“123456” was the most popular password among the millions of Adobe users whose details were stolen during an attack on the company.
About 1.9 million people used the sequence, according to analysis of data lost in the leak.
Online copies of the data have let security researchers find out more about users’ password-creating habits.
The analysis suggests that many people are making it easy for attackers by using easy-to-guess passwords.
Word games
On 4 October, Adobe reported that its systems had been penetrated by attackers who had stolen the online credentials for millions of its users.
Early reports suggested about 2.9 million records had been compromised.
Top 20 passwords
- 123456
- 123456789
- password
- adobe123
- 12345678
- qwerty
- 1234567
- 111111
- photoshop
- 123123
- 1234567890
- 000000
- abc123
- 1234
- adobe1
- macromedia
- azerty
- iloveyou
- aaaaaa
- 654321
On 30 October, this figure was revised, with Adobe saying information about 38 million active users had gone astray.
In total, information about more than 150 million accounts was stolen – but many of the other accounts were disused, abandoned or duplicates.
Adobe has now shut down all the compromised accounts, saying it will only reopen them once passwords have been changed.
Copies of the data that was exposed by the breach have begun circulating online and inspired security researcher Jeremi Gosney to go through it working out which password was most popular.
Top of the list, with 1.9 million entries, was the “123456” string of numbers. Second was the slightly longer “123456789” sequence.
Other popular easy-to-guess passwords included “adobe123”, “qwerty” and “password”.
Mr Gosney said the results of the analysis should be treated with caution because, so far, no-one had access to the keys that Adobe used to encrypt the data.
However, he added, flaws in the way Adobe had stored and encrypted passwords along with clues in the giant file of data had made it possible to draw up a list that he was “fairly confident” was accurate.
Computer security researchers who study password-creating habits have also seized on the data dump as a way to refine the word lists they use to attack login systems in a bid to make them more secure.
Lists of passwords and email addresses are a boon to attackers not just because they can be used to get access to the systems they were supposed to secure. Many people re-use the same password for different services potentially giving attackers a way into other networks.