Password popularity list reveals weakest links

Use the computer system log-on password ‘123456’, and you are most likely to be caught with your pants down by cyber-criminals, a report has revealed.

123456 is now the most popular password, according to a study by security firm Imperva of user log-on details swiped in last month’s data breach.

The data security specialist analysed the 32m passwords exposed when a social networking applications website was hit by an SQL injection flaw in its database on 12-13 December (2009). Imperva’s Application Defense Center (ADC) has revealed the passwords’ recurrence characteristics in a report – ‘Consumer Password Worst Practices’ – published to advise consumers and website administrators on the passwords they should avoid/reject when using social networking or e-commerce sites.

The top ten password no-nos are:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. Iloveyou
  6. Princess
  7. Rockyou
  8. 1234567
  9. 12345678
  10. abc123

“This data provides a rare glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism,” reckons Imperva CTO Amichai Shulman. “Never before has there been such a high volume of real-world passwords to examine.”

For enterprises, password insecurity can have serious knock-on consequences, adds Shulman: “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’.”

The study’s key findings suggest that:

  • Nearly 50 per cent of users used names, slang words, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, and so on) – one of the reasons why ‘123456’ is the most common password.
  • Recommendations are needed for users and administrators on choosing strong passwords.
  • The shortness and simplicity of passwords mean many users select credentials that will make them susceptible to basic forms of cyber attacks - known as ‘brute force attacks’.
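
A sign-up screening check of the kind a website administrator could use to reject the passwords described above, as an added example that is not part of the original article or of Imperva’s report. The function names, the US QWERTY rows and the four-character run threshold are assumptions; name and dictionary-word checks are not covered.

```python
# Added example: screen candidate passwords against the article's top-ten list
# and the "trivial" patterns it names (consecutive digits, adjacent keys).

# Top ten from the article, lower-cased for case-insensitive comparison.
TOP_TEN = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

DIGITS = ("0123456789",)
# Assumption: US QWERTY rows; a walk along any row counts as "adjacent keys".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_RUN = 4  # Assumption: a run of 4 or more characters is treated as trivial.


def longest_run(password, sequences):
    """Length of the longest stretch of the password that steps forwards or
    backwards, one character at a time, along one of the given sequences."""
    pw = password.lower()
    best = 1 if pw else 0
    for seq in sequences:
        for direction in (seq, seq[::-1]):
            run = 1
            for prev, cur in zip(pw, pw[1:]):
                i = direction.find(prev)
                if i != -1 and i + 1 < len(direction) and direction[i + 1] == cur:
                    run += 1
                    best = max(best, run)
                else:
                    run = 1  # the walk is broken; start counting again
    return best


def rejection_reason(password):
    """Return why the password should be rejected, or None if it passes."""
    if password.lower() in TOP_TEN:
        return "top-ten list"
    if longest_run(password, DIGITS) >= MIN_RUN:
        return "consecutive digits"
    if longest_run(password, KEYBOARD_ROWS) >= MIN_RUN:
        return "adjacent keyboard keys"
    return None
```
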
