Is it possible that the breached Sony passwords he was analyzing may have been cracked with dictionary attacks? Maybe the reason only 1% of the passwords had a non-alphanumeric character was that the crackers mostly didn't crack the passwords that had any non-alphanumeric characters.