Passwords remain the most widely used form of user authentication, despite
advancements in other methods. However, their limitations, such as
susceptibility to attacks, especially weak passwords defined by human users,
are well-documented. The existence of weak human-defined passwords has led to
repeated password leaks from websites, many of which are of large scale. While
such password leaks are unfortunate security incidents, they provide security
researchers and practitioners with good opportunities to learn valuable
insights from such leaked passwords, in order to identify ways to improve
password policies and other security controls on passwords. Researchers have
proposed different data visualisation techniques to help analyse leaked
passwords. However, many approaches rely solely on frequency analysis, with
limited exploration of distance-based graphs. This paper reports PassViz, a
novel method that combines the edit distance with the t-SNE (t-distributed
stochastic neighbour embedding) dimensionality reduction algorithm for
visualising and analysing leaked passwords in a 2-D space. We implemented
PassViz as an easy-to-use command-line tool for visualising large-scale
password databases, and also as a graphical user interface (GUI) to support
interactive visual analytics of small password databases. Using the
"000webhost" leaked database as an example, we show how PassViz can be used to
visually analyse different aspects of leaked passwords and to facilitate the
discovery of previously unknown password patterns. Overall, our approach
empowers researchers and practitioners to gain valuable insights and improve
password security through effective data visualisation and analysis