After analyzing the data, researchers at Imperva Application Defense Center determined that 290,731 individuals used '123456' as their password. The second most common password, used by 79,078 individuals, was '12345,' and the third most popular password, used by more than 76,790 individuals, was '123456789.'
“It was surprising,” Amichai Shulman, CTO at Imperva, told SCMagazineUS.com on Friday. “We expected to see weak passwords, but we did not expect the magnitude of this.”
The passwords were obtained in December by a hacker with the alias 'igigi,' who was able to break into the database of RockYou, a provider of applications and services for social networking sites, through an SQL injection vulnerability. The hacker obtained the RockYou credentials of all users, totaling more than 32.6 million, then posted them online with no other identifiable information.
“Never before has there been such a high volume of real-world passwords to examine,” according to Imperva's report, which details the password analysis, released Thursday.
The hacker was able to steal the information because users' email addresses and passwords were stored in clear text: they had not been hashed or otherwise rendered unreadable, so anyone who could dump the database could read every password directly.
Imperva's analysis revealed that the fourth most popular password was 'password,' which was used by 61,958 individuals. Coming in fifth was the phrase 'iloveyou,' used by 51,622 individuals.
The sixth most commonly used password was 'princess,' followed by 'rockyou,' '1234567,' '12345678,' and 'abc123.' The top 11 through 20 common passwords were: 'Nicole,' 'Daniel,' 'babygirl,' 'monkey,' 'Jessica,' 'Lovely,' 'michael,' 'Ashley,' '654321' and 'Qwerty.'
Nearly half of all users selected names, slang words, dictionary words or consecutive digits for their password, according to Imperva's report. In addition, 30 percent of users selected a password that was six characters or fewer.
“It shows that if you let users choose the password at their convenience, they are not going to choose well,” Shulman said.
The short, simple passwords that many users chose make them susceptible to brute-force password attacks, the report states. “What we see from the RockYou analysis is that I could take a very small set of dictionary words and then try them across all users and still compromise a lot of accounts,” Shulman said. “If I take one password – '123456' – and run it across a whole user population, I end up with nearly 300,000 accounts compromised.”
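The attack Shulman describes is a password spray: rather than trying many passwords against one account, the attacker tries a handful of the most common passwords against every account. The script below is an added example, not Imperva's tooling or anything from the RockYou dump; it runs the same frequency analysis over a small constructed credential list (made-up accounts in an "email:password" layout) and then measures how many accounts a top-N spray list would compromise.

```python
from collections import Counter

# Constructed sample in the "email:password" layout; these are made-up
# accounts, not lines from the RockYou dump.
LEAKED_CREDENTIALS = """\
a@example.com:123456
b@example.com:123456
c@example.com:123456
d@example.com:123456
e@example.com:123456
f@example.com:12345
g@example.com:12345
h@example.com:12345
i@example.com:password
j@example.com:password
k@example.com:iloveyou
l@example.com:iloveyou
m@example.com:monkey
n@example.com:correct horse battery staple
o@example.com:T7#qv!2Lm9@z
p@example.com:gr33n-Tr4ctor-Lane
q@example.com:XyZ!123pqr
r@example.com:sunset-over-harbor-2009
s@example.com:m0nkeyBus1ness!
t@example.com:blue.whale.songs
"""

def parse_dump(text):
    """Return a list of (email, password) pairs. Split on the first ':' only,
    because the password itself may contain ':'."""
    creds = []
    for line in text.splitlines():
        if not line.strip():
            continue
        email, _, password = line.partition(":")
        creds.append((email, password))
    return creds

def rank_passwords(creds):
    """Most common passwords first, as (password, count) tuples."""
    return Counter(pw for _, pw in creds).most_common()

def spray_coverage(creds, candidates):
    """Simulate a spray: each candidate password is tried once against every
    account. Returns the fraction of accounts that would be compromised."""
    candidate_set = set(candidates)
    hit = sum(1 for _, pw in creds if pw in candidate_set)
    return hit / len(creds)

def coverage_curve(creds, max_n):
    """Fraction of accounts compromised by spraying the top-1 .. top-max_n
    passwords ranked from the same population."""
    ranked = [pw for pw, _ in rank_passwords(creds)]
    return [(n, spray_coverage(creds, ranked[:n])) for n in range(1, max_n + 1)]

if __name__ == "__main__":
    creds = parse_dump(LEAKED_CREDENTIALS)
    for pw, n in rank_passwords(creds)[:5]:
        print(f"{n:3d}  {pw}")
    for n, frac in coverage_curve(creds, 5):
        print(f"top-{n} spray list compromises {frac:.0%} of accounts")
```

Ranking and spraying against the same population, as this toy does, flatters the attacker slightly; in practice the candidate list comes from an earlier leak. The point survives either way: a single candidate takes a quarter of this sample, and five candidates take well over half, with one login attempt per account, which most lockout policies never notice.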
Because users often choose weak passwords, enterprises should enforce a strong password policy, Shulman recommended.
“Making the users choose stronger passwords has a dramatic effect on the ability of attackers to break into accounts without prior knowledge,” he said.
In addition, enterprises should encourage longer passphrases, or sequences of words, instead of single-word passwords.
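One way to turn that recommendation into an enforced policy is to check each new password against a blocklist of known-common passwords, after undoing the trivial variations users apply to them, and to set a minimum length that a passphrase clears easily. The code below is an added illustration, not Imperva's or RockYou's; the blocklist is just the top-20 list from the report, and the 12-character minimum, the leet-substitution table and the site-name check are illustrative assumptions.

```python
import re

# Top-20 passwords from the Imperva analysis quoted above, used as a blocklist.
# Assumption: a production deployment would load a much larger leaked-password
# list; this excerpt only illustrates the mechanism.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty",
}

# Common character substitutions undone before the blocklist lookup, so that
# "P@ssw0rd" is treated as "password". Illustrative, not an exhaustive table.
LEET = str.maketrans("013457@$!", "oieastasi")

# Ascending and descending digit sequences, with wrap-around, for spotting
# "consecutive digits" passwords such as 123456 or 654321.
ASCENDING = "01234567890123456789"
DESCENDING = ASCENDING[::-1]

def _strip_edges(s):
    """Remove leading/trailing digits and punctuation ("password2009!" -> "password")."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)

def normalized_forms(pw):
    """Variants of pw that are compared against the blocklist."""
    low = pw.lower()
    stripped = _strip_edges(low)
    return {low, stripped, stripped.translate(LEET), _strip_edges(low.translate(LEET))}

def check_password(pw, min_length=12, site_name="rockyou"):
    """Return the list of policy violations; an empty list means the password
    is acceptable. The thresholds are illustrative assumptions."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw.isdigit():
        reasons.append("digits only")
    if any(run in ASCENDING or run in DESCENDING
           for run in re.findall(r"\d{4,}", pw)):
        reasons.append("contains a run of consecutive digits")
    if normalized_forms(pw) & COMMON_PASSWORDS:
        reasons.append("is a common password or a simple variant of one")
    if site_name.lower() in pw.lower():
        reasons.append("contains the site name")
    return reasons

def is_acceptable(pw, **kw):
    """True when check_password reports no violations."""
    return not check_password(pw, **kw)

if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd2009", "rockyou2010!",
                      "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate) or "OK")
```

Note what the normalization buys: 'P@ssw0rd2009' satisfies the usual "12 characters, mixed case, digit and symbol" complexity rule and is still rejected, because once the trailing year and the substitutions are undone it is the fourth entry in the report's list. A four-word passphrase passes with no complexity rule at all, which is the behaviour the passphrase recommendation is after.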