## Findings

- The average password ranges from 7-9 characters in length.
- The average English word is 5 characters long.
- The average person knows between 50,000 and 150,000 words.
- There is a 50% chance a user's password will contain one or more vowels.
- Women prefer personal names in their passwords, and men prefer hobbies.
- Most likely to be used symbols: ~, !, @, #, $, %, &, *, and ?
- If a number, it's usually a 1 or 2, sequential, and will likely be at the end.
- If more than one number, it will usually be sequential or personally relevant.
- If a capital letter, it's usually at the beginning, followed by a vowel.
- 66% of people only use 1-3 passwords for all online accounts.
- One in nine people have a password based on the common Top 500 list.
- Western countries use lowercase passwords and Eastern countries prefer digits.

## US/EU/CA Password trend analysis

Password length distribution based on a large corpus of English website dumps:

| Length | Share |
|--------|-------|
| 7 | 15% |
| 8 | 27% |
| 9 | 15% |
| 10 | 12% |
| 11 | 4.8% |
| 12 | 4.9% |
| 13 | .6% |
| 14 | .3% |

Character frequency analysis of a large corpus of English texts:

etaoinshrdlcumwfgypbvkjxqz

Character frequency analysis of a large corpus of English password dumps:

aeionrlstmcdyhubkgpjvfwzxq

Top Western password masks out of a large corpus of English website dumps:

| Mask | Description |
|------|-------------|
| ?l?l?l?l?l?l | 6-Lowercase |
| ?l?l?l?l?l?l?l | 7-Lowercase |
| ?l?l?l?l?l?l?l?l | 8-Lowercase |
| ?d?d?d?d?d?d | 6-Digits |
| ?l?l?l?l?l?l?l?l?l?l?l?l | 12-Lowercase |
| ?l?l?l?l?l?l?l?l?l | 9-Lowercase |
| ?l?l?l?l?l?l?l?l?l?l | 10-Lowercase |
| ?l?l?l?l?l | 5-Lowercase |
| ?l?l?l?l?l?l?d?d?l?l?l?l | 6-Lowercase + 2-Digits + 4-Lowercase |
| ?d?d?d?d?d?d?d?d?l?l?l?l | 8-Digits + 4-Lowercase |
| ?l?l?l?l?l?d?d | 5-Lowercase + 2-Digits |
| ?d?d?d?d?d?d?d?d | 8-Digits |
| ?l?l?l?l?l?l?d?d | 6-Lowercase + 2-Digits |
| ?l?l?l?l?l?l?l?l?d?d | 8-Lowercase + 2-Digits |

## CN Password trend analysis

Password length distribution based on a large corpus of Chinese website dumps:

| Length | Share |
|--------|-------|
| 7 | 21% |
| 8 | 22% |
| 9 | 12% |
| 10 | 12% |
| 11 | 4.2% |
| 12 | .9% |
| 13 | .5% |
| 14 | .5% |

Character frequency analysis of a large corpus of Chinese texts:

aineohglwuyszxqcdjmbtfrkpv

Character frequency analysis of a large corpus of Chinese password dumps:

inauhegoyszdjmxwqbctlpfrkv

Top Eastern password masks out of a large corpus of Chinese website dumps:

| Mask | Description |
|------|-------------|
| ?d?d?d?d?d?d?d?d | 8-Digits |
| ?d?d?d?d?d?d | 6-Digits |
| ?d?d?d?d?d?d?d | 7-Digits |
| ?d?d?d?d?d?d?d?d?d | 9-Digits |
| ?d?d?d?d?d?d?d?d?d?d | 10-Digits |
| ?l?l?l?l?l?l?l?l | 8-Lowercase |
| ?d?d?d?d?d?d?d?d?d?d?d | 11-Digits |
| ?l?l?l?l?l?l | 6-Lowercase |
| ?l?l?l?l?l?l?l?l?l | 9-Lowercase |
| ?l?l?l?l?l?l?l | 7-Lowercase |
| ?l?l?l?d?d?d?d?d?d | 3-Lowercase + 6-Digits |
| ?l?l?d?d?d?d?d?d | 2-Lowercase + 6-Digits |
| ?l?l?l?l?l?l?l?l?l?l | 10-Lowercase |
| ?d?d?d?d?d?d?d?d?d?d?d?d | 12-Digits |

## 20-60-20 Rule

The 20-60-20 rule is a way to view the level of difficulty typically demonstrated by a large password dump. Its characteristics generally approximate a Gaussian curve, mirroring the level of effort needed to recover the dump.

#### 20% of passwords are easily guessed dictionary words or known common passwords.

##### 60% of passwords are moderate to slight variations of the earlier 20%.

###### 20% of passwords are hard, lengthy, complex, or of unique characteristics.

## Examples

![[goodtable.png]]

![[goodtips.png]]

*This list of passwords is from the hashcrack v2 book and can also be found online at: https://github.com/netmux/HASH-CRACK*

[[Home]]
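
The mask lists above can double as a password-policy check at set or change time. The following is an added example, not code from the hashcrack book or this page: it derives the hashcat-style mask of a candidate password and reports whether that shape is one of the top Western or Eastern masks listed above. The function names, the compact `l6 d2` spelling and the sample passwords are constructed for illustration; `?u`, `?s` and `?b` are hashcat's uppercase, symbol and raw-byte classes.

```python
import string
from collections import Counter

def expand(spec):
    """'l6 d2' -> '?l?l?l?l?l?l?d?d' (compact spelling of a mask from this page)."""
    return "".join(("?" + part[0]) * int(part[1:]) for part in spec.split())

# The top-mask lists from this page, kept in the page's order.
TOP_MASKS = {
    "western": {expand(s) for s in (
        "l6", "l7", "l8", "d6", "l12", "l9", "l10", "l5",
        "l6 d2 l4", "d8 l4", "l5 d2", "d8", "l6 d2", "l8 d2")},
    "eastern": {expand(s) for s in (
        "d8", "d6", "d7", "d9", "d10", "l8", "d11", "l6", "l9", "l7",
        "l3 d6", "l2 d6", "l10", "d12")},
}

def to_mask(password):
    """Derive the hashcat-style mask of a password, one token per UTF-8 byte."""
    mask = []
    for byte in password.encode("utf-8"):
        ch = chr(byte)
        if ch in string.ascii_lowercase:
            mask.append("?l")
        elif ch in string.ascii_uppercase:
            mask.append("?u")
        elif ch in string.digits:
            mask.append("?d")
        elif ch in string.punctuation + " ":
            mask.append("?s")
        else:
            mask.append("?b")  # non-ASCII or control byte
    return "".join(mask)

def common_shape(password):
    """Regions whose top-mask list contains this password's shape (empty = none)."""
    return sorted(r for r, masks in TOP_MASKS.items() if to_mask(password) in masks)

def audit(passwords):
    """Mask histogram and the fraction of entries that fit any top mask."""
    hist = Counter(to_mask(p) for p in passwords)
    weak = sum(n for m, n in hist.items() if any(m in s for s in TOP_MASKS.values()))
    return hist, (weak / len(passwords) if passwords else 0.0)

# Constructed sample candidates, not taken from any dump.
SAMPLE = ["monkey", "sunshine12", "19870412", "Tr0ub4dor&3", "correct horse battery"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:26} {to_mask(pw):44} {common_shape(pw) or 'not in top masks'}")
    print("share matching a top mask:", audit(SAMPLE)[1])
```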