"One of the most common control mechanisms for authenticating users of computer-based information systems is the use of passwords. However, despite the widespread use of passwords, only little attention has been given to the characteristics of their actual use. This paper addresses the gap in evaluating the characteristics of real-life passwords and presents the results of an empirical study on passwords usage. It investigates the core characteristics of user-generated passwords in a DoD [Department of Defense] environment and associations between those variables."
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/