Imperva analyzed the strength of the passwords -- which were posted by the attacker online after the hack -- and discovered that consumers still aren't taking strong-password creation to heart. Among the data Imperva released: Thirty percent of all users had passwords of six characters or fewer, and 60 percent had passwords selected from a limited set of alphanumeric characters.
Close to half of the passwords used names, slang terms, dictionary words, or passwords with consecutive digits or from adjacent keys, according to Imperva's report (PDF).
RockYou, a site that offers widgets for social networking developers for MySpace, Facebook, and others, was hit by a major SQL injection attack that led to the exposure of its usernames and passwords. The hacker, who goes by "igigi," demonstrated in a blog post how he was able to get data from the site's unsecured database, which stored data in the clear. He listed the passwords, but not the usernames.
According to Imperva's findings, the top passwords in the database were (in order): 123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678, and abc123.
"Everyone needs to understand what the combination of poor passwords means in today's world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second -- or 1000 accounts every 17 minutes," said Amichai Shulman, CTO of Imperva, in a statement. "The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism."