X

Most popular passwords still terrible

Using data from a keylogging attack that compromised 2 million email and social networking accounts, Spiderlabs has revealed that the top 10 most popular passwords are also the most stupid.

Michelle Starr Science editor
Michelle Starr is CNET's science editor, and she hopes to get you as enthralled with the wonders of the universe as she is. When she's not daydreaming about flying through space, she's daydreaming about bats.
Michelle Starr
2 min read

Using data from a keylogging attack that compromised 2 million email and social networking accounts, SpiderLabs has revealed that the top 10 most popular passwords are also the most stupid.

(Lock image by Tomascastelazo, CC BY-SA 3.0)

Pony is a botnet controller that's been doing the rounds for a little while now. It uses a keylogger malware to collect passwords, which it then sends to a server, traced to the Netherlands by Trustwave's SpiderLabs, a team of "ethical hackers" dedicated to improving web security.

Looking at the data collected by Pony version 1.9, SpiderLabs discovered that just under 2 million accounts had been compromised, most of which were for websites, including social networks. Most of the passwords were from Facebook (318,121), followed by Google (70,532), Yahoo (59,549) and Twitter (21,708).

And, depressingly, the 10 most popular passwords were the ones system administrators cringe at.

  1. 123456 (15,820 instances)

  2. 123456789 (4875 instances)

  3. 1234 (3135 instances)

  4. password (2212 instances)

  5. 12345 (2094 instances)

  6. 12345678 (2045 instances)

  7. admin (1991 instances)

  8. 123 (1453 instances)

  9. 1 (1224 instances)

  10. 1234567 (1170 instances)

  11. 111111 (1046 instances)

To put that in perspective, the top 10 passwords, SpiderLabs said, make up around 2.4 per cent of the total password count. That may not seem like much — but it's significantly higher than the 0.9 per cent the group calculated from 2006, especially when you consider that there are vastly more web services, and therefore passwords required, than there were seven years ago.

Now, because Pony uses a keylogger to attack, there's not much a stronger password could achieve; a keylogger, as the name suggests, logs the user's keystrokes. However, a strong password can offer better protection against the more commonly used brute-force attack, which guesses at passwords until it gets the right combination.

To protect against keylogger attacks, there are several steps you can take. Firstly, use a good antivirus program, and update it regularly to make sure it supports all the newest malware and virus definitions. Secondly, wherever possible, use two-factor authentication. This usually takes the form of a code text messaged to your phone, and it's a different code every time you log in. Without that code, hackers will have a significantly harder time getting access to your account.

You can read the rest of SpiderLabs' report on its website, and find some tips for creating a strong password here.