The most common password is "123456", surely this can't be true?

4 points | jblox | 2 years ago | gopasswordless.dev

4 comments

Dalewyn|2 years ago

My password security comes down to this basic rule:

If mission-critical service (e.g. banking), then unique password jotted down somewhere.

Else, then same password I use everywhere.

I find the value of passwords are two extremes (very valuable or very whatever), and password managers (other than ones built into browsers and stored locally) are an unnecessary complexity in my already busy life.

jblox|2 years ago

From what I can tell, most apps I use now at least enforce some kind of minimum password requirements, e.g. must be so many characters long, have special characters etc.

I guess the data used for this comes from security breaches, so maybe there's a bias in the data towards less secure apps that don't enforce strong passwords.

unnamed76ri|2 years ago

I struggle to understand why companies force employees to change their password every few months.

There’s no evidence that my current password was compromised…so let’s change it to something else.

NetworkPerson|2 years ago

I mean… I use 123321 in a number of places for “pointless” accounts that realistically have 0 blowback if ever compromised. In that sense, these short generic passwords being popular makes sense. If I have to take 90 seconds to make a new account for downloading ROMs, meh.

Now anything else that’s a bit more important gets a unique random password in the realm of 20 - 50 characters based on the service and what they allow (it’s sad how many still exist which force a max of 8 characters or don’t allow symbols).