Except ...
A good password has a very high chance of being unique, because a good password is selected randomly from a very large space of possible passwords. If you pick your password at random from a trillion possibilities*, then the odds that a particular person who did the same also picked your password are one in a trillion, the odds that one of a million other such people picked your password are about one in a million, as are the odds that any particular two people picked the same password. If a million people used the same scheme as you did, there's a good chance that some pair of them accidentally share a password, but almost certainly almost all of those passwords are unique.
If you count up the most popular passwords in this idealized scenario of everyone picking a random password out of a trillion possibilities, you'll get a fairly tedious list:
- 1: some string of random gibberish, shared by two people
- 2 - 999,999: Other strings of random gibberish, 999,998 in all
Now suppose that seven people didn't get the memo. Four of them choose 123456 and three of them choose password. The list now looks like
- 1: 123456, shared by four people
- 2: password, shared by three people
- 3: some string of random gibberish, shared by two people
- 4-999,994: Other strings of random gibberish, 999,991 in all
Those seven people are pretty likely to have their passwords hacked, but overall password hygiene is still quite good -- 99.9993% of people picked a good password. It's certainly better than if 499,999 people picked 123456 and 499,998 picked password, two happened to pick the same strong password and the other person picked a different strong password, even though the resulting rankings are the same as above.
Likewise, if you see a list of 20 worst passwords taken from 5 million leaked passwords, that could mean anything from a few hundred people having picked bad passwords to everyone having done so. It would be more interesting to report how many people picked popular passwords as opposed to unique ones, but that doesn't seem to make its way into the "wow, everyone's still picking bad passwords" stories.
From what I was able to dig up, that portion is probably around 10%. Not great, but not horrible, and probably less than it was ten years ago. But as long as some people are picking bad passwords, the lists will stay around and the headlines will be the same, regardless of whether most people are doing a better job.
(I would have provided a link for that 10%, but the site I found it on had a bunch of broken links and didn't seem to have a nice tabular summary of bad passwords vs other passwords from year to year, so I didn't bother)
*A password space of a trillion possibilities is actually pretty small. Cracking passwords is roughly the same problem as the hash-based proof-of-work that cyrptocurrencies use. Bitcoin is currently doing around 100 million trillion hashes per second, or a trillion trillion hashes every two or three hours. The Bitcoin network isn't trying to break your password, but it'll do for estimating purposes. If you have around 100 bits of entropy, for example if you choose a random sequence of fifteen capital and lowercase letters, digits and 30 special characters, it would take a password-cracking network comparable to the Bitcoin network around 400 years to guess your password. That's probably good enough. By that time, password cracking will probably have advanced far beyond where we are and, who knows, maybe we'll have stopped using passwords by then.
*A password space of a trillion possibilities is actually pretty small. Cracking passwords is roughly the same problem as the hash-based proof-of-work that cyrptocurrencies use. Bitcoin is currently doing around 100 million trillion hashes per second, or a trillion trillion hashes every two or three hours. The Bitcoin network isn't trying to break your password, but it'll do for estimating purposes. If you have around 100 bits of entropy, for example if you choose a random sequence of fifteen capital and lowercase letters, digits and 30 special characters, it would take a password-cracking network comparable to the Bitcoin network around 400 years to guess your password. That's probably good enough. By that time, password cracking will probably have advanced far beyond where we are and, who knows, maybe we'll have stopped using passwords by then.