NEW YORK–Back at the dawn of the web, the most popular account password was "12345."
Today, it's one digit longer but hardly safer: "123456."
Despite all the reports of Internet security breaches over the years, many people have reacted to the break-ins with a shrug.
According to a new analysis, one out of five web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like "abc123," "iloveyou" or even "password."
"I guess it's just a genetic flaw in humans," said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. "We've been following the same patterns since the 1990s."
Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the web, and hackers and security researchers downloaded it.
The trove provided an unusually detailed window into computer users' password habits. Typically, only government agencies like the FBI or the National Security Agency have had access to such a large password list.
"This was the mother lode," said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.
Shulman said that about 20 per cent of people on the RockYou list picked from the same relatively small pool of 5,000 passwords. That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.
"We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations," Shulman said. "The reality is that you can be very effective by choosing a small number of common passwords."
To improve security, some websites are forcing users to mix letters, numbers and even symbols in their passwords. Others, such as Twitter, prevent people from picking common passwords.
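The two ideas in the article, measuring how much of a user base the top few passwords cover and refusing to let users pick those passwords, can be shown together. This is an added example, not code from Imperva, RockYou or Twitter; it runs on a small constructed password sample rather than the real list, and the blocklist is just the passwords the article names.

```python
from collections import Counter

# Constructed sample of 25 account passwords (not data from the RockYou list).
SAMPLE_PASSWORDS = (
    ["123456"] * 6 + ["password"] * 4 + ["iloveyou"] * 3
    + ["abc123"] * 2 + ["12345"] * 2
    + ["T7#kq!Lp9z", "correct horse battery", "M4ng0-Sm00thie", "xJ2$vP8@wQ",
       "blue-elephant-42", "9fK!2sdL", "Ravenclaw_2010", "Piano&Tuba7"]
)

# Blocklist of common passwords mentioned in the article (stored casefolded).
COMMON_PASSWORDS = {"123456", "12345", "password", "abc123", "iloveyou"}


def rank_passwords(passwords):
    """Return (password, count) pairs, most frequent first, ties alphabetical."""
    return sorted(Counter(passwords).items(), key=lambda item: (-item[1], item[0]))


def top_k_coverage(passwords, k):
    """Fraction of accounts whose password is one of the k most common ones."""
    covered = sum(count for _, count in rank_passwords(passwords)[:k])
    return covered / len(passwords)


def passwords_needed_for(passwords, share):
    """Smallest k such that the top-k passwords cover at least `share` of accounts."""
    ranked, total, covered = rank_passwords(passwords), len(passwords), 0
    for k, (_, count) in enumerate(ranked, start=1):
        covered += count
        if covered / total >= share:
            return k
    return len(ranked)


def char_classes(password):
    """Count of lower, upper, digit and symbol classes present in the password."""
    return sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])


def is_allowed(candidate, blocklist=COMMON_PASSWORDS, min_classes=2):
    """Reject blocklisted passwords (case-insensitive) and single-class passwords."""
    if candidate.strip().casefold() in blocklist:
        return False
    return char_classes(candidate) >= min_classes


if __name__ == "__main__":
    print("top 5 cover", top_k_coverage(SAMPLE_PASSWORDS, 5), "of accounts")
    print("passwords needed for 20%:", passwords_needed_for(SAMPLE_PASSWORDS, 0.20))
    print("'Password' allowed?", is_allowed("Password"))
```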