According to iMPERVA

In December 2009, a major password breach occurred that led to the release of 32 million passwords. Further, the hacker posted to the Internet the full list of the 32 million passwords (with no other identifiable information). Passwords were stored in cleartext in the database and were extracted through a SQL Injection vulnerability. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine.

The Imperva Application Defense Center (ADC) analyzed the strength of the passwords and here is what they found:
  • About 30% of users chose passwords whose length is equal or below six characters.
  • Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among account owners is "123456".

NASA provides the following Recommendations for strong password selection:
  1. It should contain at least eight characters.
  2. It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last character in the password.
  3. It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.

After the analysis of that over 32 mln exposed passwords, iMPERVA came to the following conclusion:
Almost all of the 5000 most popular passwords, that are used by a share of 20% of the users, were just that – names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and soon).

Below are the top 20 common passwords in the database list:

Rank Password Number of Users with Password (absolute)
1 123456 290731
2 12345 79078
3 123456789 76790
4 Password 61958
5 iloveyou 51622
6 princess 35231
7 rockyou 22588
8 1234567 21726
9 12345678 20553
10 abc123 17542
11 Nicole 17168
12 Daniel 16409
13 babygirl 16094
14 monkey 15294
15 Jessica 15162
16 Lovely 14950
17 michael 14898
18 Ashley 14329
19 654321 13984
20 Qwerty 13856

And finally here are the Recommendations.

    1. Choose a strong password for sites you care for the privacy of the information you store. Bruce Schneir's advice is useful: "take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary."
    2. Use a different password for all sites – even for the ones where privacy isn't an issue. To help remember the passwords, again, following Bruce Schneier's advice is
      recommended: "If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence."
    3. Never trust a 3rd party with your important passwords (webmail, banking, medical etc.)

    1. Enforce strong password policy – if you give the users a choice, it is very likely that they would choose weak passwords.
    2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
    3. Make sure passwords are not kept in clear text. Always digest password before storing to DB.
    4. Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. Make these attacks too slowly for any practical
      purposes even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.
    5. Employ a password change policy. Trigger the policy either by time or when suspicion for a compromise arises.
    6. Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.

What are your or the company you work for policies on this question?
Please share your thoughts and experience.