In December 2009, a hacker stole 32 million passwords from the site RockYou.  According to a January 2010 article in The New York Times, the list briefly appeared online and was downloaded by hackers and security experts alike.  While the two groups had very different reasons for wanting such a list, security experts like Amichai Shulman, chief technology officer at Imperva, found that people haven’t changed their password habits much since the 1990s.

What Mr. Shulman found was that 20 percent of the passwords came from a pool of just 5,000 common phrases.  The most-used password?  “123456” … minus the quotation marks, of course.  “I guess it’s just a genetic flaw in humans,” he told the newspaper.

Also in December 2009, it came to light that Twitter had blocked 370 passwords from being chosen at sign-up, and Valleywag posted the full list of what the microblogging service considered too easy to guess.  The list was disturbing in that people had actually thought these passwords were a good choice.

You might think that something like your RockYou account isn’t that important, but once someone gets into one of your accounts, it isn’t hard for them to guess that you have used the same or similar credentials elsewhere on the Web.  Do you want someone in your Facebook account?  Do you want them on your Twitter account posting spam or hateful messages?  Do you want them in your Amazon account messing with your orders?  How about getting into your e-mail and reading all of your private correspondence?

As social media continues to expand and we keep joining more and more services, we end up needing an ever-growing list of passwords.  Sure, you don’t want to remember a ton of them, and it isn’t a good idea to use the same password on more than one site, but you certainly can be more creative than “123456”.  Would it be so hard to take the name of your first pet and the age you were when you got it?  How about throwing in some characters to replace letters?  For instance “t3chn0buffa10” (those are zeros instead of the letter o … and, no, that isn’t my password here).  Bear in mind, though, that swapping letters for look-alike digits is one of the first transformations password-cracking tools try on a dictionary word, so the length and unpredictability of the base phrase do far more for you than the substitutions.

The list of the 32 most-used passwords on RockYou is a hacker’s dream.  A simple script could try them all in a heartbeat, and since one password in five came from a pool of only 5,000 phrases, a script working through that pool would get into one account out of five.  You shouldn’t think of remembering a password as a burden or a bother, but as a necessity to protect your online identity.  If you don’t think you can remember them all, there are a lot of good, free password management options out there, and we would encourage you to use one.
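To make the two points above concrete (that a blocklist like Twitter’s stops the worst choices, and that a leet-speak spelling such as “t3chn0buffa10” is only one cracking rule away from its base word), here is a small sign-up-time check written for this post.  It is an added example, not code from RockYou, Twitter or Imperva.  The blocklist entries are a constructed sample (the real lists are far longer, and “technobuffalo” is included only on the assumption that a site would add its own name), and the substitution table is illustrative rather than any tool’s actual rule set.

```python
import re

# Constructed sample of a common-password blocklist. The real RockYou top list and
# Twitter's 370-entry list are longer; these entries are illustrative only.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "abc123", "nicole", "daniel", "babygirl", "monkey", "qwerty",
    "letmein", "technobuffalo",  # assumed: a site adds its own name to the list
}

# Undo the usual look-alike substitutions. "1" is ambiguous (l or i); real cracking
# rule sets simply try both, so one mapping is enough to make the point here.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Digits or symbols people tack onto the end of a word ("password1!").
TRAILING_JUNK = re.compile(r"[^a-z]+$")


def normalized_forms(password):
    """Return the set of base words a cracker's rules would reduce this password to.

    Covers lower-casing, reversing leet substitutions, and dropping trailing
    digits or symbols, in either order, so both "t3chn0buffa10" and
    "P@ssw0rd1!" collapse to a plain dictionary word.
    """
    p = password.lower()
    stripped = TRAILING_JUNK.sub("", p)
    return {
        p,
        p.translate(LEET_MAP),
        stripped.translate(LEET_MAP),
        TRAILING_JUNK.sub("", p.translate(LEET_MAP)),
    }


def password_problems(password, blocklist=COMMON_PASSWORDS, min_len=12):
    """Return a list of reasons a password should be rejected (empty if it passes)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() in blocklist:
        problems.append("in the common-password blocklist")
    elif normalized_forms(password) & blocklist:
        problems.append("a variant of a blocklisted password")
    return problems


if __name__ == "__main__":
    samples = ["123456", "t3chn0buffa10", "P@ssw0rd1!", "correct horse battery staple"]
    for candidate in samples:
        verdict = password_problems(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Run it and “123456” is rejected outright, while “t3chn0buffa10” is rejected because undoing the digit swaps gives a word on the list; only the long, multi-word phrase passes.  A real deployment would load a much larger list (the leaked RockYou top entries are a good start) and pair the check with rate limiting on the login form, since no blocklist helps once an attacker can try thousands of guesses per minute.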

So, what should you take away from this?

  • Don’t use something as common as 123456
  • Don’t use the same password on multiple sites
  • Be creative with your password choices, make them long, and if a site lets you use special symbols, do so

No one wants to wake up to a hacked Club Penguin account.