I'd suggest that the dip in 7 is natural, but the peak at 8 is the interesting part. I'd argue the 8 peak is due to some of some of their websites requiring a minimum of 8 characters. It's possible that such password checks are inconsistent among their sites/domains, resulting in some passwords being less (that's why we do see some password of shorter length than 8). If the 8 was around 6,000 we'd see a natural falloff curve as one would expect.
Yeah, I think you're right about it relating to reused passwords. I've also seen a lot of sites having passwords with a minimum length of 6 so the shape would make sense if there's an exponential fall of from 6 added to a fall of from 8.
It's supposed to be a skewed normal curve, right? So with individual site requirements boosting the 6 AND 8 minimum character lengths it would all make sense, since that's where we get 2 spikes. Remove those spikes and we get the nice normal chart as expected.
