password for a particular group/newspaper/forum was... or, better still, that you already registered. I know... indecent exposure on my part here, but hey, if you registered once in a lifetime for a particular obscure article that you could not finish reading unless you became a "free subscriber" to an even more obscure blog/periodical... this is the issue in my view. I am really annoyed that I need to register only to finish reading a thing, and similar. Mnemonics (suggested above) are tricky and you can confuse them more than easily if "Tonight Show" happened some eight months ago. I better not expand on what wild associations I can have with the latter one. Good password I have. Perhaps too strong an expression, but not as strong as a password though...
Giuseppe Picciuca
A friend of mine has to thank this kind of behaviour 'cause he could "steal" the internet connection of a neighbour. In this case the password was the name of the girlfriend.
Ammar Yameen
That reminds me of Twitter's password, when one employee used the same password for her Gmail. Thanks
CeridianMN
I read about a method that sounded pretty good once, but haven't tried it as of yet. You memorize a short string, such as "f9$" or something. You then memorize a number, like "3". From then on, for all the passwords you need, you write down a string for them and keep it findable, or make them something you can associate with the location very easily. An example might be "coolstuff" for thinkgeek or "technews" for Gizmag. Also a complex written string, such as "Odw0^l!1d", written on a post-it note taped to the monitor for your login. The final step is that the real password either inserts or replaces the written/super easy string with the one memorized, starting at the location number memorized. So "coolstuff" becomes either "cof9$tuff" or "cof9$olstuff" depending on your method and allotted space. With this method you could have a notebook filled with passwords that didn't work, without your "private key."
Michael Mantion
Just put 2 or 3 words together and cap the first letter: DuckHelpWall. Very hard to crack. Obviously numbers and symbols help, but still. Obviously you can make all "o" 0 and "e" 3, and instead of "i" use "!". If your passwords are so complex that you need to write them down, then you screwed up.
dsloan48
easy way . . use a keyscrambler
RpD
@CeridianMN I have posted my own formula a couple times... similar to what you describe. Pick a favorite, but personal, 'key' and combine it with something obvious at each site you visit... the passwords will be all different/unique, and somewhat rememberable for each site.

For example... Make up your own short 'key' (onetime), something meaningful to you that you can remember... composed of caps, lowercase, number and special character if you want... maybe initials or first letters of your favorite phrase, with a favorite number... and, well, pick a favorite 'special character', like ! or @ or &, etc... (onetime). Then you'll have a personal key, for example: JSxxx4! ...then, for every site you need a password, pick the most obvious thing that springs to mind, like 'ford' for Ford.com, or 'chevy' for Chevrolet.com, and... combine them at those websites for a password there. Such as... JSxxx4!ford at ford.com, and JSxxx4!chevy at chevrolet.com... that way you have a key you can remember and a different password for every website, that you should be able to guess, and not have to write down. Just don't always use the site name to combine with... words that spring to mind are good. For CNN.com... JSxxx4!news. For DowJonesNews.com... JSxxx4!djn. Etc. Just never give out, or write down, your key... remember it only, it's only one 'word'.

By the way, if your password is simply any word in the dictionary, or even any 'mangled' word like d1n0saur, or se7en... it's EASILY crackable with software designed for that purpose. Don't use 'readable' mangled words... the crackers have programmed lists of those... or ways to generate them. Computers do character substitutions -really- fast.

One caveat to my formula is that some websites only allow alphanumeric passwords, just letters and numbers. Some demand special characters, etc. So you'll occasionally need to be ready with some alternative to your 'key'... like dropping the ! from JSxxx4! to get just JSxxx for those sites that want only letters and numbers. JSxxx(websiteword) You can still use one of the encrypting password programs to store a list of them too... and there's usually a "Forgot password" link on most websites, anyway.

What can be harder... is remembering your username! Sometimes it's email address, sometimes not... and sometimes someone else already has your choice for username. So the smart websites will send your username along with password, when you click "Forgot password"... or they -may- have a "Forgot username" link as well.
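RpD’s point above, that mangled dictionary words such as d1n0saur are trivial for cracking software to generate, can be shown directly. The following is an added example, not code from the article or from any commenter, that enumerates every spelling a small substitution table produces and then searches for a target the way a rule-based cracker would. The substitution table is a constructed assumption; real rule sets are far larger.

```python
"""Added example for this page: enumerate the 'mangled' spellings of a
dictionary word the way a password-cracking rule set does. Not code from
the article or its commenters; SUBS is a small constructed table."""
from itertools import product

# Letter -> itself plus its usual stand-ins. 'v' -> '7' is included only
# because the 'se7en' spelling comes up in the thread above.
SUBS = {
    "a": "a4@", "e": "e3", "i": "i1!", "o": "o0",
    "s": "s5$", "t": "t7", "v": "v7",
}


def substitutions(word):
    """Every spelling of word with zero or more letters swapped for a stand-in."""
    choices = [SUBS.get(c, c) for c in word.lower()]
    return {"".join(combo) for combo in product(*choices)}


def candidates(word):
    """Substitution variants combined with the three usual case forms."""
    out = set()
    for v in substitutions(word):
        out.update((v, v.capitalize(), v.upper()))
    return out


def find_base(target, wordlist):
    """Attacker's view: try each word's candidates in turn until one matches.
    Returns (base_word, guesses_tried), or (None, guesses_tried) on a miss."""
    tried = 0
    for word in wordlist:
        for guess in sorted(candidates(word)):
            tried += 1
            if guess == target:
                return word, tried
    return None, tried


if __name__ == "__main__":
    for word in ["dinosaur", "seven", "market"]:
        print(f"{word}: {len(candidates(word))} candidate spellings")
    print(find_base("D1n0saur", ["market", "seven", "dinosaur"]))
```

For “dinosaur” this table yields 54 substituted spellings, or 162 once capitalised and upper-case forms are added, so the whole family is covered in a couple of hundred guesses per word. That is why digit-for-letter substitutions add almost nothing to a password that is still a single word underneath.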