RockYou Breach Reveals More Lazy ‘123456’ Passwords

by techtiptom

Originally posted on on 08/27/2010:


We thought we had this all sorted out some time ago. If you choose an easy-to-guess password — like, say “123456” — it puts your accounts and personal data in danger. So we were horrified a few months ago when a sampling of 10,000 hacked Hotmail, MSN, and accounts revealed that the most popular password was, in fact, “123456.” But, like most other tech blogs and magazines, we rushed to your rescue, dear reader. We offered advice for strengthening your passwords and managing a cadre of unique phrases for all of your different accounts.

Two months later, in December, RockYou, maker of obnoxious social networking apps like ‘GlitterText’, suffered a security breach that exposed the e-mails and passwords of some 32 million users. So, when it was discovered that the most popular password was, yet again, “123456,” we were less worried and more disappointed. Looking at the top 10 passwords used by RockYou users reveals that an alarming number of surfers are both careless and lazy.

Here’s the top 10, in order of popularity:
1. 123456
2. 12345
3. 123456789
4. password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
Even those who didn’t choose absurdly obvious passwords failed when it came to picking an appropriate length; almost 50-percent had fewer than eight characters. Less than 10-percent had at least 10 characters — our suggested minimum. There was also a disturbing lack of variety among the exposed data. The most popular 5,000 passwords accounted for 20-percent of the list. That doesn’t seem too bad — till you realize that means almost 6.5 million users were drawing from the same comparatively small well of 5,000 passwords.

Amichai Shulman, CTO of security software company Imperva, told the New York Times, “I guess it’s just a genetic flaw in humans,” referring to people’s seeming unwillingness to properly protect their accounts. We won’t waste any more time instructing you on what to do. We’ve covered that ground before.