*Words, colors, years, names, sports, hobbies, and music groups were very popular. FYI, your girlfriend or boyfriend’s name isn’t that uncommon in most cases. I, too, luv Brandi, Bob, or Joe.
*The color red was twice as likely to be used in a password as blue. No other colors came close in popularity percentage-wise. I guess "chartreuse" is a relatively safe password choice.
*Other popular words include: angel, baby, boy, girl, big, monkey, me, and the.
*Cuss words were very popular. Boy, there’s a lot of aggression out there.
*I was surprised by how many Christian-sounding log-on names -- "Ilovejesus," for example -- were associated with the worst cuss words.
*Names of sports -- golf, football, soccer, and so on -- were as popular as professional sports teams and college team nicknames.
*Certain letter combinations -- aa, ee, oo, dr, ea, lo, la, and so on -- each appeared in a given password about 3 percent of the time.
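As an added illustration of how this kind of tally is done (my own example, not code from the original column), here is a small Python audit that counts how many passwords in a list contain a color name, one of the common words above, or one of the letter pairs above. The sample passwords and the term lists are constructed assumptions; on a real password audit you would extend the lists with local names, teams, and vocabulary.

```python
from collections import Counter

# Constructed sample list for demonstration; not taken from any real breach.
SAMPLE_PASSWORDS = [
    "red123", "Ilovered", "redsox", "blue42", "bluebaby", "monkey1",
    "football7", "golfbig", "dragon", "chartreuse", "Tr0ub4dor&3", "angel_girl",
]

# Term lists are assumptions drawn from the observations above. Very short
# terms such as "me" and "the" will produce some false positives on real data.
COLORS = ["red", "blue", "green", "black", "white", "yellow", "orange", "purple", "pink"]
COMMON_WORDS = ["angel", "baby", "boy", "girl", "big", "monkey", "me", "the"]
LETTER_PAIRS = ["aa", "ee", "oo", "dr", "ea", "lo", "la"]


def hits(passwords, terms):
    """Count how many passwords contain each term (case-insensitive substring).
    A password is counted at most once per term, so the result answers
    "what fraction of passwords contain X" rather than "how often X occurs"."""
    counts = Counter()
    for pw in passwords:
        low = pw.lower()
        for term in terms:
            if term in low:
                counts[term] += 1
    return counts


def audit(passwords):
    """Return per-category hit counts plus the list of passwords that matched anything."""
    weak_terms = COLORS + COMMON_WORDS + LETTER_PAIRS
    return {
        "total": len(passwords),
        "color_hits": hits(passwords, COLORS),
        "word_hits": hits(passwords, COMMON_WORDS),
        "pair_hits": hits(passwords, LETTER_PAIRS),
        "flagged": [pw for pw in passwords if any(t in pw.lower() for t in weak_terms)],
    }


def percent(count, total):
    """Share of the list as a percentage, rounded to one decimal."""
    return round(100.0 * count / total, 1) if total else 0.0


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWORDS)
    for category in ("color_hits", "word_hits", "pair_hits"):
        for term, n in report[category].most_common():
            print(f"{category:10s} {term:8s} {n:3d}  ({percent(n, report['total'])}%)")
    print("flagged:", report["flagged"])
```

On the constructed sample, 10 of the 12 passwords are flagged; only "chartreuse" and "Tr0ub4dor&3" contain none of the listed terms.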
One last note: The password list contained several e-mail/log-on account names from popular OS and software vendors. Although there is no way to be sure that the passwords used on the exploited site were the same as those employees' company passwords, I'm sure some are matches.
Remember this and learn from it: An exploited Web site that's completely unrelated to your company can still put your company at risk. Remind all employees not to use their company passwords on noncompany Web sites at all.
After going through all the files, I found no startling password distribution data. All of it backed up my previously published conjecture and the studies published by friends, such as Perfect Passwords by Mark Burnett and The Great Password Debates by Dr. Jesper Johansson.
And in case you're wondering, hard-working network and security experts spent many hours notifying the ISPs and affected companies about their compromised users' passwords. Of course, I'm willing to bet that a moderate percentage of those contacted will not change their password, because they will assume the warning notice from their ISP is a phishing message and delete it without responding. That's the world we live in at the moment.