A recent data breach study has turned up damning evidence on the lack of security awareness with user-selected passwords.
Research firm Imperva conducted the Consumer Password Worst Practices study (PDF) following a major data breach at social networking site RockYou which made more than 32 million user passwords public.
An analysis of the leaked data showed that users are still selecting passwords that are easily guessed.
The study found that roughly a fifth of users had selected passwords that were among the 50,000 most common on the web. Among these were basic numerical sequences.
Nearly 300,000 of the compromised accounts used '123456' as a password, while an additional 79,078 selected '12345' and 76,790 users used '123456789'. Other commonly used passwords were 'password', 'iloveyou' and 'princess'.
By selecting such widely used passwords, users are leaving their accounts easily accessible to data harvesting, said Imperva. The report suggested that by using an automated 'brute force' tool based on the 50,000 common passwords list, an attacker could have harvested more than 1,000 account credentials in under 17 minutes.
"This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data," said Imperva.
"Worse, as hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk."
The report was quickly picked up by authentication vendors such as VeriSign to show the need for additional account protection such as randomly generated codes.
"The shortcomings of weak passwords and the need for stronger authentication solutions are becoming more and more evident," a company spokesperson told V3.co.uk.
"One-time passwords via two-factor authentication provide a critical layer of security to counter such threats."
Others in the security community suggested stepping up the enforcement of best practices. Gartner vice president and research fellow John Pescatore suggested in a blog post that administrators should prod users to strengthen their login details.
"The passwords users create are the equivalent of them choosing front door locks that open with skeleton keys," wrote Pescatore.
"We will be stuck with passwords for a long time and, since users will complain no matter what we do to enforce password discipline, this little exercise points out that we should focus on annoying users by requiring strong passwords versus frequently changed passwords."
BT wants to make the public switched telephone network history within eight years
Personal data being purloined by third parties via Facebook Login API
MacOS and iOS are better off apart, says CEO Tim Cook
Or they'll no longer be entitled to updates and bug patches