http://arstechnica.com/security/2015/01/yes-123456-is-the-most-common-password-but-heres-why-thats-misleading/
By Mark Burnett
Ars Technica
Jan 22, 2015
I recently worked with SplashData to compile its 2014 Worst Passwords
List, and yes, 123456 tops the list. In the data set of 3.3 million
passwords I used for SplashData, almost 20,000 of those were in fact
123456. But how often do you genuinely see people using that, or the
second most common password, "password", in real life? Are people still
really that careless with their passwords?
While 123456 is absolutely the most common password, that statistic is a
bit misleading. Although 0.6 percent of all users on my list used it, it’s
important to remember that 99.4 percent of the users on my list didn’t.
What is noteworthy here is that while the top passwords are still the top
passwords, the number of people using those passwords has dramatically
decreased. In 2011, my analysis showed that 8.5 percent had the passwords
password or 123456, but this year that number has gone down to less than
one percent. This is huge.
The fact is that the top passwords are always going to be the top
passwords; it’s just that the percentage of users actually using those
will—at least we hope—continually get smaller. This year, for example, a
hacker using the top 10 password list would statistically be able to guess
16 out of 1,000 passwords.
Getting a true picture of user passwords is surprisingly difficult. Even
though "password" is #2 on the list, I don’t know if I have seen someone
actually use that password for years. Part of the problem is how we
collect and analyze password data. Because we typically can’t just go to
some company and ask for all their user passwords, we have to go with the
data that is available to us. And that data has problems.
[...]
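The arithmetic behind the "16 out of 1,000" figure, and the same numbers read from the defender's side as the size a password blocklist needs to reach a given coverage. This is an added example, not part of Burnett's article; the password counts below are constructed (100,000 accounts), not his 3.3 million-entry data set.

```python
from collections import Counter

# Constructed sample, NOT Burnett's data: a short head of common passwords
# (0.6% use the top one, 1.6% use one of the top ten) and a long tail of
# passwords that each appear exactly once.
HEAD = {"123456": 600, "password": 400}
HEAD.update({p: 75 for p in ["12345", "12345678", "qwerty", "123456789",
                             "1234", "baseball", "dragon", "football"]})
TAIL = {f"tail-{i}": 1 for i in range(100_000 - sum(HEAD.values()))}
SAMPLE = Counter({**HEAD, **TAIL})


def top_k_coverage(counts: Counter, k: int) -> float:
    """Share of accounts covered by trying each of the k most common
    passwords once (the statistic behind 'guess 16 out of 1,000')."""
    total = sum(counts.values())
    return sum(n for _, n in counts.most_common(k)) / total


def guesses_per_thousand(counts: Counter, k: int) -> int:
    """Expected successful guesses per 1,000 accounts with a top-k list."""
    return round(1000 * top_k_coverage(counts, k))


def blocklist_size_for(counts: Counter, target: float) -> int:
    """Smallest k such that banning the k most common passwords would have
    covered at least `target` (a fraction) of the accounts in the sample."""
    total = sum(counts.values())
    covered = 0
    for k, (_, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered / total >= target:
            return k
    return len(counts)


if __name__ == "__main__":
    print(f"top-1 share:  {top_k_coverage(SAMPLE, 1):.1%}")
    print(f"top-10 list:  {guesses_per_thousand(SAMPLE, 10)} hits per 1,000")
    for target in (0.01, 0.016, 0.99):
        print(f"blocklist for {target:.1%} coverage: "
              f"{blocklist_size_for(SAMPLE, target)} entries")
```

The last loop shows the point of the long tail: a ten-entry blocklist removes the 1.6% head, but covering 99% of this sample requires banning tens of thousands of passwords, which is why a blocklist is a floor, not a substitute for length or rate limiting.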