A new study from Department of Computer Science, Virginia Tech, has highlighted the weakness in passwords used by people.
It won't come as a surprise that people still use "qwerty" and "123456"

The research used a password guessing algorithm, and most of you won't be surprised to know that 46.5% of of passwords were guessed within 100 attempts.

To measure the number of vulnerable password pairs, we use the 0.1%-trained model to guess the rest 99.9% of the password pairs.
Since we guess both directions, the testing data essentially has 14 million passwords. Within 10 attempts, we guessed 30% (4.2 million passwords) — 3.8 million password pairs are cracked for at least one direction. Together with the identical password pairs (12.8 million), over 16.6 million pairs can be cracked within 10 attempts.

Here's the paper (PDF) [people.cs.vt.edu...]