When RockYou.com’s servers were breached last month, 32 million passwords were stolen and posted on the Internet. RockYou committed a grave error by storing them in clear text. Passwords should never be stored in a form the site itself can read back; they belong in a salted, deliberately slow hash, so that a stolen database does not hand the attacker every account in one go (and “encrypting” them with a key the site also holds is only marginally better, since the key tends to leak along with the database). Security researchers at Imperva analyzed the leaked list and reported that the most popular password is “123456”, followed by, you guessed it, “12345”, “123456789”, and “password”. Here are some other findings from the study:
In just 110 attempts a hacker will typically gain access to one new account: roughly one account every second, or a mere 17 minutes to break into 1,000 accounts.
About 30% of users chose passwords of six characters or fewer.
Almost 60% of users chose their passwords from a limited set of alphanumeric characters.
Nearly 50% of users used names, slang words, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
What does this mean? First and foremost, people need to be a lot smarter about choosing passwords. Hackers have software that can run through every short, all-digit password in seconds, which is why you should NEVER, and I mean NEVER, have a password made up of consecutive numbers. Passwords like “password” are just as unsafe, because they are the first thing any guessing tool tries. When wireless networking first became popular, most people unknowingly left their networks wide open to hackers because they kept the default username and password that came with their routers. The username is usually “admin” or the brand of the router, and the password “password” or “admin”. It’s extremely important to change these credentials when setting up a new router and to enable WPA2 (or at least WPA) encryption; WEP is broken and can be cracked in minutes, so it offers little real protection.
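To make the two points above concrete (clear-text storage in the opening paragraph, and how fast all-digit passwords fall), here is an added example; it is not code from the original article, from RockYou, or from Imperva. The usernames and passwords are constructed, the unsalted-MD5 table stands in for the “we encrypt our passwords” scheme many sites used, and the PBKDF2 record format is an illustrative assumption, not any particular site’s scheme.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed sample of a leaked credential table stored in the clear (not real RockYou data).
LEAKED_CLEARTEXT = {"alice": "123456", "bob": "12345", "carol": "password", "dave": "123456"}


def unsalted_md5_table(cleartext):
    """Store each password as a bare MD5 digest, the 'we encrypt passwords' scheme of many sites.

    Without a salt, two users with the same password get the same digest, so shared passwords
    are visible before any cracking starts, and one guess can be checked against every row.
    """
    return {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in cleartext.items()}


def crack_numeric(hash_table, max_len=6):
    """Recover every all-digit password of up to max_len digits from an unsalted MD5 table.

    For the default max_len=6 this enumerates 1,111,110 candidates, hashing each once and
    looking the digest up against all users at the same time; that is why short numeric
    passwords fall in seconds on an ordinary machine.
    """
    by_digest = {}
    for user, digest in hash_table.items():
        by_digest.setdefault(digest, []).append(user)
    recovered = {}
    for length in range(1, max_len + 1):
        for digits in itertools.product(string.digits, repeat=length):
            guess = "".join(digits)
            digest = hashlib.md5(guess.encode()).hexdigest()
            for user in by_digest.get(digest, ()):
                recovered[user] = guess
    return recovered


def hash_password(password, iterations=100_000):
    """Store a password as salted PBKDF2-HMAC-SHA256 (assumed format: algo$iterations$salt$hash, hex).

    The random salt gives every user a distinct record even for identical passwords, so the
    attacker must attack each row separately, and the iteration count makes each guess on the
    order of 100,000 times more work than a bare MD5.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])


def verify_password(password, stored):
    """Check a login attempt against a stored PBKDF2 record, comparing in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    table = unsalted_md5_table(LEAKED_CLEARTEXT)
    print("unsalted MD5, numeric brute force recovers:", crack_numeric(table))
    print("alice and dave visibly share a password:", table["alice"] == table["dave"])
    a, d = hash_password("123456"), hash_password("123456")
    print("salted PBKDF2 records differ for the same password:", a != d)
    print("login checks (right, wrong):", verify_password("123456", a), verify_password("12345", a))
```

Note that the brute force never touches carol’s “password”; a dictionary pass would pick that up just as quickly, which is the point of the Imperva list. Hashing slowly does not excuse users from choosing good passwords, it only buys the site time to force a reset after a breach.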
Never use an easily guessable password such as “qwerty” or your own name. Length matters more than anything else: treat 7 characters as a bare minimum and prefer something longer that mixes letters, numbers, and symbols. Most importantly, never use the same password on every site you’re on, because if a hacker gets it from one breached site, as happened at RockYou, he can try it everywhere else you used it and get everything. Vary your passwords.
How can users’ safety be further ensured? For starters, RockYou.com and any other site guilty of the same practice can stop users from choosing weak passwords in the first place. Twitter maintains a blacklist of passwords it won’t allow, including “12345”, “qwerty”, and “password”, and every site should be doing the same, along with enforcing a minimum length and rejecting the obvious patterns the study found, such as consecutive digits and runs of adjacent keys.
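Here is what such a check might look like, as an added example that is not code from the original article or from Twitter’s or RockYou’s systems. The deny list and the small dictionary are constructed stand-ins (Twitter’s real list is far longer), the eight-character minimum and the four-character run threshold are assumed policy values, and the keyboard rows are the US layout. It goes slightly beyond the blacklist in the text by also catching the other weak-password categories from the Imperva findings.

```python
import re

# Constructed deny list in the spirit of Twitter's banned passwords (a small subset, not the real list).
DENY_LIST = {
    "123456", "12345", "123456789", "password", "qwerty", "abc123",
    "iloveyou", "letmein", "rockyou", "princess", "monkey", "111111",
}

# Constructed mini dictionary standing in for a real wordlist.
COMMON_WORDS = {
    "password", "monkey", "dragon", "princess", "football", "baseball",
    "sunshine", "iloveyou", "rockyou", "letmein", "welcome", "master",
}

# Rows of a US keyboard; a run taken from one of these (forwards or backwards) is 'adjacent keys'.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 8  # assumed policy value
MIN_RUN = 4     # shortest run of consecutive or adjacent characters that counts as a pattern


def has_sequence(pw, min_run=MIN_RUN):
    """True if pw contains min_run characters that step by +1 or -1 in code point (1234, dcba)."""
    for i in range(len(pw) - min_run + 1):
        window = pw[i:i + min_run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_run(pw, min_run=MIN_RUN):
    """True if pw contains min_run adjacent keys from one keyboard row, in either direction."""
    lowered = pw.lower()
    for row in KEYBOARD_ROWS:
        for candidate in (row, row[::-1]):
            for i in range(len(lowered) - min_run + 1):
                if lowered[i:i + min_run] in candidate:
                    return True
    return False


def character_classes(pw):
    """Count how many of the classes lower, upper, digit, other appear in pw."""
    tests = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    return sum(1 for test in tests if any(test(c) for c in pw))


def check_password(pw, username=""):
    """Return the list of policy violations for pw; an empty list means the password is accepted."""
    reasons = []
    lowered = pw.lower()
    if lowered in DENY_LIST:
        reasons.append("on the deny list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < 2:
        reasons.append("uses a single class of characters")
    if has_sequence(pw):
        reasons.append("contains consecutive characters")
    if has_keyboard_run(pw):
        reasons.append("contains adjacent keyboard keys")
    # 'password1!' is still the dictionary word 'password' once the decoration is stripped.
    if re.sub(r"[^a-z]", "", lowered) in COMMON_WORDS:
        reasons.append("based on a dictionary word")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    for candidate, user in [("123456", ""), ("password1!", ""), ("qwerty123", ""),
                            ("jsmith2010", "jsmith"), ("Tr0ub4dor&3", "")]:
        verdict = check_password(candidate, user)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The check is cheap enough to run on every signup and password change, and returning every reason rather than the first one lets the site tell the user exactly what to fix instead of making them guess.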
Hackers and spammers are getting more and more sophisticated, so our passwords and other protections need to keep pace.