
So I do think these meters could help, by encouraging stronger password decisions through direct feedback. For the rest, I'd wager a large percentage are still predictable enough to be susceptible to a modest online attack.

These are only the really easy-to-guess passwords. The methodology and its bias are an important qualifier: for example, since these passwords mostly come from cracked hashes, the list is biased towards crackable passwords to begin with. Burnett ran a more recent study last year, looking at 6 million passwords, and found an insane 99.8% occur in the top 10,000 list, with 91% in the top 1,000. These passwords include some real stumpers: password1, compaq, 7777777, merlin, rosebud. According to Mark Burnett's 2006 book, Perfect Passwords: Selection, Protection, Authentication, which counted frequencies from a few million passwords over a variety of leaks, one in nine people had a password in this top 500 list. I'm convinced these meters have the potential to help. Preventing offline cracking means selecting a suitably slow hash function with user-unique salts.
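To make the two defensive points above concrete (rejecting anything on a top-N list so a modest online attack fails, and storing what survives with a slow, per-user-salted hash so a leaked database is not trivially crackable), here is an added example that is not code from the original post. It assumes PBKDF2-HMAC-SHA256 from Python's standard `hashlib` as the slow hash (the post does not name one; bcrypt, scrypt or Argon2 would serve equally), and the blocklist is a constructed ten-entry stand-in for the full top-10,000 list the post cites.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a top-N leaked-password list. A real deployment would
# load the complete list (e.g. Burnett's top 10,000) from a file at startup.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "compaq", "7777777",
    "merlin", "rosebud", "qwerty", "letmein", "abc123",
})

# Assumption: iteration count tuned so one hash costs roughly 100 ms on the
# server; raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def is_common(password: str) -> bool:
    """True if the candidate (case-insensitively) appears in the top-N list."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a stored record 'pbkdf2_sha256$iter$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different hashes, so an attacker cannot crack them all with one table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def register(password: str) -> Optional[str]:
    """Return the stored hash record, or None if the password is on the blocklist."""
    if is_common(password):
        return None
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ("password1", "correct horse battery staple"):
        record = register(candidate)
        print(f"{candidate!r}: {'rejected (too common)' if record is None else record}")
```

The blocklist check is what a strength meter should be doing first: no amount of length or character-class scoring rescues `password1`. The salted slow hash is the back-stop for the passwords that do get through, since the post's own numbers show most of them are still predictable.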

