An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list, and quickly generated some statistics from these passwords.
My impression is that these passwords were gathered using phishing kits. Moreover, the phishing kit used was most probably badly designed, since it didn't further authenticate the users to the Hotmail/Live website; I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong.
Below are the statistics:
- The list initially contained 10,028 entries.
- After cleaning up the list (e.g. removing entries without a password), I had 9843 valid entries (passwords).
- There are 8931 (90%) unique passwords in the list.
- The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
- The shortest password was 1 char long : )
Top 20 most common passwords:
- 123456 - 64
- 123456789 - 18
- alejandra - 11
- 111111 - 10
- alberto - 9
- tequiero - 9
- alejandro - 9
- 12345678 - 9
- 1234567 - 8
- estrella - 7
- iloveyou - 7
- daniel - 7
- 000000 - 7
- roberto - 7
- 654321 - 6
- bonita - 6
- sebastian - 6
- beatriz - 6
- mariposa - 5
- america - 5
Based on these passwords I think the phishing kit was targeted towards the Latino community.
Password length distribution:
- 1 chars - 2 - 0 %
- 2 chars - 4 - 0 %
- 3 chars - 4 - 0 %
- 4 chars - 31 - 0 %
- 5 chars - 49 - 1 %
- 6 chars - 1946 - 22 %
- 7 chars - 1254 - 14 %
- 8 chars - 1838 - 21 %
- 9 chars - 1091 - 12 %
- 10 chars - 772 - 9 %
- 11 chars - 527 - 6 %
- 12 chars - 431 - 5 %
- 13 chars - 290 - 3 %
- 14 chars - 219 - 2 %
- 15 chars - 157 - 2 %
- 16 chars - 190 - 2 %
- 17 chars - 56 - 1 %
- 18 chars - 17 - 0 %
- 19 chars - 7 - 0 %
- 20 chars - 14 - 0 %
- 21 chars - 10 - 0 %
- 22 chars - 8 - 0 %
- 23 chars - 3 - 0 %
- 24 chars - 3 - 0 %
- 25 chars - 3 - 0 %
- 26 chars - 0 - 0 %
- 27 chars - 3 - 0 %
- 28 chars - 0 - 0 %
- 29 chars - 1 - 0 %
- 30 chars - 1 - 0 %
As you can see from the list above, most of the passwords are between 6 and 9 characters long. Average password length is 8 characters.
What kind of passwords were in the list?
- 3,713 = 42 %; lower alpha passwords: passwords containing only characters from 'a' to 'z'. Example: iloveyou
- 291 = 3 %; mixed case alpha passwords: passwords containing characters from 'a' to 'z' and from 'A' to 'Z'. Example: ILoveYou
- 1707 = 19 %; numeric passwords: passwords containing only numbers ('0' to '9'). Example: 123456
- 2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from 'a'-'z', 'A'-'Z' and '0'-'9'. Example: Iloveyou12
- 565 = 6 %; mixed alpha + numeric + other characters. Example: 1Love You$%@
As we can see and conclude from the list above, a big majority of users still use very poor passwords: 42 % (lower alpha only) and 19 % (numeric only), while only 6 % of all the passwords used a mix of alphanumeric and other characters.
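The cleaning, de-duplication, top-N count and character-class breakdown the post describes, as an added Python example (not the author's own script). It assumes the dump is one 'email:password' row per line, which the post does not state, and runs on a small constructed sample:

```python
"""Statistics over a leaked 'email:password' dump in the style of the post:
clean, dedupe, top-N, length distribution and character-class breakdown.
Added example, not the author's script; the row format is an assumption."""
from collections import Counter
import string

# Constructed sample rows; the empty-password and blank rows stand in for the
# entries the author says he removed while cleaning the list.
SAMPLE_DUMP = """\
user1@example.com:123456
user2@example.com:alejandra
user3@example.com:
user4@example.com:ILoveYou
user5@example.com:Iloveyou12
user6@example.com:1Love You$%@
user7@example.com:123456
user8@example.com:tequiero

user9@example.com:)
"""


def parse_dump(text):
    """Return the non-empty passwords, duplicates kept (needed for top-N)."""
    passwords = []
    for line in text.splitlines():
        if ':' not in line:
            continue                      # blank or malformed row
        _, _, pw = line.partition(':')    # split on the first ':' only
        if pw:                            # drop entries without a password
            passwords.append(pw)
    return passwords


def classify(pw):
    """Bucket a password into the five character classes used in the post."""
    if pw.isascii() and pw.isdigit():
        return 'numeric'
    if pw.isascii() and pw.isalpha():
        # Pure-uppercase strings land here too; the post gives them no bucket.
        return 'lower alpha' if pw.islower() else 'mixed case alpha'
    if all(c in string.ascii_letters + string.digits for c in pw):
        return 'mixed alpha and numeric'
    return 'alpha + numeric + other'


def stats(passwords, top_n=3):
    """Compute the figures the post reports. The post's class counts add up
    to its unique count, so classes are taken over unique passwords."""
    counts = Counter(passwords)
    lengths = Counter(len(p) for p in passwords)
    classes = Counter(classify(p) for p in counts)
    return {
        'valid': len(passwords),
        'unique': len(counts),
        'top': counts.most_common(top_n),
        'lengths': dict(sorted(lengths.items())),
        # elements() repeats each length per occurrence, so the sum is total chars
        'avg_len': round(sum(lengths.elements()) / len(passwords), 1),
        'classes': dict(classes),
    }


if __name__ == '__main__':
    for key, value in stats(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```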
damn…thats why I stick with G G G Mail…
Amazingly, American Express still limits its online account users to maximum 8 (yes–EIGHT!) purely alphanumeric passwords; even dashes and underscores are verboten. I complained to their online tech support reps a few times directly, but to no avail. They should be scolded publicly for these unbelievably stupid and dangerous limitations.
–Tony G
Wells Fargo does the same thing, but they found a way to take it one step further: both user names and passwords are NOT case sensitive.
“As we can see and conclude from the list above, a big majority of internet users still use very poor passwords: 42 % (lower alpha only) and 19 % (numeric only), while only 6 % from all the passwords had passwords which use a selection of alpha numeric and other characters.”
It’s not really valid to say that “a big majority of internet users” when the “study” is of users whose accounts have fallen to some hacking attempt. Users who are knowledgeable about password security would be less likely to give information to a phishing attack.
@Benjamin Manns : You are right, thanks for noticing. It’s my mistake. I wanted to say “a big majority of users” (referring to these Hotmail users) not “a big majority of internet users”. I’ve corrected the post. Thanks again.
Firstly I was shocked to see the list of passwords, but when I checked now I feel relaxed. My password is so complicated, but it's not in the list.
Hi all!
I'm your colleague from Russia. I've analyzed the same data but my results differ slightly from yours. Here they are: http://devteev.blogspot.com/2009/10/windows-live-hotmail.html
Hi Dmitry. Unfortunately, I don't understand Russian. I've tried Google Translate but the results are not very good, and it cannot translate images.
Hi Bogdan,
Congrats for your study. Very clean and very useful.
Could you please provide the list you have used for that study. Is there any place where we can find it?
Thank you very much.
I found the list via Twitter. It was deleted since then. However, I’m sure you can still find it somewhere if you look closely enough.
Why do people use such simple passwords? The best trick is to use the same cryptic password, but with another letter at the beginning etc. Easy to remember and never the same.
tequiero is iloveyou in Spanish:
tequiero – 9
iloveyou – 7
I believe the Security is causing the Insecurity:
http://mlaman.wordpress.com/2009/10/07/insecure-secure/
The data is unreliable, as these are assumed to be from a phishing scam. The best statistics you will get would only apply to the population of users that will fall for a phishing scam. Also, this is assuming the passwords are real (I sometimes spitefully enter false information into phishing scams). Personally, I’d like to know how different the statistics would be for people that did not fall for the same scam.
Are people with the name Alejandra or Alejandro predisposed to come up with bad passwords?
I cannot remember what I cannot remember. A cyber society built on this sort of password system is a sand castle. One solution could be expanding the password system to include graphics and photos in addition to characters, so that users will be able to select what they are good at from among them. One such solution, named Mnemonic Guard, is becoming well known in Japan.
Couldn't someone tell Microsoft to send a mail to compromised accounts, or instead put up a site on the web where you can ask whether your password has been compromised?
It seems incredible to ask all people on Hotmail to reset their password for a 10,000 leak.
NOTE: Maybe, if you had the names of the accounts, you could be so kind as to put up a web form where I can ask about my account.
Many Thanks
Your account is not on the list
But it’s a good security practice to change all your important passwords regularly. It depends on you how regularly.
Thank you very much, Mr. Bogdan
I’ve noticed a major flaw if you login via MSN Messenger. It ISN’T case sensitive!
i.e. if you use upper and lower case alphas in your password, then it doesn't matter if you type PaSSwoRD or password or PASSWORD.
A huge oversight.
@Pogo: If what you are saying is true, that's very dangerous. I don't use MSN to test it out.
i was hoping for 8675309 to pop up on the list! lol
“6 %; mixed alpha + numeric + other characters.” Only 6% good passwords? Damn…
I can’t believe it
My hotmail password is also 123456
But here's a catch: it's a /dev/null email account I use to give to sites which refuse to serve me stuff without registering, so it's a sink for their spam crap.
I wouldn't be so quick to judge us all idiots; not everyone wants or needs a high level of security and different randomized complex passwords for every authenticatable piece of asset we have. A crappy Hotmail account is definitely not one.
every rule has an exception.
What's worse is that some NY based national banks now only allow 4 digit PINs for ATMs. The teller asked if she could help with anything else; I complained about that and she told me to go online. Nice. Told her it was way less secure than the old 6 digit code.
Interesting post. Very nice, and such valuable information you shared with us. Thanks for it.
Where can I view that list? Any one who can help?
Here you can find a similar analysis based on the bigger list (24k accounts): http://stormsecurity.wordpress.com/2009/10/12/check-if-your-email-account-has-been-exposed/
I also heard that 12345 is the most common password in the whole world. So anyone using this password is advised to change it…
This was the start for our corporate blog. You can view the materials at: http://ptresearch.blogspot.com/2009/11/password-analysis-for-windows-live.html
I think there are certain passwords which are very common and are used everywhere. So we should use strong passwords.
oops.123456…
My MSN and Facebook were hacked one week ago, and I can't find any way to solve it. Can someone please help me? I'm a student and I need my email so much. If there is someone who can help me, then please email me. Thanks
12345? That’s the stupidest combination I’ve heard of in my life! That’s the kind of thing an idiot would have on his luggage!
wow nice statistics….I am going to go change all my passwords to better ones right now…. you really have me thinking
Hey this is really very good post. I liked it
Many people use Hotmail, but I'm pretty selective about the password and security of the email that I use. In my opinion, it is important to do so, so that my email does not collapse because of people who are not responsible.
Can you make a graph and calculate the standard deviation? I’d appreciate it more in graph form.
Interesting post, this is the best password 123456
And people wonder why somebody hacked their mailbox