The Unexpected Word That Shows Up on Every Hacked-Password List

iStock
iStock | iStock

Every year, security-focused companies like SplashData release lists of the year's most hacked passwords, inevitably prompting us to ask, "Why would you make your password password?" In 2017, the most popular passwords list included longtime mainstays like 123456, qwerty, and, of course, password.

We get it, people aren't creative when they're coming up with their thousandth password. But WIRED (warning: paywall ahead) alerts us to one mainstay password that stands out from the pack, one that appears regularly on hacked password lists but has none of the obvious origins of passwords like hello or login. People love to make their password—drum roll, please—dragon.

WIRED investigated just why so many internet users use dragon to unlock their accounts, taking the question to password experts and security researchers.

Part of the reason, the magazine found, might just be related to the biases of these lists. They pull from leaked data from hacked sites, a dataset that doesn't always represent everyone on the internet. Depending on the user base of those hacked sites, the passwords also might represent specific groups (say, young dudes) who have more of a tendency to shout their love of fantastical winged reptiles from the rooftops.

The sites that get hacked and have their password data leaked to the world may not have had great security controls in the first place, either. Users might not have had to come up with extra numbers and special characters when generating a password. And the single-word dragon isn't as difficult for hackers to decode as some other passwords, so it's liable to be leaked. According to Keeper Security, many hackers can break a seven-digit password made up of upper- and lower-case letters and numbers in 10 seconds. Since dragon has already proved itself to be so popular, a hacker will probably go ahead and test that one out early.

Several people told WIRED they have used dragon as a password for years, just because, you know, they liked dragons. If you're a fan of Dungeons and Dragons, Harry Potter, Lord of the Rings, Game of Thrones, or, maybe even How to Train Your Dragon, dragon might be a super simple password to remember. And, because most people don't change their passwords as often as they should, you probably use it over and over again.

A similar reason might explain why words like football, monkey, and starwars often appear on these lists [PDF] year after year as well. People love football, monkeys, and Star Wars. Unfortunately, so do hackers.

Read the full rundown of why people love dragon—and why it's not a great way to protect the pile of gold that is your online data—here. As always, we will leave you with this reminder: Get a password manager. You don't want to end up as an embarrassing statistic on a password-shaming list.