If you are using “123456” as your password it is past time to stop. Same if you are using the always popular “Password” to protect your account. Those easy-to-hack passwords were the top and fourth most-popular from among 32 million hacked from RockYou.com, a new study finds.
Imperva studied the breached passwords and has published an interesting study that talks about them. While “Consumer Password Worst Practices” isn’t about us supposedly savvy business users, as an occasional system administrator I’ve run into both 123456 and Password on many occasions.
Here are the top passwords Imperva found among those compromised in the attack (they were posted online, without identifying details, for the world to see–and analyze):
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
If any of those look too familiar, please stop reading this story and change your password now. All these passwords are easy to crack using simple brute-force automated methods. And with the list now published, they are likely to move to the top of everyone’s list of those to try first when attempting to crack an account manually.
“To quantify the issue, the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account on every second or a mere 17 minutes to break into 1000 accounts,” Imperva said in its report.
Among its key findings:
- About 30 percent of users chose passwords whose length is equal to or below six characters.
- Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
If it makes you feel any better, a similar study of hacked Hotmail passwords from 20 years ago found much the same thing.
Imperva provides a list of password best practices, created by NASA to help its users protect their rocket science. They include:
- It should contain at least eight characters
- It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;". If there is only one letter or special character, it should not be either the first or last character in the password.
- It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.
Following that advice, of course, means you’ll create a password that will be impossible to remember, unless you try a trick credited to security guru Bruce Schneier: Turn a sentence into a password.
For example, “Now I lay me down to sleep” might become nilmDOWN2s, a 10-character password that won’t be found in any dictionary.
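As an added illustration (not code from the article, Imperva or NASA), here is a small Python checker that applies the NASA rules above to a candidate password; the demo word list, the keyboard sequences and the way it tokenizes a name or e-mail address are assumptions made for this example. Run against the page's own values it flags the top-10 entries, and it shows that the sentence-derived nilmDOWN2s clears the length and dictionary rules but lacks the special character NASA asks for.

```python
# Constructed demo word list; a real check would load a full dictionary or leaked-password list.
COMMON_WORDS = {"password", "iloveyou", "princess", "rockyou", "abc123", "qwerty",
                "welcome", "letmein", "monkey", "dragon", "sleep", "love"}
SPECIALS = set('!@#$%^&*,;"')
# Runs of consecutive digits, alphabet letters or adjacent keyboard keys (either direction).
SEQUENCES = ["0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_trivial(pw: str) -> bool:
    """True if the whole password is a common word or a keyboard/digit sequence."""
    s = pw.lower()
    if s in COMMON_WORDS:
        return True
    return any(len(s) >= 4 and (s in seq or s in seq[::-1]) for seq in SEQUENCES)


def check_password(pw: str, name: str = "", email: str = "") -> list[str]:
    """Return the NASA rules the password violates; an empty list means it passes."""
    failures = []
    # Rule 1: at least eight characters.
    if len(pw) < 8:
        failures.append("length<8")
    # Rule 2: all four character types present.
    letters = [c for c in pw if c.isalpha()]
    specials = [c for c in pw if c in SPECIALS]
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    if not (has_upper and has_lower and has_digit and specials):
        failures.append("missing-character-type")
    # Rule 2, second clause: a lone letter or lone special must not sit at either end.
    for group in (letters, specials):
        if len(group) == 1 and (pw[0] in group or pw[-1] in group):
            failures.append("lone-letter-or-special-at-edge")
    # Rule 3: not a name, slang or dictionary word, nor a trivial sequence.
    if is_trivial(pw):
        failures.append("dictionary-or-trivial")
    # Rule 3, second clause: no part (3+ chars) of the user's name or e-mail local part.
    local_part = email.split("@")[0].replace(".", " ").replace("_", " ")
    tokens = name.split() + local_part.split()
    if any(len(t) >= 3 and t.lower() in pw.lower() for t in tokens):
        failures.append("contains-name-or-email")
    return failures
```

Moving the special character inward (nilm!DOWN2s rather than nilmDOWN2s!) is what turns the sentence trick into a policy-compliant password.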
Can’t remember that password? Schneier says it’s OK to write it down and put it in your wallet, or better yet keep a hint in your wallet. Just don’t also include a list of the sites and services that password works with. Try to use a different password on every service, but if you can’t do that, at least develop a set of passwords that you use at different sites.
Someday, we will use authentication schemes, perhaps biometrics, that don’t require so much jumping through hoops to protect our data. But, in the meantime, passwords are all most of us have, so they ought to be strong enough to do the job.
And don’t even try 654321 or Qwerty (19th and 20th on Imperva’s list), OK?
(Here’s a story we did in early 2009 on how to protect your passwords and another with tips on creating strong passwords).
David Coursey has been writing about technology products and companies for more than 25 years. He tweets as @techinciter and may be contacted via his Web site.