What companies are referring to? was under the impression that when people generate list of common passwords it's based on the results of people cracking leaked encrypted password lists (or using dictionaries created from previously cracked lists). I could be wrong, but that's what I always assumed.
