Imperva's Application Defense Center (ADC) recently published their analysis of last month's incident at social application site Rockyou.com, in which full details of more than 32 million user accounts were exposed in plain text. The attack was a face-palmingly trivial SQL injection one, and the exposed account data - everything having been stored in the clear - included user credentials, i.e. names and passwords, for social networks and other partner sites, such as MySpace, and webmail accounts. Nik Cubrilovic wrote about it then, in a TechCrunch article calling the RockYou platform "a Swiss cheese of security vulnerabilities and poor practices", and going on to enumerate the whys; it's a great exposé of its kind.
Anyway, back to this month, and the Imperva study. This analysed the full set of exposed passwords, 32 million and change. Previous studies have been confined to surveys; this is the first time such a large number of real-world passwords has been made available. Some of their main findings are:
- 30% use 6 characters or less;
- 50% are names, slang words, dictionary words, or otherwise trivial;
- 60% use a limited set of alphanumerics.
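To make the three findings concrete, here is an added example (not Imperva's tooling, and not run over the RockYou data) of how a defender would compute the same three metrics over their own password corpus, plus a registration-time policy check that rejects passwords falling into those buckets. The sample corpus and the mini wordlist are constructed for illustration; a real audit would load a proper wordlist file and a hashed-or-plaintext dump obtained legitimately (e.g. your own breach post-mortem). The "limited alphanumerics" bucket is interpreted here as lowercase letters and digits only, which is an assumption about the report's definition.

```python
import string
from collections import Counter

# Constructed sample corpus standing in for an exposed password dump (not RockYou data).
SAMPLE_PASSWORDS = [
    "123456", "password", "iloveyou", "princess", "rockyou", "abc123",
    "Tr0ub4dor&3", "correct horse battery", "qwerty", "monkey", "letmein",
    "P@ssw0rd!", "zx9!Kq#2Lm", "sunshine", "12345", "football",
    "123456", "password",  # duplicates, so the top-N ranking has something to show
]

# Constructed mini wordlist of common words and names; a real audit loads a full list.
WORDLIST = {"password", "iloveyou", "princess", "rockyou", "qwerty", "monkey",
            "letmein", "sunshine", "football"}

# Assumed definition of "limited set of alphanumerics": lowercase letters and digits only.
LIMITED_ALNUM = set(string.ascii_lowercase + string.digits)


def is_short(pw, max_len=6):
    """Finding 1: six characters or fewer."""
    return len(pw) <= max_len


def is_trivial(pw, wordlist=WORDLIST):
    """Finding 2: dictionary word / name, all digits, or one repeated character."""
    lowered = pw.lower()
    return lowered in wordlist or lowered.isdigit() or len(set(lowered)) == 1


def uses_limited_alnum(pw):
    """Finding 3: every character drawn from lowercase letters and digits."""
    return all(c in LIMITED_ALNUM for c in pw)


def audit(passwords, wordlist=WORDLIST):
    """Return counts and percentages for the three buckets over a corpus."""
    n = len(passwords)
    short = sum(is_short(p) for p in passwords)
    trivial = sum(is_trivial(p, wordlist) for p in passwords)
    limited = sum(uses_limited_alnum(p) for p in passwords)
    return {
        "total": n,
        "short": short,
        "trivial": trivial,
        "limited_alnum": limited,
        "short_pct": 100.0 * short / n,
        "trivial_pct": 100.0 * trivial / n,
        "limited_alnum_pct": 100.0 * limited / n,
    }


def top_passwords(passwords, k=10):
    """Most frequent passwords in the corpus, the 'top ten' view of the report."""
    return Counter(passwords).most_common(k)


def policy_violations(pw, wordlist=WORDLIST):
    """Registration-time check: list every bucket a candidate password falls into.

    An empty list means the password clears all three findings; this is the
    mitigation side of the same metrics."""
    reasons = []
    if is_short(pw):
        reasons.append("short")
    if is_trivial(pw, wordlist):
        reasons.append("trivial")
    if uses_limited_alnum(pw):
        reasons.append("limited_charset")
    return reasons


if __name__ == "__main__":
    result = audit(SAMPLE_PASSWORDS)
    for key in ("short_pct", "trivial_pct", "limited_alnum_pct"):
        print(f"{key}: {result[key]:.1f}%")
    print("top 3:", top_passwords(SAMPLE_PASSWORDS, 3))
    print("violations for 'abc123':", policy_violations("abc123"))
```

Run the file directly to print the bucket percentages and the top-N list for the constructed corpus; in practice you would feed `audit` a list read from your own store (after a breach, or from a plaintext migration) and wire `policy_violations` into account creation so the three categories never reach the database in the first place.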
So here are the latest top ten hottest passwords, as used on the Rockyou.com site:
The full report can be read here:
Hat tip to my colleague Chris, aka Scale This!, for pointing me at this study.