What did their analysis conclude? Short passwords, no mix of lowercase, capital and numeric characters, and trivial dictionary words, all of which every decent brute-forcing/password recovery application can find in a matter of minutes.
Key findings include:
- In just 110 attempts, a hacker will typically gain access to one new account every second, or need a mere 17 minutes to break into 1000 accounts
- About 30% of users chose passwords whose length is equal to or below six characters
- Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”
The rest of the passwords rated by popularity:
So what do we do as administrators to prevent all this? First, stop using 'citi1' as the default password on your servers, DCs, bank accounts and so on. Thesa knows it, and so does everyone else in your class. Other than that, here are more best and worst practices.
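
One way an administrator could screen new or default passwords against the weakness classes in the findings above. This is an added example, not code from the analysis or from this post. The function names, the seven-character minimum, the three-character-class rule and the deny-list entries other than "123456" and 'citi1' are assumptions chosen for illustration.

```python
import re

# Constructed deny-list: "123456" and "citi1" come from the text above,
# the other entries are illustrative placeholders.
DENY_LIST = {"123456", "citi1", "password", "iloveyou"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 7  # assumption: reject the "six characters or fewer" group


def has_sequence(pw, run=4):
    """True if pw contains `run` keys adjacent on one keyboard row, in either
    direction. The digit row also catches consecutive digits."""
    lowered = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in lowered:
                    return True
    return False


def char_classes(pw):
    """Count how many of lowercase / uppercase / digit / symbol appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def audit_password(pw):
    """Return the weakness labels that apply; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if char_classes(pw) < 3:  # assumption: require three of four classes
        reasons.append("limited_charset")
    if pw.lower() in DENY_LIST:
        reasons.append("common_password")
    if has_sequence(pw):
        reasons.append("keyboard_sequence")
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates
    for candidate in ["123456", "citi1", "qwerty12", "Tr4il-mix&Oak"]:
        print(candidate, audit_password(candidate) or "ok")
```

In practice the deny-list would be loaded from a large breached-password corpus rather than hard-coded, and the check would run at password-set time, not against stored passwords.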