Most people are clueless as to how accounts are hacked and their passwords reflect that. If you find anything in common with the most common passwords below you have a weak password. This is to help people choose a strong password and possibly help site admins understand the risks.
1. 1 More..23456, 123, 123123, 01234, 2468, 987654, etc
2. 123abc, abc123, 246abc
3. First Name
4. Favorite Band
5. Favorite Song
6. first letter of given name then surname
7. qwerty, asdf, and other keyboard rolls
8. Favorite cartoon or movie character
9. Favorite sport, or sports star
10. Country of origin
11. City of origin
12. All numbers
13. Some word in the dictionary
14. Combining 2 dictionary words
15. any of the above spelled backwards
16. aaa, eee, llll, 999999, and other repeat combinations
Some sites force you to have passwords with both numbers and letters. For example bob's password is football, and the site asks him to add some numbers to it to make it valid. Here's what people usually add.
Years are usually added in different ways: football85, football1985, football04 instead of football4. There's also the possibility of sub-connections like football_04 and football-84. Many sites require both numbers and letters so these are a more likely occurance since people tend to want to have the same pass for everything.
News broke that hackers had accessed the private Yahoo e-mail account of GOP vice presidential candidate Sarah Palin. They exposed a few innocuous e-mails, but the incident surely left many wondering whether the same thing could happen to them.
Many computer users stick to obvious passwords, and rely on the same one for all of their accounts. According to InTechnology.com, these are the 10 most common passwords.
10. (your name)
If they have hacked and downloaded the entire database it's 10000 times faster than if they send requests guessing your passwords on certain websites. Most decent comps can check easily thousands possibilities per second.
Most malicious hackers just wait for security update news. Whenever some forum or cms software like drupal, vbulletin, phpbb or invision board releases a security update, they try and find what the discovered exploit was. They google search for forums that may have the affected system and use the exploit. Forums can give tons of emails / passwords.
The ones who are skilled enough and actively attempt to discover the exploits are more rare.
Even worse is when the skilled programmers make simple automated exploit programs for script kiddies to use without even understanding the code. This is where the majority of the attacks come from, losers that use programs made by hacker and call themselves hackers.
It's super rare that you would be targeted or your password has been hacked from large sites like google, hotmail or myspace. Most of the big sites have capchas and DDoS protection, which cripples speed, It's more likely they hacked some other site that you long forgot about and found more passwords in your email. Most people get hacked from phising attempts or other forms of social engineering rather than real hackers. People also get trojans from opening email extensions and downloading pirate stuff off p2p without a decent antivirus. Hackers with skills enough to find open ports / exploit them and get shell access are much more rare than people claim.
Most are stored as md5 hashes. If your password is stored without encryption you are screwed if they get screwed. It doesn't matter how long your password is. Sites like thepiratebay and stage6 have gotten their passwords stolen, don't think it can't happen to big sites. You can tell if a site encrypts your password by using their password recovery form. If it gives you your password your password is not encrypted. If it asks you to enter a new one or it generates a password for you, it has your password encrypted.
Sites like milw0rm and plain-text have millions, maybe billions of precomputed hash values in what are called rainbow tables. People can enter hashes in limited quantities to put on queue for cracking. md5 is a one-way hash, meaning it can't be decrypted. Instead, they try every possible combination in a limited range. Other sites are just searchable databases of hashes. You still should be ok if your pass is over 8 characters long. Some sites do double md5s or concatenate md5 encrypted passwords with an encrypted "salted" value, then encrypt the whole thing again. This prevents rainbow tables, but does not prevent brute force attacks. Brute force attacks use word lists separated by line breaks which are widely available around the net and can be easily created.
Contrary to popular belief and the Hollywood culture, hackers are just people that can manipulate things on a bits and bytes level. They're excellent programmers and the majority do not engage in illegal activity. Making something do what it wasn't intended to is exploiting, not hacking.
source ......... http://www.liveleak.com