[ISN] Yes, 123456 is the most common password, but here’s why that’s misleading

http://arstechnica.com/security/2015/01/yes-123456-is-the-most-common-password-but-heres-why-thats-misleading/ By Mark Burnett Ars Technica Jan 22, 2015 I recently worked with SplashData to compile its 2014 Worst Passwords List, and yes, 123456 tops the list. In the data set of 3.3 million passwords I used for SplashData, almost 20,000 of those were in fact 123456. But how often do you genuinely see people using that, or the second most common password, password, in real life? Are people still really that careless with their passwords? While 123456 is absolutely the most common password, that statistic is a bit misleading. Although 0.6 percent of all users on my list used it, it’s important to remember that 99.4 percent of the users on my list didn’t. What is noteworthy here is that while the top passwords are still the top passwords, the number of people using those passwords has dramatically decreased. In 2011, my analysis showed that 8.5 percent had the passwords password or 123456, but this year that number has gone down to less than one percent. This is huge. The fact is that the top passwords are always going to be the top passwords, it’s just that the percentage of users actually using those will—at least we hope—continually get smaller. This year, for example, a hacker using the top 10 password list would statistically be able to guess 16 out of 1,000 passwords. Getting a true picture of user passwords is surprisingly difficult. Even though password is #2 on the list, I don’t know if I have seen someone actually use that password for years. Part of the problem is how we collect and analyze password data. Because we typically can’t just go to some company and ask for all their user passwords, we have to go with the data that is available to us. And that data has problems. […]