The tech media is once again reporting on a list of the world’s “worst” passwords. And once again, the list has some serious inherent limitations.
This particular list comes from SplashData, which not so coincidentally develops password management software. It’s put together a list of the 25 worst passwords, the criteria being how frequently they appeared in password databases that have been stolen.
The top five in the list are the same as in a similar survey last year, but in a slightly different order. From one to five it’s 123456, password, 12345678, qwerty, abc123. The rest of the list includes old classics such as admin, letmein, princess, monkey and, in what is surely the most token of gestures towards enhanced security, password1.
How reliable the data really is can certainly be questioned: two new entries include adobe123 (in tenth place) and photoshop (in 15th place). Of course, that’s largely because a large breach of Adobe’s passwords is among the source material used for the list.
The real problem, though, is that the list is largely meaningless in terms of telling us about overall security among users. The fact that it’s made up of clearly easy-to-guess passwords doesn’t mean the general public is doing a bad job of picking passwords.
By definition, the better your password is, the less likely it is that somebody else is using it. In turn, the more widely-used a password is, the more likely it is that it’s something that is “obvious” and easy to guess. Pointing to the list and saying “duh, the most popular passwords are all dumb” is completely missing the point that this is an inherent characteristic of such a list.
What would be more informative would be to know how widely the “worst” passwords are being used. For example, if the 25 most-used passwords made up a lower proportion of all passwords this year than last year, we’d get a sign that people are giving their passwords more thought. Similarly, data on the median length of passwords, or the proportion of passwords containing different types of character, might give us a better picture.
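The metrics suggested above can be computed directly from a password corpus. The following is an added example, not code from SplashData or the original article; the two sample corpora are constructed, and `password_stats`, `YEAR_A` and `YEAR_B` are hypothetical names. It shows two years with an identical "worst passwords" ranking but different underlying hygiene.

```python
from collections import Counter
from statistics import median

def password_stats(passwords, top_n=25):
    """Compute the corpus-level metrics the article proposes."""
    total = len(passwords)
    top = Counter(passwords).most_common(top_n)

    def share(pred):
        # Fraction of passwords containing at least one matching character.
        return sum(any(pred(c) for c in p) for p in passwords) / total

    return {
        "top_list": [pw for pw, _ in top],                  # the headline ranking
        "top_share": sum(n for _, n in top) / total,        # how widely it is used
        "median_length": median(len(p) for p in passwords),
        "class_share": {
            "lower": share(str.islower),
            "upper": share(str.isupper),
            "digit": share(str.isdigit),
            "symbol": share(lambda c: not c.isalnum()),
        },
    }

# Constructed samples (20 entries each), not real breach data.
YEAR_A = ["123456"] * 6 + ["password"] * 4 + ["qwerty"] * 2 + [
    "sunshine1", "trustno1", "dragon99", "letmein",
    "monkey", "shadow", "iloveyou", "princess",
]
YEAR_B = ["123456"] * 4 + ["password"] * 3 + ["qwerty"] * 2 + [
    "Tr0ub4dor&3", "correct-horse", "B1ue!Kettle", "mango_River7",
    "x9#Lq2vP", "Winter2013!", "letmein", "monkey",
    "g7$kT!pa9Z", "purple.Door42", "shadow",
]

if __name__ == "__main__":
    for label, corpus in (("year A", YEAR_A), ("year B", YEAR_B)):
        s = password_stats(corpus, top_n=3)
        print(label, s["top_list"], s["top_share"],
              s["median_length"], s["class_share"])
```

Both samples produce the same top-three list, yet the share of users on those passwords, the median length and the symbol usage all differ, which is the information a ranking alone hides.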