An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list, and quickly generated some statistics from these passwords.

My impression is that these passwords have been gathered using phishing kits. Moreover, the phishing kit used was most probably badly designed: it did not subsequently authenticate the users against the real Hotmail/Live website. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn't understand what was going on, and tried to enter the same password again and again, thinking they had typed it wrong.

Below are the statistics:

  • The list initially contained 10,028 entries.
  • After cleaning up the list (removing entries without a password), 9,843 valid entries (passwords) remained.
  • There are 8,931 (90%) unique passwords in the list.
  • The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
  • The shortest password was 1 char long : )

Top 20 most common passwords:

  1. 123456 – 64
  2. 123456789 – 18
  3. alejandra – 11
  4. 111111 – 10
  5. alberto – 9
  6. tequiero – 9
  7. alejandro – 9
  8. 12345678 – 9
  9. 1234567 – 8
  10. estrella – 7
  11. iloveyou – 7
  12. daniel – 7
  13. 000000 – 7
  14. roberto – 7
  15. 654321 – 6
  16. bonita – 6
  17. sebastian – 6
  18. beatriz – 6
  19. mariposa – 5
  20. america – 5

Based on these passwords I think the phishing kit was targeted towards the Latino community.

Password length distribution:

  • 1 chars – 2 – 0 %
  • 2 chars – 4 – 0 %
  • 3 chars – 4 – 0 %
  • 4 chars – 31 – 0 %
  • 5 chars – 49 – 1 %
  • 6 chars – 1946 – 22 %
  • 7 chars – 1254 – 14 %
  • 8 chars – 1838 – 21 %
  • 9 chars – 1091 – 12 %
  • 10 chars – 772 – 9 %
  • 11 chars – 527 – 6 %
  • 12 chars – 431 – 5 %
  • 13 chars – 290 – 3 %
  • 14 chars – 219 – 2 %
  • 15 chars – 157 – 2 %
  • 16 chars – 190 – 2 %
  • 17 chars – 56 – 1 %
  • 18 chars – 17 – 0 %
  • 19 chars – 7 – 0 %
  • 20 chars – 14 – 0 %
  • 21 chars – 10 – 0 %
  • 22 chars – 8 – 0 %
  • 23 chars – 3 – 0 %
  • 24 chars – 3 – 0 %
  • 25 chars – 3 – 0 %
  • 26 chars – 0 – 0 %
  • 27 chars – 3 – 0 %
  • 28 chars – 0 – 0 %
  • 29 chars – 1 – 0 %
  • 30 chars – 1 – 0 %

As you can see from the list above, most of the passwords are between 6 and 9 characters long.  Average password length is 8 characters.

What kind of passwords were in the list?

  • 3,713 = 42 %; lower alpha passwords: passwords containing only characters from ‘a’ to ‘z’.
    Example: iloveyou
  • 291 = 3 %; mixed case alpha passwords: passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’.
    Example: ILoveYou
  • 1,707 = 19 %; numeric passwords: passwords containing only numbers (‘0’ to ‘9’).
    Example: 123456
  • 2,655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-‘z’, ‘A’-‘Z’ and ‘0’-‘9’.
    Example: Iloveyou12
  • 565 = 6 %; mixed alpha + numeric + other characters.
    Example: 1Love You$%@

As the list above shows, a large majority of users still use very poor passwords: 42 % are lower-case alpha only and 19 % are numeric only, while only 6 % of all the passwords use a mix of alphabetic, numeric and other characters.
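As an added example (not code from the original post), the Python script below reproduces the post's statistics on a small constructed sample dump: it drops entries without a password, counts unique and most common passwords, builds the length distribution, applies the five character-class categories defined above, and flags passwords that differ only in capitalization, which is the hint the post uses to infer a broken phishing page. It assumes, as the post's per-length and per-category counts both add up to 8,931, that distributions are computed over unique passwords, and that the fifth category collects everything the first four do not match.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in "user:password" form; not the leaked list.
SAMPLE_DUMP = """\
ana@example.com:123456
luis@example.com:iloveyou
luis@example.com:ILoveYou
pep@example.com:Iloveyou12
mar@example.com:
jos@example.com:1Love You$%@
eva@example.com:123456
rob@example.com:alejandra
"""

# The post's first four classes; anything else lands in the fifth bucket
# (assumption: the post's five counts add up to its unique-password total).
CATEGORIES = [
    ("lower alpha", re.compile(r"^[a-z]+$")),
    ("mixed case alpha", re.compile(r"^(?=.*[A-Z])(?=.*[a-z])[A-Za-z]+$")),
    ("numeric", re.compile(r"^[0-9]+$")),
    ("mixed alpha and numeric", re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9])[A-Za-z0-9]+$")),
]
OTHER = "alpha + numeric + other characters"

def load_passwords(dump):
    """Keep the password column, dropping entries that have no password."""
    passwords = []
    for line in dump.splitlines():
        pwd = line.partition(":")[2]
        if pwd:
            passwords.append(pwd)
    return passwords

def classify(pwd):
    """Return the post's category name for one password."""
    return next((name for name, rx in CATEGORIES if rx.match(pwd)), OTHER)

def case_variant_groups(unique):
    """Count groups of distinct passwords that differ only by case, the
    post's sign that a broken phishing page made victims retype them."""
    groups = defaultdict(set)
    for pwd in unique:
        groups[pwd.lower()].add(pwd)
    return sum(1 for members in groups.values() if len(members) > 1)

def password_stats(dump, top=3):
    """Entry/unique counts, top-N list, and length/category distributions."""
    pwds = load_passwords(dump)
    unique = set(pwds)
    return {
        "entries": len(pwds),
        "unique": len(unique),
        "top": Counter(pwds).most_common(top),
        "lengths": dict(sorted(Counter(map(len, unique)).items())),
        "average_length": round(sum(map(len, unique)) / len(unique), 1),
        "categories": dict(Counter(map(classify, unique))),
        "case_variant_groups": case_variant_groups(unique),
    }

if __name__ == "__main__":
    for key, value in password_stats(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```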

THE AUTHOR
Bogdan Calin

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.