In my last post I mentioned that few passwords contain uppercase letters. I also did some further study to see exactly how people use uppercase letters in passwords.

If you look at the character distribution chart below, uppercase letters make up a small part of the total characters used in the passwords I studied, as shown in the square (click on the chart for a larger view):


Below is a zoomed-in and rotated view of that section of the above chart (again, click for a larger version):


The interesting thing about this chart is that not only are uppercase letters relatively rare in passwords, but the majority of them appear in the first few character positions. In fact, 36% of all uppercase letters appear as the first character and 68% appear in the first three letters of a password. With that information you could certainly optimize a brute-force attack, potentially saving billions of permutations, by trying the most likely character positions first.

So the lesson here is that you need not only to use more uppercase letters, but also to use them throughout your password, not just to capitalize its first letter.
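
One way to take the same measurement on a password set you are auditing, and to flag passwords whose uppercase letters all sit in the leading positions (an added example, not the analysis code behind the charts above; the sample list and function names are constructed for illustration):

```python
from collections import Counter

# Constructed sample passwords for illustration only (not the data set studied above).
SAMPLE = ["Password1", "Summer2010", "monkey", "iLoveYou", "qwerty12",
          "DRAGON", "letMeIn99", "Football", "abc123", "trustNo1"]


def uppercase_positions(passwords):
    """Count uppercase letters by zero-based character position."""
    counts = Counter()
    for pw in passwords:
        for i, ch in enumerate(pw):
            if ch.isupper():
                counts[i] += 1
    return counts


def share_in_first(counts, n):
    """Fraction of all uppercase letters that fall in the first n positions."""
    total = sum(counts.values())
    if total == 0:
        return 0.0  # no uppercase letters at all in the set
    return sum(c for pos, c in counts.items() if pos < n) / total


def only_leading_uppercase(pw, n=3):
    """True if pw contains uppercase letters and every one is in the first n positions."""
    positions = [i for i, ch in enumerate(pw) if ch.isupper()]
    return bool(positions) and max(positions) < n


if __name__ == "__main__":
    counts = uppercase_positions(SAMPLE)
    print("uppercase letters by position:", dict(sorted(counts.items())))
    print("share in first position:     %.0f%%" % (100 * share_in_first(counts, 1)))
    print("share in first 3 positions:  %.0f%%" % (100 * share_in_first(counts, 3)))
    for pw in SAMPLE:
        if only_leading_uppercase(pw):
            print("uppercase only at the start:", pw)
```
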




