Statistics from 10,000 leaked Hotmail passwords
An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list, and quickly generated some statistics from these passwords.
My impression is that these passwords were gathered using phishing kits. What's more, the phishing kit used was most probably badly designed: it didn't go on to authenticate the users against the Hotmail/Live website, and I think it simply returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn't understand what was going on and entered the same password again and again, thinking they had typed it wrong.
Below are the statistics:
- The list initially contained 10,028 entries.
- After I cleaned up the list (removing entries without a password, for example), I had 9843 valid entries (passwords).
- There are 8931 (90%) unique passwords in the list.
- The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
- The shortest password was 1 char long : )
Top 20 most common passwords:
- 123456 - 64
- 123456789 - 18
- alejandra - 11
- 111111 - 10
- alberto - 9
- tequiero - 9
- alejandro - 9
- 12345678 - 9
- 1234567 - 8
- estrella - 7
- iloveyou - 7
- daniel - 7
- 000000 - 7
- roberto - 7
- 654321 - 6
- bonita - 6
- sebastian - 6
- beatriz - 6
- mariposa - 5
- america - 5
Based on these passwords I think the phishing kit was targeted towards the Latino community.
Password length distribution (count and percentage, over the 8931 unique passwords):
- 1 chars – 2 – 0 %
- 2 chars – 4 – 0 %
- 3 chars – 4 – 0 %
- 4 chars – 31 – 0 %
- 5 chars – 49 – 1 %
- 6 chars – 1946 – 22 %
- 7 chars – 1254 – 14 %
- 8 chars – 1838 – 21 %
- 9 chars – 1091 – 12 %
- 10 chars – 772 – 9 %
- 11 chars – 527 – 6 %
- 12 chars – 431 – 5 %
- 13 chars – 290 – 3 %
- 14 chars – 219 – 2 %
- 15 chars – 157 – 2 %
- 16 chars – 190 – 2 %
- 17 chars – 56 – 1 %
- 18 chars – 17 – 0 %
- 19 chars – 7 – 0 %
- 20 chars – 14 – 0 %
- 21 chars – 10 – 0 %
- 22 chars – 8 – 0 %
- 23 chars – 3 – 0 %
- 24 chars – 3 – 0 %
- 25 chars – 3 – 0 %
- 26 chars – 0 – 0 %
- 27 chars – 3 – 0 %
- 28 chars – 0 – 0 %
- 29 chars – 1 – 0 %
- 30 chars – 1 – 0 %
As you can see from the list above, most of the passwords are between 6 and 9 characters long. Average password length is 8 characters.
What kind of passwords were in the list?
- 3,713 = 42 %; lower alpha passwords: passwords containing only characters from 'a' to 'z'. Example: iloveyou
- 291 = 3 %; mixed case alpha passwords: passwords containing characters from 'a' to 'z' and from 'A' to 'Z'. Example: ILoveYou
- 1707 = 19 %; numeric passwords: passwords containing only numbers ('0' to '9'). Example: 123456
- 2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from 'a'-'z', 'A'-'Z' and '0'-'9'. Example: Iloveyou12
- 565 = 6 %; mixed alpha + numeric + other characters. Example: 1Love You$%@
As the breakdown above shows, a large majority of users still use very poor passwords: 42 % (lower alpha only) and 19 % (numeric only), while only 6 % of all the passwords used a mix of letters, numbers and other characters.
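The clean-up, top-N count, length and character-class breakdown described above, plus a check for the "same password re-entered with different capitalization" pattern that suggested a kit which never logged the victim in. This is an added example, not code from the original post; the sample lines are constructed, and the exact boundary rules between the five character classes are my assumption.

```python
import string
from collections import Counter, defaultdict

# Constructed sample in the "user:password" shape of the dump (not real leaked data).
SAMPLE = """\
ana@example.com:123456
luis@example.com:alejandra
luis@example.com:Alejandra
pepe@example.com:
mar@example.com:ILoveYou
raul@example.com:Iloveyou12
eva@example.com:1Love You$%@
jon@example.com:123456
"""
LOWER, UPPER, DIGIT = set(string.ascii_lowercase), set(string.ascii_uppercase), set(string.digits)

def parse(dump):
    """(user, password) pairs; entries without a password are dropped (the post's clean-up step)."""
    pairs = []
    for line in dump.splitlines():
        user, sep, pw = line.partition(":")
        if sep and pw:
            pairs.append((user, pw))
    return pairs

def classify(pw):
    """The post's five character-class buckets. Boundary rules are my assumption: subset checks,
    so an upper-case-only password counts as 'mixed case alpha' and a space counts as 'other'."""
    chars = set(pw)
    if chars <= DIGIT: return "numeric"
    if chars <= LOWER: return "lower alpha"
    if chars <= LOWER | UPPER: return "mixed case alpha"
    if chars <= LOWER | UPPER | DIGIT: return "alpha + numeric"
    return "alpha + numeric + other"

def stats(dump, top=20):
    """Counts the post reports; length and class distributions are over unique passwords."""
    pws = [pw for _, pw in parse(dump)]
    uniq = set(pws)
    return {"valid": len(pws), "unique": len(uniq), "top": Counter(pws).most_common(top),
            "lengths": Counter(len(p) for p in uniq), "classes": Counter(classify(p) for p in uniq),
            "avg_len": round(sum(map(len, uniq)) / len(uniq)) if uniq else 0}

def retry_victims(dump):
    """Users who sent the same password more than once up to case: the retry pattern the post describes."""
    seen = defaultdict(list)
    for user, pw in parse(dump):
        seen[user].append(pw.casefold())
    return sorted(u for u, p in seen.items() if len(p) > len(set(p)))
```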
I also heard that 12345 is the most common password in the whole world.. So anyone using this password is advised to change it…
[...] information was revealed by security researcher Bogdan Calin on his blog. Calin examined the 10 thousand accounts compromised by the hackers and found that of the 9843 passwords [...]
[...] researcher discovered that '123456' is the most common password and that passwords most often [...]
[...] Acunetix Web Application Security Blog » Statistics from 10000 … [...]
[...] the magazine 'Wired' has echoed the analysis by the security site Acunetix, which archived the passwords before they were removed from the Net and has published the patterns [...]
[...] – In recent days there has been much discussion on the Net about the 10 thousand Hotmail passwords "stolen" and made public, and public attention has been drawn to the same [...]
[...] A find like this rarely crosses the developers' path. But in the process they really unearthed something frightening. The most common password among the affected Hotmail users was [...]
[...] UPDATE : Oct 09. In the light of the recent Hotmail phishing incident one thing it did allow was an analysis of passwords. Visit the Acunetix Web Security site for a list of the Top 20 most popular passwords and a breakdown of the pa… [...]
[...] that had been lifted from Windows Live Hotmail accounts. An online internet security company analyzed these passwords and found some very distressing [...]
[...] – 42 % (lower alpha only) – 19 % (numeric only) – 6 % from all the passwords had passwords which use a selection of alpha numeric and other characters. Statistics from 10,000 leaked Hotmail passwords [...]
[...] http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/ [...]
This was the start for our corporate blog. You can view the materials at: http://ptresearch.blogspot.com/2009/11/password-analysis-for-windows-live.html
[...] Hotmail accounts by an anonymous person. A statistical study was carried out on that list of passwords, and we can highlight the following [...]
[...] so it wouldn't hurt to take a look at THIS RANKING, and if by chance you are one of those who uses one of them, you know what you have to do. For [...]
I think there are certain passwords which are very common and are used everywhere. So we should use strong passwords.
[...] password just in case, since after analysing the list and extracting some statistics (taken from Acunetix), below is the top 20 most used passwords. Number one on the list is the favourite of many [...]
[...] many Internet users. Bogdan Calin, security researcher at Acunetix, published on his blog the list of the 20 most common passwords among the accounts hacked last week. The two [...]
[...] The company Acunetix has taken up the topic of password protection and published a list. In this list you can [...]
[...] since e-mail accounts are the most used in the world, I have traced for you an excellent analysis of over 10,000 passwords used on Hotmail that were disclosed on the Web by an [...]
[...] may not be a very secure password, but it is one of the most popular on Windows Live Hotmail. At least that is what Bogdan Calin says, a security researcher who had access to the list of 10 thousand passwords stolen from Windows Live [...]
oops.123456…
Someone told us to change our password periodically. I use a long but not so memorable password, so I always forget my password. My friend suggested I use the software called Password Genius. I tried it, and found it very amazing that it only took a few minutes to find out the password. I highly recommend it to you. Here it is:
http://www.password-genius.com/how-to/how-to-find-out-my-windows-live-messenger-password-msn-password.html
[...] you can see the statistics for yourself by connecting to the Acunetix site. [...]
[...] “123456” also topped a similar chart based on statistical analysis of 10,000 Hotmail passwords published in October, 2009 by [...]
[...] something we know after 10,000 passwords went astray from the e-mail service Hotmail. Bogdan Calin, who mostly blogs about security, could report that in the latest big phishing case of [...]
[...] item 3: http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/ An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a [...]
My MSN and Facebook were hacked one week ago, and I can't find any way to solve it. Can someone please help me? I'm a student and I need my email so much. If there is someone who can help me, please email me. Thanks
[...] 10000 Hotmail passwords and nearly 45000 MySpace passwords were found published in the [...]
[...] composing complex passwords. This is evidenced by the analysis of stolen Hotmail passwords carried out by a specialist in [...]
[...] Live Hotmail passwords posted to a publicly accessible web page ("Statistics from 10,000 leaked Hotmail passwords"). Nobody knows how the anonymous user got hold of the passwords. All the more frightening [...]
[...] in the hacked Hotmail accounts can be found on the home page of the security company Acunetix http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/ . [...]
[...] but meanwhile, please don't use your dog's name, boyfriend's birthday or favorite football team. A jaw-dropping analysis of 10,000 stolen passwords last year showed that the top 20 most common ones included 123456, 123456789, 111111 and america. [...]
12345? That’s the stupidest combination I’ve heard of in my life! That’s the kind of thing an idiot would have on his luggage!