Each year there are plenty of news stories about “the worst passwords”. Many of them derive from the list published by TeamsID (here, inexplicably puncuated by GIFs of celebrities making faces and gestures), which lists passwords like “123456” — once again ranked number one — and the ever-popular “password” (#2).

Most of them are pretty bad, right? “Donald” rose high on the list for the first time.

Each news story quotes some expert on internet security saying we should all be more careful when choosing our passwords. You risk certain doom, they assert, by choosing an easy-to-guess password. Evil hackers will immediately (probably five minutes ago!) gain access to all your secured data and ruin your lives. Weirdly, each story ends with the suggest to “use a password manager” — conveniently designed and sold by the very same companies that generated these lists in the first place.

My pushback against all this fearmongering is fairly straightforward: Hackers don’t get my passwords by guessing them. They get them by hacking the big companies who store my passwords. In 2013, Yahoo! gave up the names, email addresses, and passwords of 3 billion accounts, and their 2014 data breach affected 500 million accounts — and they didn’t announce it until 2016. In 2018, Marriott announced someone hacked them and got personal details from 500 million accounts — starting as early as 2014. Every eBay account (all 145 million of them) was breached in 2014. Target gave up data of more than 100 million customer accounts in 2013. And so on.

My point here is that it doesn’t matter how bad or good your personal password is. If I use 1234 but my wife uses J!xap(pax{../\374])tryonQ!!iz, both our passwords* are given up in the Target breach. Or the Yahoo! breach. Or the eBay hack. Next year it might be Amazon or Google or iTunes. Obviously if the password is for a sensitive corporate or government account, choose a difficult-to-guess password — NOT your anniversary or your daughter’s middle name, for example. But for my personal accounts, which literally no one is spending any time trying to hack, I could use my own damn name and no one is going to get it by trying to guess it. They’re going to get it because the big companies we trust with our passwords truly aren’t secure at all.

(* These are not our real passwords.)

Thus the worst thing about these “worst password” stories is that they trick people into thinking their information can be secured simply by thinking of more complex passwords.

At least one item in the advice portion of these stories is valid: use a different password for each account. This way, even if a hacker gets your password from some giant company’s data breach, they’ll only have your password for that particular account.

Also, it’s worth remembering that people can scam you without getting your password. Longtime readers will remember my experience in 2014, when someone tried to scam Amazon on my behalf. They did not have my password, but managed to chat with Amazon employees as if they were me, eventually obtaining a large refund. Fortunately, Amazon had in place a policy that protected both themselves and me, and with a few hours of wasted time I was able to set everything straight.