Once again a list of the most used passwords has revealed some obvious choices. And once again, that tells us nothing about the state of security.
As happens every year, SplashData (which by amazing coincidence is a password manager service provider) has published a list of the most common passwords, based on databases that have been hacked and then publicly released.
As also happens every year, the list is dominated by three main types of password: strings of digits in numerical order, strings of letters across the top row of a keyboard, and variations on the word “password.” This year it’s “123456” in top spot and “password” in second place.
And as happens every year, tech sites are full of analysis about how this tells us the public are terrible at choosing passwords and it’s a damning indictment of user stupidity that the most popular passwords are so obvious.
And as is now becoming something that happens every year, I’m going to point out this is nonsense. While, yes, many people do choose dumb passwords, this list proves nothing either way. Thinking it does is completely missing the circular logic involved:
The most popular passwords are bad because they are easy to guess. They are easy to guess because so many people use them.
In other words, no matter how good or bad the public is doing on security, the 25 most commonly used passwords will always, inherently, be stupid and easy to guess.
To get a better idea of how good password security is, we’d need to know factors like what percentage of people use predictable strings of characters or dictionary words, what length of password people are using, and whether people use the same password on different sites.
Indeed, the one genuinely useful statistic in the press release promoting the list, shows things are actually getting slightly better. Among all the passwords SplashData went through, the 25 most common made up 2.2 percent. That’s the lowest percentage in the five years it has been running the study.