Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

February 4, 2015

Is 123456 Really The Most Common Password?

Filed under: Cybersecurity,Security — Patrick Durusau @ 5:44 pm

Is 123456 Really The Most Common Password? by Mark Burnett.

From the post:

I recently worked with SplashData to compile their 2014 Worst Passwords List and yes, 123456 tops the list. In the data set of 3.3 million passwords I used for SplashData, almost 20,000 of those were in fact 123456. But how often do you really see people using that, or the second most common password, password in real life? Are people still really that careless with their passwords?

While 123456 is indeed the most common password, that statistic is a bit misleading. Although 0.6% of all users on my list used that password, it’s important to remember that 99.4% of the users on my list didn’t use that password. What is noteworthy here is that while the top passwords are still the top passwords, the number of people using those passwords has dramatically decreased.

The fact is that the top passwords are always going to be the top passwords, it’s just that the percentage of users actually using those will–at least we hope–continually get smaller. This year, for example, a hacker using the top 10 password list would statistically be able to guess 16 out of 1000 passwords.

Getting a true picture of user passwords is surprisingly difficult. Even though password is #2 on the list, I don’t know if I have seen someone actually use that password for years. Part of the problem is how we collect and analyze password data. Because we typically can’t just go to some company and ask for all their user passwords, we have to go with the data that is available to us. And that data does have problems.
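The "16 out of 1000" figure above is just the cumulative share of accounts covered by the top-10 passwords in a frequency table. The script below, an added example that is not part of Mark's post or this blog, builds that table from a constructed sample dump (the counts are invented to mirror the 0.6% proportion quoted above, not real leaked data), computes top-N coverage, and turns the same table into a blocklist that a registration form could check against, which is the defensive use of such statistics.

```python
from collections import Counter

# Constructed sample dump (NOT real leaked data): frequencies chosen so that the
# top password is 0.6% of accounts and the top 10 together cover 16 of 1000,
# matching the proportions quoted in the post.
SAMPLE_COUNTS = {
    "123456": 6,
    "password": 2,
    "12345678": 1, "qwerty": 1, "abc123": 1, "letmein": 1,
    "monkey": 1, "dragon": 1, "111111": 1, "baseball": 1,
}


def build_sample(total=1000):
    """Expand SAMPLE_COUNTS into a list of `total` passwords, padding with
    unique values so every remaining account has a password nobody shares."""
    passwords = []
    for pw, n in SAMPLE_COUNTS.items():
        passwords.extend([pw] * n)
    for i in range(total - len(passwords)):
        passwords.append(f"unique-{i:04d}")  # constructed filler, one per account
    return passwords


def frequency_table(passwords):
    """(password, count) pairs, most common first; ties keep first-seen order."""
    return Counter(passwords).most_common()


def top_n_coverage(passwords, n):
    """Fraction of accounts that would be hit by trying only the n most common
    passwords once each. This is the statistic behind '16 out of 1000'."""
    table = frequency_table(passwords)
    hits = sum(count for _, count in table[:n])
    return hits / len(passwords)


def blocklist_from_top(passwords, n):
    """Defensive use of the same table: the n most common passwords become a
    set that a password-change or sign-up form refuses outright."""
    return {pw for pw, _ in frequency_table(passwords)[:n]}


def is_blocked(candidate, blocklist):
    """True when the candidate is one of the blocklisted common passwords."""
    return candidate in blocklist


if __name__ == "__main__":
    dump = build_sample()
    print("top password share:", top_n_coverage(dump, 1))   # 0.006
    print("top-10 share:      ", top_n_coverage(dump, 10))  # 0.016
    blocked = blocklist_from_top(dump, 10)
    print("'123456' blocked?  ", is_blocked("123456", blocked))
    print("'unique-0001' blocked?", is_blocked("unique-0001", blocked))
```

Run against a real frequency list, the same two functions give the exposure figure Mark reports for the top-10 list and a blocklist that removes exactly that exposure; the caveat he raises next, that the available data is skewed by how it was collected, applies unchanged to both numbers.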

Unlike cybersecurity alarmists, Mark has an acute sense for the difficulties in his password data.

Mark’s questions about his data make a good template for questioning the “data” used in other cybersecurity reports. Or to put it another way, cybersecurity reports that don’t ask the same questions should be viewed with suspicion.

Somewhat dated now, but Mark has also authored How I Collect Passwords, which should give you some tips on collecting passwords and possibly other data.

I first saw this in the CouchDB Weekly News, February 03, 2015.
