Worst Passwords List Is Same Old $h1T


The annual list of the “worst passwords” has again failed to tell us anything useful about security, though perhaps it has provided a little (predictable) detail about popular culture.

As always happens this time of year, a publicity-seeking company behind a password manager application has put together a list of the 25 worst passwords by simply counting which ones appeared most often in the leaked databases that showed up online last year.

As always it’s prompted a flurry of stories about how Internet users are dumb because they continue to use obvious passwords, with 123456 and password always vying for the top spot.

And as always, that’s a completely idiotic conclusion, because the list tells us nothing about how secure the average password is. The most used passwords will always be obvious by definition. Drawing lessons from this is like looking at the 25 most popular names for new babies and concluding that the population as a whole picks popular names.

To get even a mediocre insight into overall levels of password security we’d need data on average password length, what percentage of people use dictionary words, what percentage use digits and symbols, and, crucially, what share of the whole corpus those top 25 entries actually account for.
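To make the contrast concrete, here is an added example (not from the original post or the password-manager company) that computes the corpus-wide statistics just listed over a constructed sample leak, alongside the bare top-N count that the “worst passwords” list is built from. The password corpus and the mini-dictionary are constructed stand-ins; a real analysis would use the full leaked list and a proper wordlist.

```python
"""Aggregate password-corpus habits versus a bare top-N frequency list."""
from collections import Counter

# Constructed sample corpus standing in for a leaked password dump (not real data).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "password", "passw0rd",
    "1qaz2wsx", "baseball", "football", "princess", "starwars", "solo",
    "Tr0ub4dor&3", "correct horse battery staple", "xK9#mP2$vL", "qwerty",
    "letmein", "dragon", "M7!vqz2Lp@9s", "iloveyou",
]

# Constructed mini-dictionary; a real run would load a full wordlist.
DICTIONARY = {
    "password", "baseball", "football", "princess", "starwars", "solo",
    "dragon", "letmein", "qwerty", "iloveyou",
}


def top_n(passwords, n=25):
    """The 'worst passwords' list: the n most frequent strings and their counts."""
    return Counter(passwords).most_common(n)


def corpus_stats(passwords, dictionary, n=25):
    """Corpus-wide habits that a top-N list alone cannot reveal."""
    total = len(passwords)
    if total == 0:
        raise ValueError("empty corpus")
    counts = Counter(passwords)
    top_count = sum(c for _, c in counts.most_common(n))
    lengths = [len(p) for p in passwords]

    def share(pred):
        # Fraction of all entries (accounts, not unique strings) matching pred.
        return sum(1 for p in passwords if pred(p)) / total

    return {
        "total": total,
        "unique": len(counts),
        # How much of the whole corpus the top-N list actually covers.
        "top_n_share": top_count / total,
        "mean_length": sum(lengths) / total,
        "min_length": min(lengths),
        "share_dictionary_word": share(lambda p: p.lower() in dictionary),
        "share_digits_only": share(str.isdigit),
        "share_with_digit": share(lambda p: any(c.isdigit() for c in p)),
        # Symbol = anything that is neither alphanumeric nor whitespace.
        "share_with_symbol": share(
            lambda p: any(not c.isalnum() and not c.isspace() for c in p)),
        "share_mixed_case": share(
            lambda p: any(c.islower() for c in p) and any(c.isupper() for c in p)),
    }


if __name__ == "__main__":
    print("Top entries:", top_n(SAMPLE_PASSWORDS, 2))
    for key, value in corpus_stats(SAMPLE_PASSWORDS, DICTIONARY, n=2).items():
        print(f"{key:>22}: {value}")
```

Run against the constructed corpus, the top two strings cover a quarter of the entries, which says something about the whole leak; the top-N list on its own says nothing about the other three quarters. Shares are computed per entry rather than per unique string so that a password reused by many accounts weighs accordingly.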

The only real insight into security habits from the list is that a few folk are aware of the dangers of an easily-guessable password but haven’t exactly come up with the best responses. One new entry in the list is passw0rd, which has to be an example of taking the smallest possible step towards security. Another new entry is 1qaz2wsx, a walk down two columns of a QWERTY keyboard, which presumably will disappoint those who thought they’d come up with something original.

As for cultural lessons, baseball has overtaken football as a password, while princess, solo and starwars have all popped up as new entries.