Database security firm Imperva obtained a list of the records exposed during the account breach, and analyzed them to see which passwords showed up the most. After crunching the numbers, it found that only 0.2% of RockYou's compromised customers were using what NASA would describe as a strong password.
Its report highlighted a predictably obvious set of entries topping the list of most commonly used passwords:
- 123456
- 12345
- 123456789
- Password
- iloveyou
- princess
- rockyou
- 1234567
- 12345678
- abc123
A total of 290 731 RockYou users used "123456" as their password, with over 155 000 using a password of either "12345" or "123456789". Amazingly, over 61 000 RockYou users had the word "Password" as their password.
Not only does this make dictionary attacks viable – attacks in which common words and phrases are tried against accounts – but it also makes other types of attack possible.
"The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as 'brute force attacks'", said the company in a statement. A brute force attack simply tries every combination of characters of a given length until one matches. Thirty percent of users chose a password of six characters or fewer, Imperva's report said.
RockYou, which develops applications for social network sites such as Facebook and MySpace, reported the breach in December. It advised users that it would be taking measures to prevent the problem from happening again. Notably, it said that it would encrypt the passwords that it stored, upgrade legacy platforms, and review current data security practices. RockYou is now the subject of a lawsuit from angry customers.
In its report on RockYou's password distribution, Imperva recommended passwords of at least eight characters that mix character types: upper- and lower-case letters, numbers and symbols.
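The analysis the article describes (tallying the most common passwords, measuring how many are six characters or fewer, and relating short, single-class passwords to brute-force keyspace and the eight-character mixed-type recommendation) as an added example. This is not code from the article or from Imperva's report; it runs over a small constructed password dump, and the guess rate and the three-class threshold are assumptions chosen for illustration.

```python
"""Added example (not from the article or Imperva's report): tally a password
dump the way the report did, then estimate brute-force effort for a few entries.
The dump, the guess rate and the policy thresholds are all constructed."""

from collections import Counter
import string

# Constructed sample dump, one password per line (not real RockYou data).
SAMPLE_DUMP = """123456
123456
123456
12345
123456789
Password
iloveyou
princess
rockyou
abc123
Tr0ub4dor&3
correcthorse
qwerty
123456
sunshine
P@ssw0rd!
"""

# Character classes used for the policy check and the keyspace estimate.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def load_passwords(dump: str) -> list[str]:
    """Split a dump into passwords, dropping blank lines."""
    return [line for line in dump.splitlines() if line]


def top_passwords(passwords: list[str], n: int = 5) -> list[tuple[str, int]]:
    """Most common passwords with their counts, like the list in the report."""
    return Counter(passwords).most_common(n)


def short_fraction(passwords: list[str], max_len: int = 6) -> float:
    """Fraction of passwords that are max_len characters or fewer."""
    short = sum(1 for p in passwords if len(p) <= max_len)
    return short / len(passwords)


def classes_used(password: str) -> set[str]:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Length and character-mix check in the spirit of the recommendation.
    min_classes=3 is an assumed threshold; the report only says 'a mixture'."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


def keyspace(password: str) -> int:
    """Candidates a brute-force attacker must try to exhaust the classes the
    password actually draws from, at the password's length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    pws = load_passwords(SAMPLE_DUMP)
    print("top:", top_passwords(pws))
    print(f"six chars or fewer: {short_fraction(pws):.0%}")
    for p in ("123456", "princess", "Tr0ub4dor&3"):
        print(f"{p!r}: policy={meets_policy(p)}, "
              f"exhaust in {seconds_to_exhaust(p):.3g}s at 1e9 guesses/s")
```

The keyspace figure is the worst case for an attacker who already knows which character classes the password uses; a real attacker tries a dictionary of common passwords like the list above first, so entries such as "princess" fall long before their nominal 26^8 keyspace is exhausted.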