CynoSure Prime, a "password research collective", has reversed the hashes of nearly 320 million hashed passwords provided by security researcher Troy Hunt through the Pwned Passwords searchable online database.

Their effort, pulled off with the help of two other researchers, revealed many things:

Interesting statistics regarding these real world passwords exposed in data breaches,

The fact that this database also contains some 2.5 million email addresses and 230,000 email/password combinations (Hunt intends to purge that data from the database), and

Some bugs in the Hashcat password recovery tool.

"The longest password we found was 400 characters, while the shortest was only 3 characters long. About 0.06% of passwords were 50 characters or longer with 96.67% of passwords being 16 characters or less," the collective shared.

"Roughly 87.3% of passwords fall into the character set of LowerNum 47.5%, LowerCase 24.75%, Num 8.15%, and MixedNum 6.89% respectively. In addition we saw UTF-8 encoded passwords along with passes containing control characters."