When I read stories about the “most common passwords” or whatever, I always wonder how they got this information in the first place. Usually the pieces are laughers or a warning to people to have more “secure” passwords. The latest Yahoo! Mail breach suggests that the commonest password “base words” are things like “password” and “qwerty.”
But fancier passwords are actually not much better than non-fancy passwords. “checkmymail” is as safe as “Ch3cK!Mym41L” if they’re going to be stolen anyway. The most likely threat of breach isn’t from someone guessing your password; it’s from you writing it down, saving it in your browser, forgetting to log out on a public computer, or having someone steal your password wholesale from the company itself. If banks, email companies, and the federal government can’t keep information from leaking out, what’s the point in having a super-secure password?
When we think about risk, it usually turns out that the biggest risks are hidden or impossible to assess. You can take a lot of precautions to protect your password (Slate’s Farhad Manjoo has tips here), but in the long run, that risk is tiny compared to the risk of just having your password stolen one day. It’s like the weird-but-true factoid that you have a higher chance of dying by asteroid than by lightning. We can take precautions to protect ourselves from the small risks, but the big risks are often out of our control; you can’t get Yahoo! Mail (for which you pay nothing) to be more secure with your data.