Analysis of User Password Complacency
Hackers don't always have to target the obvious bullseye in order to take over their mark. Usually an ancillary target provides all the access you need. Recently, a site known as rockyou.com was breached through a common SQL injection vector, exposing 32 million user passwords and email accounts stored in plaintext. The site provides plug-ins and applications for social networking sites such as MySpace and Facebook, where user logins between systems are often authenticated on a shared basis. Security researchers at Imperva decided to take a look at the unmasked passwords to get a feel for the awful password practices [pdf] of the "common internet user." Without going into too much detail, users failed to use even remotely complex passwords; those not found immediately by a dictionary lookup were still easily compromised because of short length or a limited keyspace. The most commonly used passwords included:
- variations of simple number sequences (12345, 654321, etc.)
- catch phrases or letter sequences (Password, princess, iloveyou, Qwerty, abc123)
- names (Nicole, Daniel, Jessica, Michael, Ashley)
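A defender-side check for the three failure modes the analysis names (dictionary word or name, simple number or letter sequence, and short length or limited keyspace). This is an added example, not code from the post or from Imperva; the tiny word list and the 40-bit threshold are constructed assumptions standing in for a real breached-password list and a site's own policy.

```python
import math
import string

# Constructed mini word list standing in for a dictionary / breached-password
# lookup (a real deployment would load a large list such as the RockYou dump).
COMMON_WORDS = {
    "password", "princess", "iloveyou", "qwerty", "abc123",
    "nicole", "daniel", "jessica", "michael", "ashley",
}


def keyspace_bits(pw: str) -> float:
    """Upper bound on the brute-force search space: length * log2(alphabet)
    for the character classes actually present. This measures only the
    'short length / limited keyspace' weakness; dictionary words are caught
    separately because their real search space is far smaller."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in pw):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in pw):
        alphabet += 26
    if any(c in string.digits for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # 32 symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def is_simple_sequence(pw: str) -> bool:
    """True for runs such as 12345, 654321 or abcdef: every adjacent pair of
    characters differs by exactly +1 or exactly -1 in code point."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def classify(pw: str, min_bits: float = 40.0) -> str:
    """Return the reason a password would be rejected, or 'ok'.
    The 40-bit floor is an assumption for this example, not Imperva's."""
    if pw.lower() in COMMON_WORDS:
        return "dictionary"
    if is_simple_sequence(pw):
        return "sequence"
    if keyspace_bits(pw) < min_bits:
        return "short-or-limited-keyspace"
    return "ok"


if __name__ == "__main__":
    for pw in ["12345", "654321", "Password", "Qwerty", "Nicole", "abc123"]:
        print(f"{pw!r:12} {keyspace_bits(pw):5.1f} bits -> {classify(pw)}")
```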