The Most Common Password Is “123456”—But Not (Entirely) Because Humans Are Dumb

Number 16 is “starwars.” Number 71 is “killer.” Number 72, as if in response to killer, is just “aaaaaa.” And half of the top 10 include “12345.”

If you haven’t caught on, these are just a few selections from the top 100 commonly used passwords (pdf), a complete list of which has been making the rounds—and getting mocked by media—for the past several years. According to one report, security firm SplashData compiled the most recent list by analyzing more than 5 million user records leaked online this year.

There’s just one problem: You shouldn’t believe this list. We’re not saying it’s fake, but it is, well, complicated.

To start: How many accounts with passwords do you have? If you do most of your shopping, banking, utility-paying, dating, taxi-calling, financial planning, game-playing, food-ordering, newspaper-reading, plane-ticket-buying, cloud-storing, and bitcoin-investing online, then you probably have dozens.

Thus 5 million passwords, in a world where 3.2 billion people are online (and presumably each have at least one), is but a tiny, tiny fraction of the billions of passwords flying around the internet. And those are only the billions of passwords belong to living, breathing people. For today, we also live in a world of bots.

Bots aren’t always bad—sometimes they’re simply services that require an account to perform a programmed function. (Quartz’s Marvin Prime, who is a bot, explained this in his seminal article, “The best Twitter bots of 2015.”) But there are also millions of bot accounts that have no personal data attached, because there is no person attached to them. Programmers often pick simple, easy-to-remember passwords for these bots, like 123456. Or number 23 on the list, “whatever.” Or number 44: “cheese.”

Databases and other computer-to-computer services often require passwords to access, too. Which is all to say that you can’t extrapolate anything from a list like this, based on data like these, without introducing a whole lot of cognitive bias into the equation. And cognitive bias has no place on an internet powered by machines, even ones with artificial intelligence.

Still, you can extrapolate one thing with near-certainty from a list of 5 million stolen passwords: Your online data will eventually be stolen. If you’re in the U.S., in fact, flip a coin. Heads, you were a victim of the Equifax breach. Tails, you will probably get tagged by the next similar event.

So, what to do?

Here are some password resolutions for 2018:

• Change your passwords.
• Don’t use the same password for different accounts.
• Choose strong passwords you’ll actually remember.
• Freeze your credit report, if you haven’t already.
• Turn on two-factor authentication for any service that offers it.

And finally: Accept that, among the dozens of accounts you hold online, some of them probably aren’t properly hashing and encrypting personally-identifying information. Accept that secure passwords are nearly useless, given the way most data breaches occur (through targeted phishing attempts and large-scale hacks of corporate databases). Accept that no one has really invented a better way to handle this problem.

Perhaps Dave Matthews, the jam band, college rock poet bard of the mid-90s, said it best: Eat, drink, and be merry. For tomorrow we die*.

*Get hacked.