Here are some of my observations and questions about passwords -- based on knowing nothing about particular users or their habits -- that might be used in a probability-based program.
1. If the minimum password size is X, most passwords will be from X to X+3 characters long.
2. Password crackers should spend less time offering up letters q, x, or z.
3. Most users place required capital letters in the first position or near the beginning.
4. When numbers are required, 1, 2, and maybe 9 are the most common, and they are usually positioned at the end. Common substitutions -- the number 1 for lowercase l, 5 for s -- should be taken into account.
5. When symbols are required, !, @, #, and $ seem most common, with ! most likely taking the place of lowercase l, @ substituting for a, and $ taking the place of s.
6. A frequency analysis should be conducted, using dictionary words as the base, on the words most commonly used in passwords. For example, even within the smaller subset of animal words, tiger is used far more often than genet, even though the latter is no harder to spell.
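The six observations above can be turned around and used defensively: a password-policy check that flags exactly these predictable structures. The following is an added example written for this post, not code from the author or from any cracking tool; the tiny wordlist, the substitution map (taken only from the substitutions named above) and the rejection threshold are constructed assumptions, and a real deployment would swap in a frequency-ranked wordlist built from breach statistics.

```python
import re

# Substitutions the post lists (1 for l, 5 for s, ! for l, @ for a, $ for s).
# Constructed from the post; extend it with what your own analysis shows.
SUBSTITUTIONS = {"1": "l", "5": "s", "!": "l", "@": "a", "$": "s"}

# Constructed stand-in for a frequency-ranked wordlist.
COMMON_WORDS = {"tiger", "password", "snake", "summer", "dragon"}

COMMON_DIGITS = set("129")   # observation 4
COMMON_SYMBOLS = set("!@#$")  # observation 5


def undo_substitutions(text: str) -> str:
    """Map the post's common symbol/number substitutions back to letters."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in text).lower()


def predictability_flags(password: str, min_len: int = 8, wordlist=COMMON_WORDS) -> list:
    """Return the names of the post's observations that this password matches."""
    flags = []

    # 1. Length sits in the X .. X+3 band just above the policy minimum.
    if min_len <= len(password) <= min_len + 3:
        flags.append("length_near_minimum")

    # 3. Every capital letter is within the first three positions.
    caps = [i for i, ch in enumerate(password) if ch.isupper()]
    if caps and max(caps) < 3:
        flags.append("capitals_at_start")

    # 4. Digits cluster at the end (optionally followed by symbols), often just 1, 2 or 9.
    trailing = re.search(r"(\d+)[^A-Za-z\d]*$", password)
    if trailing:
        flags.append("digits_at_end")
        if set(trailing.group(1)) <= COMMON_DIGITS:
            flags.append("common_trailing_digits")

    # 5. The only non-alphanumeric characters used are ! @ # $.
    symbols = {ch for ch in password if not ch.isalnum()}
    if symbols and symbols <= COMMON_SYMBOLS:
        flags.append("common_symbols_only")

    # 6. After dropping trailing digits/symbols and undoing the substitutions,
    #    what remains is a common dictionary word.
    stem = re.sub(r"[^A-Za-z]+$", "", password)
    if undo_substitutions(stem) in wordlist or undo_substitutions(password) in wordlist:
        flags.append("dictionary_word")

    return flags


def is_predictable(password: str, min_len: int = 8, threshold: int = 3) -> bool:
    """Policy hook: reject when several of the patterns line up at once (threshold is an assumption)."""
    return len(predictability_flags(password, min_len)) >= threshold


if __name__ == "__main__":
    for pw in ["Tiger1!", "Pa$$word9", "correct horse battery staple", "Xq7#zRp2wLm"]:
        print(f"{pw!r:32} {predictability_flags(pw)}")
```

Running it shows why the observations matter in combination: "Pa$$word9" trips all six checks, while a long passphrase trips none. A single flag (a random 11-character string still lands in the length band) is not evidence of weakness on its own, which is why the policy hook counts how many of the patterns coincide rather than rejecting on any one.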
Can you think of more password observations? There are at least a few papers on the subject, but I haven’t seen any tools that take this type of analysis into consideration. It's too bad -- maybe more security mavens need to do their deep thinking in the shower.