Mark Burnett's extensive password collection (which he acknowledges is skewed, because it's largely based on cracked passwords, he only harvests passwords between 3 and 30 chars, etc.). Here's how some of his stats shake out:
* Although my list contains about 6 million username/password combos, the list only contains about 1,300,000 unique passwords.
* Of those, approximately 300,000 of those passwords are used by more than one person; about 1,000,000 only appear once (and a good portion of those are obviously generated by a computer).
* The list of the top 20 passwords rarely changes and 1 out of every 50 people uses one of these passwords.
So it's conceivable that 6M unique passwords could cover a very significant portion of a 120M user namespace.
Curious why some of the hashes have been obscured with 00000 but not all. It means more than one possible password could generate the remaining characters, but what does that help or protect?