Each year since 2011, the security firm SplashData has released a list of the most commonly used passwords, based on caches of leaked account credentials. The annual list, intended as a reminder of humanity’s poor password practices, always includes predictable entries like “abc123,” “123456,” and “letmein.” But one entry, finishing in the top 20 every year, has stood out since the beginning: "dragon."

But why? Is it because of the popularity of the television adaptation of Game of Thrones, which premiered the same year as the popular passwords list? Is it because so many Dungeons & Dragons fans got their accounts pwned? Well, maybe, in part. But the most convincing explanation is simpler than you might think.

Chasing the Dragon

The "dragon" phenomenon does not appear to be a quirk of SplashData's password analysis methodology. The creature took the 10th spot last year on another top passwords list, this time created by WordPress platform WP Engine, using data compiled by security consultant Mark Burnett. Dragon doesn't show up on a 2016 list created by Keeper Security, but that one took into consideration accounts likely created by bots. And the top 100 passwords have stayed relatively stable through the years, largely ruling out a Game of Thrones spike.

"I believe in my book I even listed hundreds of passwords that contain the word 'dragon,'" says Burnett, whose Perfect Passwords came out in 2005. "People often base their passwords on something that's important to them; apparently dragons fall into that category. And between D&D, Skyrim, and Game of Thrones, dragons have played a big part in our culture."

'One of the things we've seen is that people tend to create passwords about stuff they like.' Lorrie Cranor, Carnegie Mellon University

The way researchers examine password data in the first place may also contribute to dragon's popularity. While tens of thousands of people likely really use it, the kind of password data that researchers have access to comes with some inherent biases. Academics can't call up a company and ask it to hand over customer passwords, so they instead largely rely on credentials that get hacked and leaked to the public.

That often means sites that have poor overall security—and weak password requirements. "The sites that have the most complicated password policies don't get leaked as often," says Lorrie Faith Cranor, a computer scientist at Carnegie Mellon University who has studied password creation in her lab for over eight years. "Dragon" might be disproportionately popular because hacked sites are less likely to require users to include, say, a number or special character in their password.

The type of site a password data set comes from can also skew results. WP Engine examined 5 million passwords believed to be associated with Gmail accounts, for example. The company looked at the associated email addresses and tried to estimate the gender and age of the people who created them. For example, "JohnDoe84@gmail.com" would be assumed to be a male born in 1984. Using this method, the researchers found that the dataset skewed both male and toward people born in the 1980s. That's likely because many of the credentials came from eHarmony and an adult content site.

You can imagine how, in a dataset like this, "dragon" theoretically might appear more often, given how relatively popular The Lord of the Rings, Dungeons & Dragons, and Game of Thrones are among men in their early-to-mid-30s.

Other kinds of password data bias can be more obvious. In 2014, for example, Burnett helped SplashData compile its annual common passwords list. When he first ran the numbers, he noticed that "lonen0" appeared incredibly high on the list, taking the seventh spot. That happened not because tens of thousands of people suddenly thought of the phrase, but because it was the default password for a Belgian company called EASYPAY GROUP, which had suffered a hack. Ten percent of users had simply failed to change the default password.

Cracking Up

Another reason that "dragon" appears so popular, along with other passwords like "123456," is that they're both incredibly easy to unmask. Companies often "hash" the credentials that they store, so in the event a hacker does obtain them, they're harder to access than they would be if they were just sitting out in plaintext. Hashed data is mathematically obscured to look like random strings of characters that humans can't parse. Some hashing schemes have weaknesses that allow hackers to crack them, but even if hackers can't expose every password, they can still run scripts to figure out the hashes for the most common ones. "They are using computer programs that are using the most popular passwords first," says Cranor.

People choose passwords like "dragon" for the same reason they use common names.

Despite potential biases, researchers like Cranor and Burnett take time to construct their databases as carefully as possible. At this point, so many websites have been breached that they have very robust datasets to analyze. Still, Burnett says, figuring out the "most commonly used" passwords across the web probably cannot be called a genuine science, due to biases and lack of controls.