Security analyst Bogdan Calin from Acunetix performed a similar analysis on the leaked Hotmail data. He performed an initial analysis and clean up of the data which consisted of 10,028 entries and started a detailed analysis of the remaining 9843 passwords of which 90% were unique.

• 3,713 = 42 %; lower alpha passwords : passwords containing only characters from ‘a’ to ‘z’. Example : iloveyou
• 291 = 3 %; mixed case alpha passwords : passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’. Example: ILoveYou
• 1707 = 19 %; numeric passwords: passwords containing only numbers (’0′ to ‘9′). Example: 123456
• 2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-’z’, ‘A’-’Z’ and ‘0′-’9′. Example: Iloveyou12
• 565 = 6 %; mixed alpha + numeric + other characters. Example: 1Love You$%@

The shortest password in the list was made up of one character while the longest used 30 of them. The average length was eight characters with 42% of all users using a password that only consisted of lower case characters from a to z and an additional 19% of all users using a password with numeric values only.The most common used password was 123456 followed by 123456789.

Calin thinks that the passwords have been gathered using various phishing kits. It is also likely that the attack was aimed at the “latino” community which he concluded from the passwords entered by the users. You can find the full report at the Acunetix website.

Verdict: It is interesting that that many users are still using weak passwords for important accounts like web email accounts. But then again, a good password does not help at all if the user enters it in the wrong place for attackers to see.