Statistics from 10,000 leaked Hotmail passwords

January 13th, 2010 | Author: Haider al-Khateeb

by Bogdan Calin

An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list, and quickly generated some statistics from these passwords.

My impression is that these passwords have been gathered using phishing kits. Even more, the phishing kit used most probably was badly designed, since it was one that didn’t further authenticated the users to the Hotmail/Live website. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened, is that the users didn’t understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong.

Bellow are the statistics:

The list initially contained 10,028 entries.

After I’ve cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).

There are 8931 (90%) unique passwords in the list.

The longest password was 30 chars long: lafaroleratropezoooooooooooooo.

The shortest password was 1 char long : )

Top 20 most common passwords:

123456 – 64

123456789 – 18

alejandra – 11

111111 – 10

alberto – 9

tequiero – 9

alejandro – 9

12345678 – 9

1234567 – 8

estrella – 7

iloveyou – 7

daniel – 7

000000 – 7

roberto – 7

654321 – 6

bonita – 6

sebastian – 6

beatriz – 6

mariposa – 5

america – 5

Based on these passwords I think the phishing kit was targeted towards the Latino community.

Password length distribution:

1 chars – 2 – 0 %

2 chars – 4 – 0 %

3 chars – 4 – 0 %

4 chars – 31 – 0 %

5 chars – 49 – 1 %

6 chars – 1946 – 22 %

7 chars – 1254 – 14 %

8 chars – 1838 – 21 %

9 chars – 1091 – 12 %

10 chars – 772 – 9 %

11 chars – 527 – 6 %

12 chars – 431 – 5 %

13 chars – 290 – 3 %

14 chars – 219 – 2 %

15 chars – 157 – 2 %

16 chars – 190 – 2 %

17 chars – 56 – 1 %

18 chars – 17 – 0 %

19 chars – 7 – 0 %

20 chars – 14 – 0 %

21 chars – 10 – 0 %

22 chars – 8 – 0 %

23 chars – 3 – 0 %

24 chars – 3 – 0 %

25 chars – 3 – 0 %

26 chars – 0 – 0 %

27 chars – 3 – 0 %

28 chars – 0 – 0 %

29 chars – 1 – 0 %

30 chars – 1 – 0 %

As you can see from the list above, most of the passwords are between 6 and 9 characters long. Average password length is 8 characters.

What kind of passwords were in the list? :

3,713 = 42 %; lower alpha passwords : passwords containing only characters from ‘a’ to ‘z’.
Example : iloveyou

291 = 3 %; mixed case alpha passwords : passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’.
Example: ILoveYou

1707 = 19 %; numeric passwords: passwords containing only numbers (‘0′ to ‘9′)
Example: 123456

2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-’z’, ‘A’-’Z’ and ‘0′-’9′.
Example: Iloveyou12

565 = 6 %; mixed alpha + numeric + other characters.
Example: 1Love You$%@

As we can see and conclude from the list above, a big majority of users still use very poor passwords: 42% (lower alpha only) and 19% (numeric only), while only 6% from all the passwords had passwords which use a selection of alpha numeric and other characters.

Ref.

Bogdan Calin (2009). Statistics from 10,000 leaked Hotmail passwords. [cited 2010 Jan 12];
Available from: http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/

Posted in Reference Library (Interesting News)

September 2010
M	T	W	T	F	S	S
« Feb
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30

Statistics from 10,000 leaked Hotmail passwords

Leave a Reply