Leaked Hotmail Password Data Analysis - gHacks Tech News

Remember when AOL decided to provide downloads of an anonymized snapshot of search engine log files? One of the first things that Internet marketers did was analyze the data to see what users were looking for.

Groups focused on privacy analyzed the data to see if it was possible to identify single users from the data that was offered by AOL.

Security analyst Bogdan Calin of Acunetix performed a similar analysis of the leaked Hotmail data. After an initial analysis and cleanup of the data, which consisted of 10,028 entries, he analyzed the remaining 9,843 passwords in detail; 90% of them were unique.

  • 3,713 = 42%; lower alpha passwords: passwords containing only characters from 'a' to 'z'. Example: iloveyou
  • 291 = 3%; mixed case alpha passwords: passwords containing characters from 'a' to 'z' and from 'A' to 'Z'. Example: ILoveYou
  • 1,707 = 19%; numeric passwords: passwords containing only numbers ('0' to '9'). Example: 123456
  • 2,655 = 30%; mixed alpha and numeric passwords: passwords containing characters from 'a'-'z', 'A'-'Z' and '0'-'9'. Example: Iloveyou12
  • 565 = 6%; mixed alpha + numeric + other characters. Example: 1Love You$%@

The shortest password in the list was a single character, while the longest had 30. The average length was eight characters. 42% of all users used a password consisting only of lowercase characters from a to z, and a further 19% used a password with numeric values only. The most commonly used password was 123456, followed by 123456789.
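The composition classes and length statistics described above can be reproduced with a short script. This is an added example, not code from the article or from Calin's report; the function names, the cleanup step and the handling of all-uppercase passwords are assumptions, and the sample list is constructed from the article's own example passwords.

```python
import re
from collections import Counter
from statistics import mean

# Buckets from the list above, tested in order so the narrowest class wins.
# Assumption: an all-uppercase password counts as "mixed case alpha"; the
# article does not say where such passwords were placed.
CLASSES = [
    ("lower alpha", re.compile(r"[a-z]+")),
    ("mixed case alpha", re.compile(r"[a-zA-Z]+")),
    ("numeric", re.compile(r"[0-9]+")),
    ("mixed alpha and numeric", re.compile(r"[a-zA-Z0-9]+")),
]
OTHER = "mixed alpha + numeric + other"


def classify(password):
    """Return the composition class of one password."""
    for name, pattern in CLASSES:
        if pattern.fullmatch(password):
            return name
    # Spaces, punctuation and non-ASCII letters (e.g. "ñ") all end up here.
    return OTHER


def analyze(entries):
    """Summarise composition, length and reuse; duplicates are kept."""
    pws = [e.rstrip("\r\n") for e in entries]
    pws = [p for p in pws if p]  # drop empty records (assumed cleanup step)
    if not pws:
        raise ValueError("no usable passwords")
    total = len(pws)
    lengths = [len(p) for p in pws]
    by_class = Counter(classify(p) for p in pws)
    return {
        "total": total,
        "unique_pct": round(100 * len(set(pws)) / total),
        "classes": {c: (n, round(100 * n / total)) for c, n in by_class.items()},
        "min_len": min(lengths),
        "max_len": max(lengths),
        "avg_len": round(mean(lengths), 1),
        "top": Counter(pws).most_common(2),
    }


# Constructed sample built from the article's own example passwords.
SAMPLE = ["iloveyou", "ILoveYou", "123456", "Iloveyou12", "1Love You$%@",
          "123456", "123456789", "", "a", "123456", "123456789"]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Because the ranges are ASCII-only, passwords with accented or other non-ASCII letters are counted in the last bucket, which matters when the data set is not English-language.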

Calin thinks that the passwords were gathered using various phishing kits. He also considers it likely that the attack was aimed at the "latino" community, which he concluded from the passwords selected by users. You can find the full report at the Acunetix website.

Verdict: It is interesting that so many users still use weak passwords for important accounts such as web email accounts. But then again, a good password does not help at all if the user enters it in the wrong place for attackers to see.

What puzzles me a bit is that Hotmail does not seem to enforce a certain password length.

Update: If you create a Microsoft Account now, which you need when you want to use Outlook (the new Hotmail more or less), then you have to pick a password with eight characters minimum.

Comments

  1. Jojo said on October 9, 2009 at 10:56 am

    This has been posted elsewhere about this story but I will repeat it:

    You can’t draw real, valid assumptions about password strength or makeup from this exposure because these people were dumb or naive enough to fall for the phishing scam in the first place! I would expect that many of these guys have machines riddled with spyware and viruses also.
