[citation][nom]synth0[/nom]Interesting... how does that company "SplashData" even get *all the passwords* to be ranked in the first place?[/citation]
Two ways.
1) Some major security breaches at stupid sites have resulted in entire password databases made public. You can simply parse them and sort according to frequency.
2) The smart sites store password hashes, not the passwords themselves. In this case, you simply run a bunch of dictionary words, common phrases, and common obfuscations (adding a digit, capitalizing certain letters, etc.) through the hash algorithm. Then you compare the resulting hashes to those in the password hash database. If there's a match, you know which password resulted in that hash.
The really smart sites also salt their passwords (add extra data to the password before hashing), so you can't simply run passwords through a commonly used hashing algorithm to get your hashes. You have to also know the salt used by the site.
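
The storage difference described in the post above, as an added example that is not part of the original post: with unsalted hashes, accounts that share a password share a stored value, so a leaked table shows which passwords are most common; with salting, every stored record is unique. The account list, the PBKDF2 work factor and the use of a random per-user salt (a step beyond the single site salt the post mentions) are assumptions of this example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data).
ACCOUNTS = [("alice", "password"), ("bob", "123456"),
            ("carol", "password"), ("dave", "Tr0ub4dor&3"),
            ("erin", "password")]

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def unsalted_record(password):
    """What a site storing plain SHA-256 hashes would keep."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Random per-user salt plus a slow KDF; returns (salt, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], key)


def largest_duplicate_group(stored_values):
    """Audit check: number of accounts sharing the most common stored value."""
    return Counter(stored_values).most_common(1)[0][1]


def audit():
    """Compare both storage schemes over the same constructed accounts."""
    unsalted = [unsalted_record(p) for _, p in ACCOUNTS]
    salted = [salted_record(p) for _, p in ACCOUNTS]
    return largest_duplicate_group(unsalted), largest_duplicate_group(salted)


if __name__ == "__main__":
    print(audit())
```

A duplicate group larger than 1 in a real credential table is a sign that the stored values are unsalted.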