Investigating the Distribution of Password Choices
The distribution of passwords chosen by users has implications for site security, password-handling algorithms and even how users are permitted to select passwords. Using password lists from four different web sites, the authors investigate whether Zipf's law is a good description of the frequency with which passwords are chosen. They use a number of standard statistics, which measure the security of password distributions, to see whether modelling the data using a simple distribution is effective. They then consider how much the password distributions from each site have in common, using password cracking as a metric. This shows that these distributions have enough high-frequency passwords in common to provide effective speed-ups for cracking passwords.
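The measurements described above can be sketched as follows; this is an added example, not code from the paper. The log-log least-squares fit, the choice of min-entropy and guesswork as the statistics, the function names and the two password lists are all assumptions made here, since the abstract names neither the fitting method nor the statistics.

```python
import math
from collections import Counter

# Constructed sample data (not from any real site). SITE_A counts are 12/rank,
# i.e. exactly Zipfian with exponent 1.
SITE_A = ["123456"] * 12 + ["password"] * 6 + ["qwerty"] * 4 + ["letmein"] * 3
SITE_B = ["123456"] * 5 + ["password"] * 3 + ["dragon"] * 2

def rank_counts(passwords):
    """Counts per distinct password, most common first (rank 1 first)."""
    return [c for _, c in Counter(passwords).most_common()]

def zipf_exponent(counts):
    """Estimate s in count ~ C / rank**s by least squares on the log-log plot.
    (Assumed fitting method; the paper's own method is not given on this page.)"""
    xs = [math.log(r) for r in range(1, len(counts) + 1)]
    ys = [math.log(c) for c in counts]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    return -sxy / sxx

def min_entropy(counts):
    """Bits of uncertainty about the single most likely password."""
    return -math.log2(max(counts) / sum(counts))

def guesswork(counts):
    """Expected number of guesses when trying passwords in rank order."""
    total = sum(counts)
    return sum(rank * c for rank, c in enumerate(counts, 1)) / total

def cross_site_coverage(source, target, k):
    """Fraction of target accounts whose password is among the k most common
    passwords of source, i.e. what a blocklist built from source would catch."""
    top = {pw for pw, _ in Counter(source).most_common(k)}
    return sum(1 for pw in target if pw in top) / len(target)

if __name__ == "__main__":
    counts = rank_counts(SITE_A)
    print("Zipf exponent:", round(zipf_exponent(counts), 3))
    print("min-entropy (bits):", round(min_entropy(counts), 3))
    print("guesswork:", guesswork(counts))
    print("coverage of B by top-2 of A:", cross_site_coverage(SITE_A, SITE_B, 2))
```

A high coverage value from a small k is the defender's signal that a short blocklist of common passwords, drawn from other sites' data, removes a large share of the weakest choices.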