Back at the dawn of the Web, the most popular account password was "12345."
Today, it's one digit longer but hardly safer: "123456."
Despite all the reports of Internet security breaches over the years, including the recent attacks on Google's e-mail service, many people have reacted to the break-ins with a shrug.
According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like "abc123," "iloveyou" or even "password" to protect their data.
"I guess it's just a genetic flaw in humans," said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. "We've been following the same patterns since the 1990s."
Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)
The trove provided an unusually detailed window into computer users' password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.
"This was the mother lode," said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.
Pebble
show you the top 20 passwords used below:
1) 123456
2) 12345
3) 123456789
4) password
5) iloveyou
6) princess
7) rockyou
8) 1234567
9) 12345678
10) abc123
11) nicole
12) daniel
13) babygirl
14) monkey
15) jessica
16) lovely
17) michael
18) ashley
19) 654321
20) qwerty
But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites were security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.
Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.
"It's like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy," Mr. Moss said. "You just want to run that bit faster."