The folks at Imperva have released a report examining the 32 million passwords that were exposed in a breach of the RockYou website last year.
What they discovered (and it matches the findings of other studies conducted in the past) is that human beings are very bad at choosing hard-to-guess passwords.
Here are the top 20 passwords that RockYou users had chosen:
Let me say this loud and clear: choosing an easy-to-guess password is reckless. Thinking that no-one else will have thought of a password like “123456” is insane. Choosing a dictionary word like “Password” to protect your account is about as good an idea as using blancmange to build a brick wall.
It’s important not to choose common passwords like “iloveyou” or “Qwerty”, because hackers can easily check these first. For instance, the infamous Conficker worm uses a built-in list of 200 common passwords to try to gain access to computers.
And, man oh man, how bonkers is it to use a password like “rockyou” – the name of the website you are logging into!?? What’s the betting that those users also use “ebay” as their eBay password, “hotmail” as their Hotmail password and “bank” as their banking password?
So, make 2010 the year when you finally choose sensible passwords. That means passwords that aren’t dictionary words, predictable sequences of numbers, or rows of keys on your keyboard. And ensure that you aren’t using the same password on every website you use (our research shows that 33% of people do precisely that – meaning that if you get hacked in one place, every website account you own is potentially open to the hackers).
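The advice above (no common passwords, no dictionary words, no numeric sequences or keyboard rows, and never the site’s own name) can be turned into a server-side check at signup. The following is an added example, not Imperva’s or RockYou’s code; the blocklist and dictionary are tiny constructed samples standing in for the full RockYou top-N and a real word list.

```python
# Constructed sample blocklist: the common choices named in the post.
# A real deployment loads a much larger list (e.g. the RockYou top-N) from a file.
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "qwerty", "rockyou",
                    "abc123", "princess", "12345678", "123456789"}
# Keyboard rows, used to catch "rows of keys" passwords such as qwerty / asdfgh.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed stand-in for a dictionary; swap in a real word list in practice.
DICTIONARY = {"password", "princess", "monkey", "sunshine", "football", "dragon"}


def _is_sequence(pw):
    """True if every adjacent pair steps by the same +1 or -1 (123456, 654321, abcdef)."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def _is_keyboard_run(pw):
    """True if the whole password is a run of adjacent keys on one row, forwards or backwards."""
    if len(pw) < 4:
        return False
    return any(pw in row or pw in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw, site_name):
    """Return the reasons a password is rejected; an empty list means it passed every check."""
    low = pw.lower()
    reasons = []
    if low in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    if low in DICTIONARY:
        reasons.append("is a dictionary word")
    if _is_sequence(low):
        reasons.append("is a predictable character sequence")
    if _is_keyboard_run(low):
        reasons.append("is a row of keys on the keyboard")
    # Guard against an empty site name, which would otherwise match every password.
    if site_name and site_name.lower() in low:
        reasons.append("contains the site name")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "Qwerty", "rockyou2009", "monkey", "Tr0ub4dor&3!"]:
        print(candidate, "->", check_password(candidate, "rockyou") or "ok")
```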
It’s easy to understand why computer users pick dictionary words as they’re much easier to remember, but as I explain in this video there are ways to make a complicated password really simple to remember:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
* Image source: canonsnapper’s Flickr photostream (Creative Commons)