The password database used in the project came from a hacker attack against a San Mateo, California, developer of social media widgets. In December, a major password breach occurred at RockYou, and the hacker posted the full list of 32 million passwords to the Internet (with no other identifiable information).
Imperva listed the 20 most common passwords (see next page). The company said almost half of the passwords it studied were names, slang words, dictionary words, or what it terms “trivial passwords,” such as consecutive digits and adjacent keyboard keys. Two passwords in the top five were the word “password” and the phrase “iloveyou.”
By relying on a short and simple password, Imperva warned, users become susceptible to basic forms of cyber warfare known as “brute force attacks.”
“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: With only minimal effort, a hacker can gain access to one new account every second or 1,000 accounts every 17 minutes,” said Imperva’s CTO Amichai Shulman, in a news release. “The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism. Never before has there been such a high volume of real-world passwords to examine.”
To keep hackers at bay, the company recommends passwords that are at least eight characters long and contain four different character types—upper case letters, lower case letters, numbers, and special characters (such as !, $, etc.).
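The policy in the paragraph above (at least eight characters, all four character classes) and the "trivial password" patterns the study describes (consecutive digits, adjacent keyboard keys, words such as "password" and "iloveyou") can be turned into a simple server-side check. The following is an added example written for this page, not Imperva's or RockYou's code; the denylist and keyboard rows are constructed for illustration, and a real deployment would check against a much larger breached-password list.

```python
import string

# Policy from the article: at least 8 characters and all four classes.
MIN_LENGTH = 8
REQUIRED_CLASSES = {"upper", "lower", "digit", "special"}

# Constructed denylist: the two passwords the article names plus a few
# illustrative entries of the "trivial" kinds it describes.
COMMON_PASSWORDS = {"password", "iloveyou", "123456", "qwerty", "abc123"}

# QWERTY rows and the digit row; used to detect adjacent-key and
# consecutive-digit runs in either direction.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", string.digits]


def has_sequence(pw: str, min_run: int = 4) -> bool:
    """True if pw contains min_run adjacent keys from one keyboard row
    (or consecutive digits), ascending or descending, case-insensitively."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            for i in range(len(r) - min_run + 1):
                if r[i:i + min_run] in low:
                    return True
    return False


def character_classes(pw: str) -> set:
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def check_password(pw: str) -> list:
    """Return a list of policy violations; an empty list means pw passes.

    Note that composition rules alone are not enough: 'Qwerty123!' satisfies
    length and all four classes but is still a keyboard-walk password, which
    is why the denylist and sequence checks are applied as well.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - character_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on common-password list")
    if has_sequence(pw):
        problems.append("contains consecutive digits or adjacent keyboard keys")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the two the article names.
    for candidate in ["password", "iloveyou", "Qwerty123!", "Ab1!", "Correct-Horse9"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The check is deliberately split into independent rules so that a login service can log which rule rejected a password; seeing many rejections on the denylist rule, for instance, is a useful signal that users are still choosing the kinds of passwords the study found.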
Shulman warned: “It’s time for everyone to take password security seriously; it’s an important first step in data security.”
Top 20 Most Common Passwords
Source: Imperva study of RockYou security breach