Only six percent of passwords combined alpha-numeric and special characters

Oct 7, 2009 09:17 GMT  ·  By

An analysis of the around 10,000 Windows Live Hotmail passwords that have been exposed in the wild has concluded that the majority of users still employ weak passwords. The average password length is eight characters, but only 6% of them contain both alpha-numeric and special characters.

A few days ago, Microsoft confirmed that thousands of Hotmail account credentials were posted on Pastebin, an online text sharing service. The leak is believed to have originated from a phishing scheme, where users were tricked into inputting their login information on a fake login page.

Even though the list was subsequently removed by Pastebin administrators, Bogdan Calin, chief technology officer at web application security company Acunetix, had time to grab it and perform an analysis of the passwords. He agreed with the phishing theory, but said that it was likely a poorly crafted one.

"I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn’t understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong," he wrote on the Acunetix blog. Additionally, given that many of the passwords were actually common Spanish names such as Alberto, Alejandra, Alejandro, Biatriz or Roberto, he concluded that the phishing scheme probably targeted the Latino community.

The list contained 9,843 valid passwords, of which only 90% (8,931) were unique. The most common password, found 64 times, was the old and highly insecure "123456." A longer variant, "123456789," was used in 18 instances. The historically popular password "iloveyou" was counted seven times, while its Spanish counterpart, "tequiero," appeared nine times.

When it comes to password length, most of them (99%) were over six characters long, with the average length being eight. The longest password, "lafaroleratropezoooooooooooooo," had 30 characters, but it is reasonable to assume that it was typed by a user frustrated that their "lafaroleratropezo" password was not working.

An analysis of the characters used showed that 42% of passwords contained only lower-case letters from "a" to "z," while another 3% used mixed-case letters. A further 19% were purely numerical. Thirty percent combined letters and digits, but only 6% also featured special characters such as #@^&, the combination that all security professionals recommend.
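The duplicate, length and character-class statistics described above can be reproduced with a short audit script. The following is an added example, not the Acunetix analysis code; it runs over a small constructed list (not passwords from the leak) and buckets each entry into the same disjoint classes the article reports, while a case-folded unique count exposes the "same password, different capitalization" pattern Calin noticed.

```python
from collections import Counter
import string

# Constructed sample standing in for the leaked list (none of these come
# from the Pastebin dump); it is built to exercise every bucket the
# article reports, plus a capitalisation variant of the same password.
SAMPLE = [
    "123456", "123456", "123456", "iloveyou", "tequiero",
    "alberto", "Alberto", "roberto", "987654321",
    "maria2009", "Maria2009", "P@ssw0rd!", "lafaroleratropezo",
]

def classify(pw: str) -> str:
    """Assign a password to one of the disjoint character-class buckets
    used in the article: special, numeric, alnum, lower, mixed_case, other."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(c in string.punctuation for c in pw)
    if special:
        return "special"          # contains #@^& or similar
    if digit and not (lower or upper):
        return "numeric"          # purely numerical
    if digit:
        return "alnum"            # letters and digits, no specials
    if lower and not upper:
        return "lower"            # only a-z
    if lower or upper:
        return "mixed_case"       # letters only, with at least one upper-case
    return "other"                # e.g. whitespace or non-ASCII only

def audit(passwords) -> dict:
    """Reproduce the headline statistics of the Acunetix analysis."""
    counts = Counter(passwords)
    total = len(passwords)
    buckets = Counter(classify(p) for p in passwords)
    return {
        "total": total,
        "unique": len(counts),
        # collapses 'Alberto'/'alberto', the sign of retyped phishing input
        "unique_casefolded": len({p.casefold() for p in passwords}),
        "most_common": counts.most_common(1)[0],
        "avg_length": round(sum(map(len, passwords)) / total, 2),
        "longest": max(passwords, key=len),
        "buckets": dict(buckets),
        "percent": {k: round(100 * v / total, 1) for k, v in buckets.items()},
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it on a real credential dump would require the same hygiene as any exposed-secret handling: keep the file off shared storage and delete it once the statistics are recorded.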

The findings of the Acunetix CTO are consistent with password trends uncovered by other recent studies and surveys. Back in September, we reported that similar results were obtained by a white-hat hacker who analyzed a list of over 850,000 passwords used on a large Web portal.