Leaked Hotmail Password Data Analysis

Martin Brinkmann
Oct 9, 2009
Updated • Dec 10, 2014

Remember when AOL decided to provide downloads of an anonymized snapshot of search engine log files? One of the first things that Internet marketers did was analyze the data to see what users were looking for.

Groups focused on privacy analyzed the data to see if it was possible to identify single users from the data that was offered by AOL.

Security analyst Bogdan Calin from Acunetix performed a similar analysis on the leaked Hotmail data. After an initial analysis and cleanup of the data, which consisted of 10,028 entries, he started a detailed analysis of the remaining 9843 passwords, of which 90% were unique.

  • 3,713 = 42 %; lower alpha passwords: passwords containing only characters from ‘a’ to ‘z’. Example: iloveyou
  • 291 = 3 %; mixed case alpha passwords: passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’. Example: ILoveYou
  • 1707 = 19 %; numeric passwords: passwords containing only numbers (‘0’ to ‘9’). Example: 123456
  • 2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-‘z’, ‘A’-‘Z’ and ‘0’-‘9’. Example: Iloveyou12
  • 565 = 6 %; mixed alpha + numeric + other characters. Example: 1Love You$%@

The shortest password in the list was made up of one character while the longest used 30 of them. The average length was eight characters, with 42% of all users using a password that consisted only of lower case characters from a to z and an additional 19% of all users using a password with numeric values only. The most commonly used password was 123456, followed by 123456789.
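The same breakdown can be reproduced for any password list under audit. The following is an added example, not code from the Acunetix report or from this article; the function names, the rule for assigning a password to the narrowest matching class, and the sample list are assumptions made for illustration.

```python
import re
from collections import Counter

# The five classes from the list above, checked from narrowest to widest.
# The character sets are ASCII-only, so a password containing "ñ" or a space
# falls through to the last class.
CLASSES = [
    ("lower alpha", re.compile(r"[a-z]+")),
    ("numeric", re.compile(r"[0-9]+")),
    ("mixed case alpha", re.compile(r"[A-Za-z]+")),  # upper-case-only lands here too
    ("mixed alpha and numeric", re.compile(r"[A-Za-z0-9]+")),
]
OTHER = "mixed alpha + numeric + other"


def classify(password):
    """Return the first (narrowest) class whose character set covers the password."""
    for name, pattern in CLASSES:
        if pattern.fullmatch(password):
            return name
    return OTHER


def summarize(passwords):
    """Class distribution, length statistics and the two most common values."""
    entries = [p for p in passwords if p]  # drop empty entries (cleanup step)
    if not entries:
        raise ValueError("no passwords to analyze")
    lengths = [len(p) for p in entries]
    return {
        "total": len(entries),
        "unique": len(set(entries)),
        "by_class": dict(Counter(classify(p) for p in entries)),
        "min_len": min(lengths),
        "max_len": max(lengths),
        "avg_len": sum(lengths) / len(entries),
        "top": Counter(entries).most_common(2),
    }


# Constructed sample, not taken from the leaked list.
SAMPLE = ["iloveyou", "123456", "123456", "ILoveYou", "Iloveyou12",
          "1Love You$%@", "123456789", "a", "", "123456789", "123456"]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for name, count in report["by_class"].items():
        print(f"{count:3d} = {100 * count / report['total']:.0f} %  {name}")
    print(report["min_len"], report["max_len"], report["avg_len"], report["top"])
```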

Calin thinks that the passwords have been gathered using various phishing kits. It is also likely that the attack was aimed at the "latino" community, which he concluded from the passwords selected by users. You can find the full report at the Acunetix website.

Verdict: It is interesting that so many users are still using weak passwords for important accounts like web email accounts. But then again, a good password does not help at all if the user enters it in the wrong place for attackers to see.

What puzzles me a bit is that Hotmail does not seem to enforce a certain password length.

Update: If you create a Microsoft Account now, which you need when you want to use Outlook (the new Hotmail more or less), then you have to pick a password with eight characters minimum.




  1. Jojo said on October 9, 2009 at 10:56 am

    This has been posted elsewhere about this story but I will repeat it:

    You can’t draw real, valid assumptions about password strength or makeup from this exposure because these people were dumb or naive enough to fall for the phishing scam in the first place! I would expect that many of these guys have machines riddled with spyware and viruses also.
