Why is “password” such a popular password…

… and why wasn’t it popular at LinkedIn?

Studies of databases cracked from various sites over the years have consistently shown the word “password” to be prominent among the world’s most common passwords, usually in the number 1 spot.

Yet in the recently lifted LinkedIn database the most common password appears to have been “link”, with “password” apparently appearing nowhere in the top 25.


Once upon a time—over 20 years ago—a friend told me she’d had a great idea. She should set her Unix system password to “password”. Nobody would ever guess it. It would be hiding in plain sight.

I didn’t think it was a good idea, but I do remember thinking it was a novel one. I don’t know how serious she was. Certainly not serious enough to have actually done it: even then we were aware that “password” was a bad password because it was a word and words will be guessed sooner or later.

Since then “password” has repeatedly come up as a common real choice for passwords.

Why so popular?

  • Does everyone have the same great idea as my friend did?
  • Are they wildly casting around for anything they can type in the field, and “password” just happens to be the word sitting next to it?
  • Are they choosing it deliberately in order to maximise their chance of remembering it next time?
  • Is there some cultural thing I’ve missed, maybe a film in which “password” is shown as someone’s password that seeded all the subsequent uses?

I suppose another possibility is that it’s the default password set by some admin tool. I can’t remember ever seeing an admin tool that did that myself, though, and I’ve seen a few.


Some years later, a colleague handed me a laptop to use for a demo.

“The user name and password are on a Post-It note on the screen”, he said. “So you mustn’t lose it, or we’ll be stuffed.”

I opened the laptop and there was the Post-It note.

“Username: admin”, it said. “Password: password”.


But why doesn’t it appear in the top 25 passwords from the LinkedIn database?

Is the analysis wrong?

I’d like to think that LinkedIn had measures in place to prevent people from setting such simplistic passwords, but, um, most of the other popular choices are equally simplistic.

And a company that loses 6.5m hashed-but-not-salted passwords probably isn’t doing much else for password security.

Besides, “password” does appear in the database, by all accounts. (I haven’t seen the SHA-1 database myself.) It just wasn’t among the popular ones in that particular analysis.
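As an added illustration (not code from the post), this shows why an unsalted SHA-1 dump lets an analyst rank passwords by popularity simply by counting identical hashes, and why a per-user salt removes that signal; the password list is constructed, not LinkedIn data.

```python
import hashlib
import os
from collections import Counter

# Constructed sample standing in for a leaked password table (not real data).
# "link" is deliberately the most frequent, mirroring the analysis the post cites.
SAMPLE_PASSWORDS = ["link", "password", "123456", "link",
                    "password", "link", "qwerty", "link"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_dump(passwords):
    """Store SHA-1 of the bare password: identical passwords give identical hashes."""
    return [sha1_hex(pw.encode()) for pw in passwords]


def salted_dump(passwords):
    """Store (salt, SHA-1(salt || password)) with a fresh random salt per user."""
    rows = []
    for pw in passwords:
        salt = os.urandom(16)
        rows.append((salt.hex(), sha1_hex(salt + pw.encode())))
    return rows


def hash_frequencies(hashes, n=3):
    """Frequency analysis: the n most common hash values and their counts."""
    return Counter(hashes).most_common(n)


def is_candidate(digest, candidate):
    """Does an unsalted digest equal the hash of a candidate word?"""
    return digest == sha1_hex(candidate.encode())


if __name__ == "__main__":
    top = hash_frequencies(unsalted_dump(SAMPLE_PASSWORDS))
    print("unsalted: top hash seen", top[0][1], "times; is it 'link'?",
          is_candidate(top[0][0], "link"))
    salted_top = hash_frequencies([h for _, h in salted_dump(SAMPLE_PASSWORDS)])
    print("salted: most common hash seen", salted_top[0][1], "time(s)")
```

With salting every hash is unique, so a dump reveals nothing about which passwords are popular until each user's entry is attacked individually.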