Saturday, January 30, 2010

Is Your Password among the 20 Most Popular (and Hackable)?

Having spoken with many security experts over the years, I've been amazed by tales of security carelessness. One common practice among the cubicle class: writing their password on little sticky notes pasted to their monitor. 

But that's downright encrypted compared with the passwords people create. Researchers from Imperva analyzed 32 million hacked passwords from the recent breach at They found the most common password is -- drum roll, please -- "123456".  

Wow, seriously? That's as original as you can get? Just type the first six numbers in succession? 

But guess what? Even that shows more effort than the No. 2 most popular password: "12345". I guess adding the "6" was too much effort. 

At No. 3 were a group of users who were far more industrious, if no less careful: "123456789". 

For your reading amusement, here are the rest of the Top 20 Most Popular Passwords -- not a popularity list you want to be on: 

4) Password
5) iloveyou [I appreciate these folks. They clearly believe in the power of love. But I'm worried about their family savings accounts.] 
6) princess
7) rockyou
8) 1234567
9) 12345679
10) abc123
11) Nicole
12) Daniel
13) babygirl
14) monkey [My personal favorite highly hackable password. I mean, really, monkey?] 
15) Jessica
16) Lovely
17) michael
18) Ashley
19) 654321 [Tricky, huh? It's the numbers...backwards! No one will ever figure that out!] 
20) Qwerty

Two factors are heading toward each other, like freight trains charging toward an explosive crash: 1) The password cracking software used by hackers is getting ever more sophisticated, and 2) Users keep creating weak passwords, year after year. The Impreva findings cited two studies ten years apart that showed no improvement in passwords.

This mix of automated software and poor passwords means that "In just 110 attempts, a hacker will typically gain access to one new account in every second or a mere 17 minutes to break into 1,000 accounts," Impreva states. A sobering thought. 

In fairness, it's a hassle to create a truly strong password. It should be at least 7 characters long, contain no complete dictionary words (or your name or pet name) and contain a mix of upper and lowercase, numerals and  symbols. For instance: 


But who can remember that? I'd rather just use "monkey".

No comments:

Post a Comment