
These top 20 passwords came from a list of 32 million passwords revealed during a security breach in December. (Imperva)

A California company has found that computer users consistently choose weak passwords, with the most common one being 123456.

The second-most common password is 12345, followed by 123456789. And the fourth most common password is "password."

You can see where this is going.

The report by California internet security firm Imperva concludes many people choose passwords that could be easily hacked, and they've been making bad password choices for nearly two decades.

The firm compiled the report after getting access to 32 million passwords that had been posted briefly to the internet in a major security breach in December. A hacker posted them to the internet after hacking into Rockyou.com, an internet ad company with links to Facebook, MySpace and other social networking sites.

"The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism," Amichai Shulman, Imperva's chief technology officer, said in a news release Thursday. "Never before has there been such a high volume of real-world passwords to examine."

Of 32 million passwords, more than 290,000 were 12345, the report found. Twenty per cent of the passwords were common names and slang or easily remembered number combinations.

This is all fertile ground for hackers, the report said.

"To quantify the issue, the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account in every second, or a mere 17 minutes to break into 1,000 accounts."

The authors cited several studies dating back to 1990 showing that when people picked passwords, they generally cared more about being able to remember them than about security.

An internet search by CBC News turned up even earlier studies of poor password choice. A 1979 study of Unix users found most passwords were just four letters or numbers long.

In 2006, an examination of 34,000 MySpace passwords found that 65 per cent contained eight characters or fewer. Among the most common passwords for MySpace: abc123 and password.

"This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data," the Imperva report concluded.

Imperva's analysis found that about 30 per cent of users chose passwords of fewer than seven characters. Nearly 50 per cent of people used names, slang words, dictionary words or trivial passwords — consecutive digits, adjacent keyboard keys and so on.

Imperva recommends that passwords contain a minimum of eight characters. They should include a mix of four different types of characters: upper case letters, lower case letters, numbers and special characters such as !@#$%^&*.
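As an added illustration (not code from Imperva or from the report), the sketch below checks a candidate password against the recommendation above and also flags the trivial patterns the report describes, since a password such as `Qwerty123!` meets the length and character-mix rule yet is built from a keyboard run. The function names, the US QWERTY layout and the four-character run threshold are assumptions made for this example.

```python
import string

# The most common passwords the article names (values taken from the page).
COMMON = {"123456", "12345", "123456789", "password", "abc123"}
# Tracks for "consecutive digits" and "adjacent keyboard keys".
# Assumption: a US QWERTY layout; the article names no layout.
TRACKS = [string.digits, string.ascii_lowercase,
          "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 8   # Imperva's recommended minimum
MAX_RUN = 3      # assumption: a run of 4 or more characters counts as trivial


def longest_run(pw, tracks=TRACKS):
    """Length of the longest substring that walks along a track, in either direction."""
    low, best = pw.lower(), 0
    for i in range(len(low)):
        for j in range(i + best + 1, len(low) + 1):
            piece = low[i:j]
            if any(piece in t or piece[::-1] in t for t in tracks):
                best = j - i
            else:
                break  # no longer piece starting at i can match either
    return best


def check_password(pw):
    """Return the reasons a password is rejected; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper case letter": any(c.isupper() for c in pw),
        "lower case letter": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "special character": any(c in string.punctuation for c in pw),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    if pw.lower() in COMMON:
        problems.append("on the most-common list")
    run = longest_run(pw)
    if run > MAX_RUN:
        problems.append(f"contains a {run}-character keyboard or sequence run")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("123456", "password", "Qwerty123!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "accepted")
```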