Password Trivia: Character Sets
mb
I thought I would start sharing some of the statistics I have gathered over the last five years researching passwords. One area I found interesting was the use of character sets. I have long said that password length is the single most important factor in password security, but character diversity certainly does play an important role.
Nevertheless, too many organizations place too much emphasis on character diversity while still allowing people to select short passwords. It’s important to note that password length can compensate for character diversity, but character diversity cannot compensate for password length.
The only thing I don’t like about enforcing policies that require a certain number of character sets is that people tend to accommodate those policies in a predictable manner. Here I will cover some of the research I did analyzing 3,585,673 actual user passwords.
The first statistic is how many character sets people actually use in their passwords.

Looking at this chart you see that 68% of the passwords use only one character set and that 95% of the passwords use one or two character sets, yet only .05% of the passwords use four character sets.
The next step was to break this down by the number of character sets used, to see which character sets people chose in each case. For example, the chart below shows the breakdown of character types for passwords that consist of one character set.

It isn’t too surprising that 83% of single character set passwords are all lowercase. What is concerning, however, is that 15% of these passwords consist of all numbers.
Now look at the breakdown for passwords that contain two character sets:

What we see here is that when users add a second character set, they are most likely to add numbers. In fact, almost 44% of two character set passwords contain numbers compared to just 7% with uppercase. Note that still only 0.4% of the passwords use symbols.
Now if we consider three character sets, we have this:

At this point, we see that most passwords with three character sets are made up of uppercase and lowercase letters and numbers. Still only 1% of these passwords make use of symbols.
When we require 4 character sets, we obviously get an even split of all 4 character groups.
Now if we put all these numbers together, including the totals for all passwords, we get this chart:

This chart might look a little confusing at first, but there are some interesting facts we can learn from this:
- Most passwords are made up of lowercase letters
- When 2 character sets are required, the usage of numbers goes up significantly, while the use of uppercase letters only increases slightly
- Only a small percentage of passwords use uppercase letters
- An even smaller percentage of passwords use symbols
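The tally behind these charts can be reproduced on any password list during a policy audit. The sketch below is an added example, not the code used for the research in this post. It assumes four classes (lowercase, uppercase, digits, and everything else as symbols) and assumes the per-count breakdown is each class's share of all class memberships, which is what makes four-set passwords split evenly. The sample list is constructed.

```python
from collections import Counter, defaultdict
import string

CLASSES = ("lower", "upper", "digit", "symbol")

def charsets(password):
    """Return the set of character classes present in one password."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("symbol")  # assumption: anything else counts as a symbol
    return found

def analyze(passwords):
    """Tally passwords by number of classes, and class share within each count."""
    by_count = Counter()            # number of classes -> number of passwords
    members = defaultdict(Counter)  # number of classes -> class -> occurrences
    for pw in passwords:
        sets = charsets(pw)
        if not sets:
            continue  # skip empty entries
        by_count[len(sets)] += 1
        members[len(sets)].update(sets)
    total = sum(by_count.values())
    dist = {n: 100 * c / total for n, c in sorted(by_count.items())}
    share = {n: {k: 100 * members[n][k] / sum(members[n].values())
                 for k in CLASSES} for n in sorted(members)}
    return dist, share

# Constructed sample, not taken from the data set analyzed in this post.
SAMPLE = ["monkey", "letmein", "dragon", "sunshine", "123456", "password1",
          "abc123", "Summer", "Summer07", "Tr0ub4dor&"]

if __name__ == "__main__":
    dist, share = analyze(SAMPLE)
    for n, pct in dist.items():
        print(f"{n} set(s): {pct:.0f}% of passwords")
        for k in CLASSES:
            print(f"    {k:<6} {share[n][k]:5.1f}%")
```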




December 28th, 2006 at 7:49 pm
[...] In my last post I mentioned that few passwords contain uppercase letters. I also did some further study to see exactly how people use uppercase letters in passwords. [...]