Statistics from 10,000 leaked Hotmail passwords


An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list, and quickly generated some statistics from these passwords.

My impression is that these passwords have been gathered using phishing kits. Even more, the phishing kit used was most probably badly designed, since it did not further authenticate the users to the Hotmail/Live website. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn’t understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong.

Below are the statistics:

  • The list initially contained 10,028 entries.
  • After cleaning up the list (removing entries without a password), I was left with 9843 valid entries (passwords).
  • There are 8931 (90%) unique passwords in the list.
  • The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
  • The shortest password was 1 char long : )

Top 20 most common passwords:

  1. 123456 - 64
  2. 123456789 - 18
  3. alejandra - 11
  4. 111111 - 10
  5. alberto - 9
  6. tequiero - 9
  7. alejandro - 9
  8. 12345678 - 9
  9. 1234567 - 8
  10. estrella - 7
  11. iloveyou - 7
  12. daniel - 7
  13. 000000 - 7
  14. roberto - 7
  15. 654321 - 6
  16. bonita - 6
  17. sebastian - 6
  18. beatriz - 6
  19. mariposa - 5
  20. america - 5

Based on these passwords I think the phishing kit was targeted towards the Latino community.

Password length distribution (length – number of passwords – percentage):

  • 1 chars – 2 – 0 %
  • 2 chars – 4 – 0 %
  • 3 chars – 4 – 0 %
  • 4 chars – 31 – 0 %
  • 5 chars – 49 – 1 %
  • 6 chars – 1946 – 22 %
  • 7 chars – 1254 – 14 %
  • 8 chars – 1838 – 21 %
  • 9 chars – 1091 – 12 %
  • 10 chars – 772 – 9 %
  • 11 chars – 527 – 6 %
  • 12 chars – 431 – 5 %
  • 13 chars – 290 – 3 %
  • 14 chars – 219 – 2 %
  • 15 chars – 157 – 2 %
  • 16 chars – 190 – 2 %
  • 17 chars – 56 – 1 %
  • 18 chars – 17 – 0 %
  • 19 chars – 7 – 0 %
  • 20 chars – 14 – 0 %
  • 21 chars – 10 – 0 %
  • 22 chars – 8 – 0 %
  • 23 chars – 3 – 0 %
  • 24 chars – 3 – 0 %
  • 25 chars – 3 – 0 %
  • 26 chars – 0 – 0 %
  • 27 chars – 3 – 0 %
  • 28 chars – 0 – 0 %
  • 29 chars – 1 – 0 %
  • 30 chars – 1 – 0 %

As you can see from the list above, most of the passwords are between 6 and 9 characters long.  Average password length is 8 characters.

What kinds of passwords were in the list?

  • 3,713 = 42 %; lower alpha passwords: passwords containing only characters from ‘a’ to ‘z’.
    Example: iloveyou
  • 291 = 3 %; mixed case alpha passwords: passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’.
    Example: ILoveYou
  • 1707 = 19 %; numeric passwords: passwords containing only digits (‘0’ to ‘9’).
    Example: 123456
  • 2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-‘z’, ‘A’-‘Z’ and ‘0’-‘9’.
    Example: Iloveyou12
  • 565 = 6 %; mixed alpha + numeric + other characters.
    Example: 1Love You$%@

As we can see and conclude from the list above, a big majority of users still use very poor passwords: 42 % (lower alpha only) and 19 % (numeric only), while only 6 % of all the passwords used a mix of alphabetic, numeric and other characters.
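To make the statistics above reproducible, here is an added example (not the post's own script) that runs the same cleanup, top-N, length and character-class counts over a small constructed dump of "email:password" lines. The five class counts and the length distribution each sum to 8931, the post's unique-password total, so those two statistics are computed over unique passwords here; the "other" fallback class (e.g. upper-case-only) is an assumption, since the post defines only five classes.

```python
import re
from collections import Counter

# Constructed sample dump in "email:password" form; the real list is not reproduced.
SAMPLE = """\
a@hotmail.com:123456
b@hotmail.com:123456
c@hotmail.com:tequiero
d@hotmail.com:
e@hotmail.com:ILoveYou
f@hotmail.com:Iloveyou12
g@hotmail.com:1Love You$%@
h@hotmail.com:123456
i@hotmail.com:iloveyou
"""

# Character classes as the post defines them, checked in order; "other" (assumed
# here) catches strings that fit none, such as upper-case-only or alpha+symbol.
CLASSES = [
    ("lower alpha", re.compile(r"^[a-z]+$")),
    ("mixed case alpha", re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]+$")),
    ("numeric", re.compile(r"^[0-9]+$")),
    ("mixed alpha numeric", re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9])[A-Za-z0-9]+$")),
    ("alpha numeric other", re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).+$")),
]

def classify(pw):
    for name, rx in CLASSES:
        if rx.match(pw):
            return name
    return "other"

def parse(dump):
    """Split on the first ':' (passwords may contain ':') and drop empty passwords."""
    pws = []
    for line in dump.splitlines():
        _user, sep, pw = line.partition(":")
        if sep and pw:
            pws.append(pw)
    return pws

def stats(dump, top=20):
    pws = parse(dump)
    uniq = set(pws)
    return {
        "entries": len(pws),                      # valid entries after cleanup
        "unique": len(uniq),                      # distinct passwords
        "top": Counter(pws).most_common(top),     # occurrences, over all entries
        "length_hist": Counter(len(p) for p in uniq),
        "classes": Counter(classify(p) for p in uniq),
    }
```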

  • Amazingly, American Express still limits its online account users to maximum 8 (yes–EIGHT!) purely alphanumeric passwords; even dashes and underscores are verboten. I complained to their online tech support reps a few times directly, but to no avail. They should be scolded publicly for these unbelievably stupid and dangerous limitations.

    –Tony G

  • Wells Fargo does the same thing but they found a way to take it one step further. Both user names and passwords are NOT case sensitive.

  • “As we can see and conclude from the list above, a big majority of internet users still use very poor passwords: 42 % (lower alpha only) and 19 % (numeric only), while only 6 % from all the passwords had passwords which use a selection of alpha numeric and other characters.”

    It’s not really valid to say that “a big majority of internet users” when the “study” is of users whose accounts have fallen to some hacking attempt. Users who are knowledgeable about password security would be less likely to give information to a phishing attack.

  • @Benjamin Manns : You are right, thanks for noticing. It’s my mistake. I wanted to say “a big majority of users” (referring to these Hotmail users) not “a big majority of internet users”. I’ve corrected the post. Thanks again.

  • Hi Dmitry. Unfortunately, I don’t understand Russian. I’ve tried Google translate but the results are not very good and it cannot translate images :)

  • Hi Bogdan,

    Congrats for your study. Very clean and very useful.

    Could you please provide the list you have used for that study. Is there any place where we can find it?

    Thank you very much.

  • I found the list via Twitter. It was deleted since then. However, I’m sure you can still find it somewhere if you look closely enough.

  • Why do people use such simple passwords? The best trick is to use the same cryptical password, but with another letter at the beginning etc.! Easy to remember and never the same.

  • tequiero is iloveyou in spanish
    tequiero – 9
    iloveyou – 7

  • The data is unreliable, as these are assumed to be from a phishing scam. The best statistics you will get would only apply to the population of users that will fall for a phishing scam. Also, this is assuming the passwords are real (I sometimes spitefully enter false information into phishing scams). Personally, I’d like to know how different the statistics would be for people that did not fall for the same scam.

  • Are people with the name Alejandra or Alejandro predispositioned to come up with bad passwords?

  • I cannot remember what I cannot remember. Cyber society built on this sort of password system is a sand castle. One solution could be expanding the password system to include graphics and photos in addition to characters so that users will be able to select what they are good at from among them. One such solution named Mnemonic Guard is becoming well known in Japan.

  • Couldn’t someone tell Microsoft to send a mail to compromised accounts, or instead put a site on the web where you can ask if your password has been compromised?

    It seems incredible to ask all people on hotmail to reset their password for a 10.000 leak.

    NOTE: Maybe, if you had the names of the accounts, you could be so kind as to put up a web form to ask about my account.

    Many Thanks ;-)

  • Your account is not on the list :) But it’s a good security practice to change all your important passwords regularly. It depends on you how regularly.

  • Thank you very much, Mr. Bogdan :)

  • I’ve noticed a major flaw if you login via MSN Messenger. It ISN’T case sensitive!

    i.e. if you use an upper and lower case alphas in your password, then it doesn’t matter if you type PaSSwoRD or password or PASSWORD.

    A huge oversight.

  • “6 %; mixed alpha + numeric + other characters.” only 6% of good passwords? damn…

  • I can’t believe it :) My hotmail password is also 123456

    But here’s a catch, its a /dev/null email account I use to give to sites which refuse to serve me stuff without registering, so it’s a sink for their spam crap.

    I wouldn’t be so quick to judge us all idiots, not everyone wants or needs a high level of security and different randomized complex passwords for every authenticatable piece of asset we have. A crappy hotmail account is definitely not one.

  • What’s worse is that some NY based national banks now only allow 4 digit PINs for ATMs. The teller asked if she could help with anything else- I complained about that and she told me to go online. Nice. Told her it was way less secure than the old 6 digit code.

  • Interesting post. Very nice and such a valuable information u shared with us. Thanks for it.

  • I also heard that 12345 is the most common password in the whole world. So anyone who is using this password is advised to change their password…

  • I think there are certain passwords which are very common and are used everywhere. So we should use strong passwords.

  • My msn and facebook were hacked a week ago. And I can’t find any way to solve it. Can someone please help me? I’m a student and I need my email so much. If there is someone who can help me then please email me. Thanks

  • 12345? That’s the stupidest combination I’ve heard of in my life! That’s the kind of thing an idiot would have on his luggage!

  • wow nice statistics….I am going to go change all my passwords to better ones right now…. you really have me thinking



  • Many people use hotmail, but I’m pretty selective about providing a password and security for the email that I use. In my opinion, it is important to do so, so that my email is not compromised by people who are not responsible.

  • Can you make a graph and calculate the standard deviation? I’d appreciate it more in graph form.

  • Interesting post, this is the best password 123456 :-) And people wonder why somebody hacked their mailbox
