Tuesday, February 02, 2010

PC security - Top 20 most common passwords


Top 20 most common passwords of all time revealed: ‘123456,’ ‘princess,’ ‘qwerty’
By Joe McKendrick | Jan 21, 2010
http://www.smartplanet.com/business/blog/business-brains/weakest-passwords-of-all-revealed-in-recent-hacking-incident/4519/

Last summer, SmartPlanet colleague John Dodge posted details on the 500 worst passwords of all time.

Now, Imperva has released a list of the 20 most commonly used (and therefore worst) passwords, culled from a hacking incident that took place in December at RockYou.com, a photo-sharing and slideshow site. Reportedly, 32 million usernames and passwords were breached. (RockYou.com issued a statement indicating that it temporarily shut down its platform after the incident, and now employs encryption technology.)

Imperva posted a summary of the passwords, along with advice on how to create stronger passwords.

The most common passwords are as follows. Is yours among them?

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
11. Nicole
12. Daniel
13. babygirl
14. monkey
15. Jessica
16. Lovely
17. michael
18. Ashley
19. 654321
20. Qwerty
It’s notable how many people apparently use their first names as passwords. Notice also that no. 7 is simply the name of the site itself.

Imperva observes that we have made precious little progress over the past two decades in improving passwords — long considered the Achilles heel of data security:

“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks… Ironically, the problem has changed very little over the past twenty years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords. Just ten years ago, hacked Hotmail passwords showed little change. This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data.”

The greatest danger, Imperva points out, is that it wouldn’t take long for a hacker to break into a percentage of accounts using the weak passwords with a brute force attack. It’s simply a numbers game:

Citing NASA guidelines, Imperva recommends that all passwords be at least eight characters long and contain a mix of four different types of characters – upper-case letters, lower-case letters, numbers, and special characters (for example !@#$%^&*,;). If there is only one letter or special character, it should not be either the first or last character in the password.

Of course, context is important as well. For online banking, email accounts, Website administration access, and so forth, the stronger the password, the better. However, there are countless information sites — online journals, analyst firm sites, and so on, that require password access, and fumbling with a unique strong password every time you want to read a white paper is just plain annoying.

Accordingly, Imperva advises users to “choose a strong password for sites you care for the privacy of the information you store.” If you’re concerned about being able to remember the code, here’s a little memory-jogging trick: “Take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m.’”

Imperva recommends that administrators enforce a strong password policy, especially if sensitive data is on the line. Another word of advice: “Make sure passwords are not transmitted in clear text. Always use HTTPS on login.” Also, password files should be encrypted before being stored in a database.

Also worth consideration: requiring passphrases instead of passwords. “Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.”
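As an added example (not code from Imperva or SmartPlanet), the following Python checker implements the NASA-style rule quoted above (eight characters, all four character classes, no lone letter or special character at either end) together with a case-insensitive blocklist built from the RockYou top-20 list, and runs the article’s own mnemonic result and a passphrase through it. The function names and the `min_length` parameter are my own choices.

```python
import string

# Constructed from the Imperva top-20 list reproduced above (RockYou breach).
TOP_20_ROCKYOU = [
    "123456", "12345", "123456789", "Password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "Nicole", "Daniel",
    "babygirl", "monkey", "Jessica", "Lovely", "michael", "Ashley",
    "654321", "Qwerty",
]
# Compared case-insensitively: "password" and "Password" are the same guess.
BLOCKLIST = {p.lower() for p in TOP_20_ROCKYOU}
SPECIALS = set(string.punctuation)
REQUIRED_CLASSES = {"upper", "lower", "digit", "special"}


def char_classes(pw):
    """Return the set of character classes present in pw (spaces count as none)."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def check_password(pw, min_length=8):
    """Return the list of policy violations; an empty list means pw passes."""
    problems = []
    if pw.lower() in BLOCKLIST:
        problems.append("in RockYou top-20 list")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = REQUIRED_CLASSES - char_classes(pw)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    # A lone letter or lone special character must not sit at either end.
    letters = [c for c in pw if c.isalpha()]
    specials = [c for c in pw if c in SPECIALS]
    for group, name in ((letters, "letter"), (specials, "special character")):
        if len(group) == 1 and pw.index(group[0]) in (0, len(pw) - 1):
            problems.append(f"only one {name} and it is at the start or end")
    return problems


if __name__ == "__main__":
    for candidate in ("Qwerty", "tlpWENT2m", "tlpWENT2m!", "tlp!WENT2m",
                      "Th1s little piggy went 2 market, again!"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Running it shows that the article’s mnemonic example, ‘tlpWENT2m’, fails the four-class rule it is recommended alongside (it has no special character), which is why running a checker on the chosen result, as the second article advises, is worth the few seconds it takes.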

How to avoid the “500 worst passwords of all time”
By John Dodge | Jul 29, 2009
http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time/

We all have lots of Internet passwords and about half of them are not difficult to guess. Just take a look at the “500 worst passwords of all time.”

A strong password should be two things: easily recalled by its owner and difficult to guess by someone who doesn’t know it. So even non-hackers can guess a few on the worst list.

“123456” is number one, followed by, you guessed it, “password.” Some on the list are intriguing. Number 496 is “mistress,” although I don’t know if the owners lean toward kept women or men who wished they had one. Many are profane with a hint of anger and impulsiveness, suggesting people don’t want to bother with passwords. Some are plays on words like “letmein.” Number 486 is a seemingly cryptic letter string, “abgrtyu,” and still made the list.

The list comes from the book “Perfect Password: Selection, Protection, Authentication,” published in 2005. While the list would appear outdated, it still gets considerable attention because it’s unique.

One out of nine passwords used is on the list, and about 50% of passwords are “based on names of a family member, spouse, partner, or a pet,” according to the book’s teaser on Amazon. Just ask Sarah Palin, whose email was hacked last September by someone who reset her password using her zip code, birthdate and where she met her spouse. When asked where she went to high school, the hacker entered “Wasilla High” and was right. Such is the price of celebrity and people knowing a lot about you.

Passwords are a challenge. Like you, I often want quick access to a site and view the password as an obstacle deserving little attention. However, I can proudly say no password I have ever used is on the worst list.

In a recent discussion with fellow bloggers, one said he keeps passwords only in his head. He never writes them down ANYWHERE. I have far too many for that and lack the photographic mind he must have. He also avoids passwords hints such as a boyhood dog or mother’s maiden name given what happened to Palin.

Another swears by password manager Roboform which can be downloaded for $35. I may try this given good reviews and because I don’t feel secure with my current password strategy if you can call it that. I am constantly looking them up and must have about 30 of them. I also have used meebo with some success as a single logon/password to multiple instant messaging accounts. I tried something called a secure login named vidoop, but it was too good: it didn’t let me into anything.

There’s plenty of advice on how to create a good password, such as Microsoft’s six steps to creating “a strong, memorable password.” Some of the advice is obvious, but worth repeating.

– Use a mix of symbols, characters and numbers. Use spaces if allowed.

– If you can’t use symbols, double the number of characters.

– Think of a memorable sentence and take the first letter of each word and combine into a password.

– Use a password checker to test its strength.
