Jan 22, 2010
Is Your Password 123456?
Posted by meggebrecht in RockYou, Password Strength, Imperva
When it comes to passwords, people are lazy. There's just no other way to explain why nearly 300,000 out of 32 million people would choose "123456" as their password.
The 32 million passwords in question belonged to the accounts accessed in a hacking attack late last year on RockYou, a social networking application company. On Thursday, data security vendor Imperva released a study that analyzed those passwords.
The second most popular password among RockYou users, according to Imperva, was "12345" with about 79,000, followed by the slightly more creative "123456789." Here's the top 10, with the number of instances in parentheses.
1. 123456 (290,731)
2. 12345 (79,078)
3. 123456789 (76,790)
4. Password (61,958)
5. iloveyou (51,622)
6. princess (35,231)
7. rockyou (22,588)
8. 1234567 (21,726)
9. 12345678 (20,553)
10. abc123 (17,542)
Add those up and you get about 678,000 accounts, more than 2 percent of the entire dump, that fall to just ten guesses: low-hanging fruit for automated password-guessing attacks. (An attacker who tries a short list of popular passwords against a large number of accounts is running a dictionary or password-spraying attack rather than a blind brute-force search, which is exactly why a list like this is so valuable to them.) The next ten most popular passwords listed by Imperva include winners like "Qwerty" and "654321."
Noting that the RockYou breach offered up a unique opportunity to study a massive amount of passwords, Imperva CTO Amichai Shulman said that "everyone needs to understand what the combination of poor passwords means in today's world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second -- or 1,000 accounts every 17 minutes."
Added Shulman: "Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy-to-crack passwords like '123456.'"
According to the report, nearly all of the 5,000 most popular passwords (which between them covered one-fifth of the exposed accounts) were names, slang words, dictionary words, or runs of consecutive digits or adjacent keyboard keys. Thirty percent of the accounts had passwords of six or fewer characters.
So what should enterprises do about this? Among Imperva's recommendations for administrators is establishing and enforcing a strong password policy; ensuring that passwords aren't transmitted in clear text; putting obstacles like CAPTCHAs in the way of brute-force attacks; making employees change their passwords on a regular basis, and when there has been a potential compromise; and encouraging the use of passphrases rather than passwords.
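What the frequency analysis above and the password-policy recommendation look like in code, as an added example that is not part of the original post or of Imperva's report: the script counts a password corpus the way the study did, measures how many accounts fall to the first k guesses (the arithmetic behind "one account every second"), and then rejects new passwords that are too short, sit on a blocklist built from the leaked corpus itself, or are digit runs or keyboard walks. The corpus is a small constructed sample skewed like the RockYou dump, not real breach data; the length threshold, blocklist size and keyboard rows are assumptions.

```python
"""Frequency analysis of a leaked password corpus and a policy check built from it.

Added example, not code from the original post or from Imperva's report.
The corpus below is constructed to mimic the skew of the RockYou dump;
the thresholds and keyboard rows are assumptions.
"""
from collections import Counter

# Constructed sample corpus (not real breach data): a handful of weak choices
# dominate, with a long tail of rarer passwords behind them.
SAMPLE_PASSWORDS = (
    ["123456"] * 30 + ["12345"] * 8 + ["password"] * 6 + ["iloveyou"] * 5
    + ["qwerty"] * 3 + ["abc123"] * 2
    + ["Tr0ub4dor&3", "correct horse battery staple", "x9#Lq2!vR8m",
       "zxcvbn", "654321", "jessica", "Pa55word!"]
)

# Assumed keyboard rows used to spot "adjacent key" passwords such as qwerty or asdfgh.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def top_passwords(passwords, n=10):
    """The n most common (password, count) pairs, most frequent first: the study's top-10 table."""
    return Counter(passwords).most_common(n)


def coverage(passwords, guesses):
    """Fraction of accounts opened by trying each guess once against every account."""
    counts = Counter(passwords)
    return sum(counts[g] for g in set(guesses)) / len(passwords)


def guesses_needed(passwords, fraction):
    """Smallest k such that the k most common passwords cover at least `fraction` of accounts."""
    total, hit = len(passwords), 0
    for k, (_, count) in enumerate(Counter(passwords).most_common(), start=1):
        hit += count
        if hit / total >= fraction:
            return k
    return None


def expected_hits(passwords, guess, attempts):
    """Accounts expected to open when `guess` is tried once each against `attempts` accounts.

    This is the arithmetic behind "one new account every second": login attempts
    per second times the share of the population using that password.
    """
    return attempts * Counter(passwords)[guess] / len(passwords)


def build_blocklist(passwords, n):
    """Blocklist from the n most common entries of a leaked corpus, lowercased for matching."""
    return {pw.lower() for pw, _ in top_passwords(passwords, n)}


def is_sequence(pw):
    """True for runs of consecutive characters, up or down: 123456, 654321, abcdef."""
    s = pw.lower()
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_keyboard_walk(pw):
    """True if pw is a stretch of one keyboard row read forwards or backwards (qwerty, poiuy)."""
    s = pw.lower()
    return len(s) >= 3 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_policy(pw, blocklist, min_len=8):
    """None if pw passes the policy, otherwise a short reason for rejecting it."""
    if len(pw) < min_len:
        return "too short"
    if pw.lower() in blocklist:
        return "on blocklist"
    if is_sequence(pw):
        return "sequence"
    if is_keyboard_walk(pw):
        return "keyboard walk"
    return None


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_PASSWORDS, 5)
    for pw, count in top_passwords(SAMPLE_PASSWORDS, 5):
        print(f"{count:4d}  {pw}")
    print("accounts opened by the top 5 guesses:", round(coverage(SAMPLE_PASSWORDS, blocklist), 3))
    print("guesses needed to open half the accounts:", guesses_needed(SAMPLE_PASSWORDS, 0.5))
    for candidate in ("123456", "Password", "123456789", "qwertyuiop",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_policy(candidate, blocklist) or 'ok'}")
```

In a real deployment the blocklist would be the full set of passwords from published breaches rather than the top five of a toy corpus, and the check would run at account creation and password change. Candidates are lowercased before the lookup so that "Password" is caught by the entry "password"; the digit-run and keyboard-walk tests cover the remaining categories the report found in nearly all of the top 5,000, and the length floor alone would have rejected the 30 percent of accounts using six or fewer characters.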
But honestly, you'd think people would begin to realize how vulnerable they make themselves (and their employers) when the best password they can come up with is "abc123."