According to a report, most users still haven't answered the call by security experts to use more robust passwords. In fact, in a list of the most easily hacked passwords, simply typing '123456' took a truly forgettable top prize.
Security firm Imperva recently released its list of the passwords most likely to be hacked, based on 32 million instances of successful hacking. Imperva named the report "Consumer Password Worst Practices," and some of the entries near the top are truly simple.
   
  Worst Password Practices
The top three passwords were all simple runs of consecutive digits: first '123456', followed by '12345' and then '123456789'. Similar entries reappeared at eight and nine on the top ten list. The fourth most-hacked password, however, was simply the word 'Password', followed by 'iloveyou' and 'princess' at spots five and six. (Source: computerworld.com)
What the report shows is that people still aren't using effective strategies to protect their sensitive information online. Using these kinds of passwords to protect your email account or, worse yet, your banking information could lead to theft or identity fraud.
  Top 10 Worst Passwords
  The following is a list of the most predictable passwords, and should    
not be used under any circumstances (Source: pcworld.com):
  1. 123456   
2. 12345    
3. 123456789    
4. Password    
5. iloveyou    
6. princess    
7. rockyou    
8. 1234567    
9. 12345678    
10. abc123
  How to Strengthen Your Passwords
Other key findings in the report: almost 1 in 3 users chose passwords of six or fewer characters; more than half used passwords made up of only alphanumeric characters; and almost 50 per cent used variations on their name, popular slang terms, or simple strings of consecutive keys from a standard QWERTY keyboard, such as 'asdfg'.
Imperva makes several obvious recommendations, suggesting that users adopt passwords of at least eight characters and mix upper and lower case letters, numbers, and symbols:
  Recommendations
  Users:
1. Choose a strong password for sites where you care about the privacy of the information you store. Bruce Schneier's advice is useful: "take a sentence and turn it into a password. Something like 'This little piggy went to market' might become 'tlpWENT2m'. That nine-character password won't be in anyone's dictionary."
2. Use a different password for all sites – even for the ones where privacy isn't an issue. To help remember the passwords, again, following Bruce Schneier's advice is recommended: "If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence."
3. Never trust a third party with your important passwords (webmail, banking, medical, etc.). If you can't remember them all, write them down and keep them in your wallet.
  Administrators:
1. Enforce a strong password policy – if you give users a choice, it is very likely that they will choose weak passwords.
2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
3. Make sure passwords are not kept in clear text. Always digest passwords before storing them in the DB.
4. Employ aggressive anti-brute-force mechanisms to detect and mitigate brute force attacks on login credentials. Make these attacks too slow for any practical purpose, even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.
5. Employ a password change policy. Trigger the policy either by time or when suspicion of a compromise arises.
6. Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.
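One way to turn the report's findings (six-or-fewer-character passwords, single-class passwords, keyboard walks like 'asdfg') and the "enforce a strong password policy" recommendation into a server-side check at account creation. This is an added example, not code from Imperva or from the article; the top-ten blocklist and the eight-character minimum come from the page, while the keyboard rows, the four-key walk length and the three-of-four character-class rule are assumptions.

```python
import string
from typing import List

# Imperva's top ten from the report, as listed on the page (matched case-insensitively).
BLOCKLIST = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Assumption: rows a user can "walk" along; the report singles out strings like 'asdfg'.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 8      # the report's recommended minimum
WALK_LENGTH = 4     # assumption: four adjacent keys counts as a keyboard walk
MIN_CLASSES = 3     # assumption: at least three of lower/upper/digit/symbol


def has_keyboard_walk(pw: str, run: int = WALK_LENGTH) -> bool:
    """True if pw contains `run` adjacent keys from one row, forwards or backwards."""
    lowered = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - run + 1):
            seq = row[start:start + run]
            if seq in lowered or seq[::-1] in lowered:
                return True
    return False


def character_classes(pw: str) -> int:
    """Count how many of the lower/upper/digit/symbol classes appear in pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def password_weaknesses(pw: str) -> List[str]:
    """Return the report-derived weaknesses found in pw; an empty list means acceptable."""
    issues = []
    if pw.lower() in BLOCKLIST:
        issues.append("in top-ten list")
    if len(pw) < MIN_LENGTH:
        issues.append("shorter than 8 characters")
    if character_classes(pw) < MIN_CLASSES:
        issues.append("fewer than three character classes")
    if has_keyboard_walk(pw):
        issues.append("keyboard/sequence walk")
    return issues


def is_acceptable(pw: str) -> bool:
    return not password_weaknesses(pw)
```

Schneier's 'tlpWENT2m' from the recommendations passes every check, while each of the top ten fails at least two.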
Passwords should be simple enough that they won't be forgotten too easily, but the goal is to make cracking them virtually impossible for any attacker, known or unknown.