
Rockyou.com is a website where users can develop apps to use on social networking sites. Last December, a hacker gained access to all of Rockyou’s members’ usernames, email addresses and passwords (which had been stored in plain, unencrypted text) and posted the passwords to the Internet.
Given that many people use the same username and password for all of their online dealings, such as banking, the results could have been disastrous. Fortunately, the perpetrator seemed to be mainly interested in exposing Rockyou’s insufficient security, as they didn’t post the usernames or emails.
“The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism,” said Imperva CTO Amichai Shulman. “Never before has there been such a high volume of real-world passwords to examine.”
Imperva analysed the hacked data, and compiled their Consumer Password Worst Practices report. Of the 32m passwords involved, the most common ten are:
123456
12345
123456789
Password
iloveyou
princess
rockyou
1234567
12345678
abc123
It was found that almost half of the members used names, slang words, dictionary words, or trivial passwords such as consecutive digits or adjacent keys on the keyboard.
Imperva recommendations
A password should contain at least eight characters (30% of users had passwords of six characters or fewer).
It should contain a mix of four different types of characters (i.e. upper case, lower case, numbers, symbols).
It should not be a name or a word, and should not contain any part of your name or email address.
The report also suggests using a different password for every website (a tall order!), not sharing passwords with third parties, and using the first letters of each word in a sentence as your password (e.g. “this little piggy went to market” would be “tlpWENT2m”).
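The three Imperva rules above, plus a check against the top-ten list, as a small policy checker. This is an added example, not code from Imperva or the report; the user name and email are assumed inputs, and the ten passwords from the page stand in for the full dictionary and breach list a real deployment would use.

```python
import re

# Top-ten RockYou passwords from the Imperva report, as listed on this page.
# A real deployment would use a full breach/dictionary list; this stands in for it.
ROCKYOU_TOP10 = {"123456", "12345", "123456789", "password", "iloveyou",
                 "princess", "rockyou", "1234567", "12345678", "abc123"}

def char_classes(pw: str) -> int:
    """Count the character classes present: lower, upper, digit, symbol."""
    return sum([any(c.islower() for c in pw),
                any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw),
                any(not c.isalnum() for c in pw)])

def is_sequential(pw: str) -> bool:
    """True for runs like 123456 or abcdef (each char one code point after the last)."""
    return len(pw) >= 2 and all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))

def check_password(pw: str, name: str = "", email: str = "") -> list:
    """Return the rules this password fails (empty list means it passes)."""
    failures = []
    if len(pw) < 8:
        failures.append("fewer than 8 characters")
    if char_classes(pw) < 4:
        failures.append("fewer than 4 character classes")
    low = pw.lower()
    if low in ROCKYOU_TOP10:
        failures.append("in the RockYou top-10 list")
    if is_sequential(low):
        failures.append("consecutive characters")
    # Fragments (3+ chars) of the user's name and e-mail local part must not appear.
    source = f"{name} {email.split('@')[0]}".lower()
    for piece in re.split(r"[^a-z0-9]+", source):
        if len(piece) >= 3 and piece in low:
            failures.append(f"contains '{piece}' from name or e-mail")
            break
    return failures

if __name__ == "__main__":
    # Constructed sample user; the names and address are made up.
    for pw in sorted(ROCKYOU_TOP10) + ["tlpWENT2m", "Tlp!WENT2m"]:
        result = check_password(pw, "Jane Doe", "jane.doe@example.com")
        print(f"{pw:12} -> {result or 'OK'}")
```

Note that the report's own mnemonic example, tlpWENT2m, fails the four-class rule because it has no symbol; adding one (Tlp!WENT2m) makes it pass every check here.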