Stolen Hotmail Accounts Reveal Many Simple Passwords

1234567 looks like an extremely risky password, but many Hotmail users appear willing to roll the dice.

Security researcher Bogdan Calin made that discovery after obtaining about ten thousand Windows Live Hotmail usernames and passwords last week.  The data had been stolen, presumably through a phishing scam, and posted to PasteBin, a public website.

The scammers who posted the data also raided Yahoo Mail, AOL, and Gmail, according to a study undertaken by the BBC.  The BBC's report disclosed that over twenty thousand accounts had been taken from the various providers, including the ten thousand Hotmail accounts that Calin investigated.

Security experts advise that the most secure passwords use a combination of numbers, letters, and other characters when possible, use both upper and lower case letters when possible, and avoid dates, names, or dictionary words.  Many of the most popular passwords uncovered by Calin’s study did not follow this advice.

The two passwords most commonly used by the phishing victims were 123456 and 123456789, which made up 82 of the 9,843 valid passwords Calin found.  Also among the top ten were 1234567, 12345678, and 1111111.

First names were also among the top ten that Calin analyzed, including alberto, alejandra, and alejandro.  From the frequency of these names, Calin concluded that the phishing kit that stole the passwords was specifically targeting Spanish speakers.

In a blog post he published about his findings, he said that “a big majority of Internet users still use very poor passwords.”  Others who have undertaken similar explorations in the past have backed up Calin’s assertion.  Of all the passwords Calin looked at, only six percent included the recommended mix of letters, numbers, and symbols.  More than sixty percent were either numbers only, or lower case letters.

The top 10 passwords compiled from Calin’s examination were:

1. 123456

2. 123456789

3. alejandra

4. 111111

5. alberto

6. tequiero

7. alejandro

8. 12345678

9. 1234567

10. estrella

The longest password, which appeared only once, was lafaroleratropezoooooooooooooo.
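The composition breakdown reported above (numbers only, lower case only, the recommended mix of letters, numbers, and symbols) can be reproduced on any password set a defender is authorized to audit. The sketch below is an added example, not Calin's code: the function names and the sample list are constructed for illustration, and only the deny-list entries come from the top 10 printed in this article.

```python
from collections import Counter

# Top 10 as printed in the article, used here as a deny-list.
ARTICLE_TOP10 = {
    "123456", "123456789", "alejandra", "111111", "alberto",
    "tequiero", "alejandro", "12345678", "1234567", "estrella",
}

def classify(pw: str) -> str:
    """Place a password in one of the composition classes the article reports."""
    if not pw:
        return "empty"
    if pw.isdecimal():
        return "numeric_only"
    if pw.isalpha() and pw.islower():
        return "lowercase_only"
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdecimal() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if has_letter and has_digit and has_symbol:
        return "letters_digits_symbols"   # the recommended mix
    return "other_mix"                    # e.g. mixed case, or letters plus digits

def audit(passwords):
    """Return class shares (percent), deny-listed entries and the top password."""
    total = len(passwords)
    if total == 0:
        return {"total": 0, "share_pct": {}, "deny_listed": [], "top": None}
    classes = Counter(classify(p) for p in passwords)
    share = {k: round(100 * v / total, 1) for k, v in classes.items()}
    # Case-insensitive match: "Estrella" is no better than "estrella".
    denied = sorted({p for p in passwords if p.lower() in ARTICLE_TOP10})
    top = Counter(passwords).most_common(1)[0]
    return {"total": total, "share_pct": share, "deny_listed": denied, "top": top}

# Constructed sample: a few entries from the article plus invented ones.
SAMPLE = [
    "123456", "123456", "123456789", "alejandra", "tequiero", "Estrella",
    "lafaroleratropezoooooooooooooo", "Winter2009", "c0rrect-Horse!9", "111111",
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name, pct in sorted(report["share_pct"].items(), key=lambda kv: -kv[1]):
        print(f"{name:24s} {pct:5.1f}%")
    print("deny-listed:", ", ".join(report["deny_listed"]))
```

The same `classify` and deny-list check can run at password-change time to reject weak choices before they are stored, rather than only in an after-the-fact audit.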
