Each year since 2011, the security firm SplashData has released a list of the most commonly used passwords, based on caches of leaked account credentials. The annual list, intended as a reminder of humanity’s poor password practices, always includes predictable entries like “abc123,” “123456,” and “letmein.” But one entry, finishing in the top 20 every year, has stood out since the beginning: “dragon.”
But why? Is it because of the popularity of the television adaptation of Game of Thrones, which first premiered the same year as the popular passwords list? Is it because so many Dungeons & Dragons fans got their accounts pwned? Well, maybe, in part. But the most convincing explanation is simpler than you might think.
Chasing the Dragon
The “dragon” phenomenon does not appear to be a quirk of SplashData’s password analysis methodology. The creature took the 10th spot last year on another top passwords list, this time created by WordPress platform WP Engine, using data compiled by security consultant Mark Burnett. Dragon doesn’t show up on a 2016 list created by Keeper Security, but that one took into consideration accounts likely created by bots. And the top 100 passwords have stayed relatively stable through the years, largely ruling out a Game of Thrones spike.
“I believe in my book I even listed hundreds of passwords that contain the word ‘dragon,’” says Burnett, whose Perfect Passwords came out in 2005. “People often base their passwords on something that’s important to them; apparently dragons fall into that category. And between D&D, Skyrim, and Game of Thrones, dragons have played a big part in our culture.”
The way researchers examine password data in the first place may also contribute to dragon’s popularity. While tens of thousands of people likely really use it, the kind of password data that researchers have access to comes with some inherent biases. Academics can’t call up a company and ask it to hand over customer passwords, so they instead largely rely on credentials that get hacked and leaked to the public.
That often means sites that have poor overall security—and weak password requirements. “The sites that have the most complicated password policies don’t get leaked as often,” says Lorrie Faith Cranor, a computer scientist at Carnegie Mellon University who has studied password creation in her lab for over eight years. “Dragon” might be disproportionately popular because hacked sites are less likely to require users to include, say, a number or special character in their password.
The type of site a password data set comes from can also skew results. WP Engine examined 5 million passwords believed to be associated with Gmail accounts, for example. The company looked at the associated email addresses and tried to estimate the gender and age of the people who created them. For example, “[email protected]” would be assumed to belong to a male born in 1984. Using this method, the researchers found that the dataset skewed both male and toward people born in the 1980s. That’s likely because many of the credentials came from eHarmony and an adult content site.
You can imagine how, in a dataset like this, “dragon” theoretically might appear more often, given how relatively popular The Lord of the Rings, Dungeons & Dragons, and Game of Thrones are among men in their early-to-mid-30s.
Other kinds of password data bias can be more obvious. In 2014 for example, Burnett helped SplashData compile its annual common passwords list. When he first ran the numbers, he noticed that “lonen0” appeared incredibly high on the list, taking the seventh spot. That happened not because tens of thousands of people suddenly thought of the phrase, but because it was the default password for a Belgian company called EASYPAY GROUP, which had suffered a hack. Ten percent of users had simply failed to change the default password.
Another reason that “dragon” appears so popular, along with other passwords like “123456,” is that they’re both incredibly easy to unmask. Companies often “hash” the credentials that they store, so that in the event a hacker does access them, they’re harder to access than they would be if they were just sitting out in plaintext. Hashed data is mathematically obscured to look like random strings of characters that humans can’t parse. Some hashing schemes have weaknesses that allow hackers to crack them, but even if hackers can’t expose every password, they can still run scripts to figure out the hashes for the most common passwords. “They are using computer programs that are using the most popular passwords first,” says Cranor.
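The effect described above, as an added illustration that is not part of the original article: a defender's audit of a credential store, using a constructed five-entry common-password list and made-up accounts (all names here are assumptions). It shows why only the common passwords surface from an unsalted store, and how per-user salts with PBKDF2 force every guess to be recomputed for every account.

```python
import hashlib, hmac, os
from collections import Counter

# Constructed sample data: the common-password list and accounts are made up.
COMMON = ["123456", "dragon", "letmein", "abc123", "monkey"]
ACCOUNTS = {"u1": "dragon", "u2": "dragon", "u3": "123456",
            "u4": "T7#qvLz!90pm", "u5": "wintry-Canal-58-ox"}

def unsalted(pw):
    """Fast, unsalted hash: identical passwords give identical hashes."""
    return hashlib.sha256(pw.encode()).hexdigest()

def salted(pw, salt, rounds=10_000):
    """PBKDF2 with a per-user salt (round count kept low so the example runs fast)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()

def build_stores():
    weak = {u: unsalted(p) for u, p in ACCOUNTS.items()}
    strong = {}
    for u, p in ACCOUNTS.items():
        salt = os.urandom(16)
        strong[u] = (salt, salted(p, salt))
    return weak, strong

def audit_unsalted(store):
    """One precomputed table of common-password hashes covers every account."""
    table = {unsalted(p): p for p in COMMON}
    return {user: table[h] for user, h in store.items() if h in table}

def audit_salted(store):
    """Each guess must be re-hashed per account with that account's salt."""
    found, work = {}, 0
    for user, (salt, h) in store.items():
        for guess in COMMON:
            work += 1
            if hmac.compare_digest(salted(guess, salt), h):
                found[user] = guess
                break
    return found, work

def recovered_ranking(found):
    """The 'most popular' list as seen from the unmasked passwords only."""
    return Counter(found.values()).most_common()

if __name__ == "__main__":
    weak, strong = build_stores()
    print(recovered_ranking(audit_unsalted(weak)))
    print(audit_salted(strong))
```

The two uncommon passwords never appear in the recovered ranking, which is the sampling bias the researchers describe.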
Despite potential biases, careful researchers like Cranor and Burnett take time to construct their databases as carefully as possible. At this point, so many websites have been breached that they also have very robust datasets to analyze. Still, Burnett says, figuring out the “most commonly used” passwords across the web probably cannot be called a genuine science, due to biases and lack of controls.
Cranor’s research has shown that people choose passwords like “dragon” for the same reason they use common names, like Michael and Jennifer, or beloved activities, like baseball. “One of the things we’ve seen is that people tend to create passwords about stuff they like,” says Cranor. “‘iloveyou’ is one of the most common passwords, in every language.”
In her research, Cranor also wondered why so many people gravitate specifically toward animals and mythical creatures in creating passwords—particularly “monkey,” which like dragon, always ranks highly. During one study she conducted, Cranor actually asked participants who chose the primate to explain why they picked it.
“Basically people said they like monkeys, monkeys are cute,” says Cranor. “Some people said they had a pet named monkey, they had a friend whose nickname was monkey, it was all very positive.”
It turns out many people have chosen dragon for similar reasons. “I started with ‘dragon’ back in the early 90s, and it morphed over time,” one person who uses that password explained to WIRED. “The inspiration for it was a mixture of having played Dungeons & Dragons for 10 years at the time and having just installed Legend of the Red Dragon.” (They have been granted anonymity for obvious, password-related reasons.)
“Passwords, I was told, were supposed to make it hard for other people to get into your accounts, and dragons are big and scary and less common in real life than, like, bears,” another “dragon” user said. “Admittedly I was mostly using very nerdy forums and games and stuff.”
Sometimes, though, the reason you choose “dragon” as your password is just because you’re young, and dragons are, well, really cool. As one “dragon”-user put it: “I was 13 at the time.”