Each year since 2011, the security firm SplashData has released a list[1] of the most commonly used passwords, based on caches of leaked account credentials. The annual list, intended as a reminder of humanity’s poor password practices, always includes predictable entries like “abc123,” “123456,” and “letmein.” But one entry, finishing in the top 20 every year, has stood out since the beginning: "dragon."
But why? Is it because of the popularity of the television adaption of Game of Thrones, which first premiered the same year as the popular passwords list? Is it because so many Dungeons & Dragons fans got their accounts pwned? Well, maybe, in part. But the most convincing explanation is simpler than you might think.
Chasing the Dragon
The "dragon" phenomenon does not appear to be a quirk of SplashData's password analysis methodology. The creature took the 10th spot last year on another top passwords list[2], this time created by WordPress platform WP Engine, using data compiled by security consultant Mark Burnett. Dragon doesn't show up on a 2016 list created by Keeper Security[3], but that one took into consideration accounts likely created by bots. And the top 100 passwords have stayed relatively stable through the years, largely ruling out a Game of Thrones spike.
"I believe in my book I even listed hundreds of passwords that contain the word 'dragon,'" says Burnett, whose Perfect Passwords came out in 2005. "People often base their passwords on something that's important to them; apparently dragons fall into that category. And between D&D, Skyrim, and Game of Thrones, dragons have played a big part in our culture."
'One of the things we've seen is