Weak passwords dominate statistics for Hotmail's phishing scheme leak

Summary:The recently leaked accounting data of thousands of Hotmail users -- Gmail has also been affected -- obtained through what appears to be a badly executed phishing campaign, once again puts the spotlight on the how bad password management practices remain an inseparable part of the user-friendly ecosystem.

The recently leaked accounting data of thousands of Hotmail users -- Gmail has also been affected -- obtained through what appears to be a badly executed phishing campaign, once again puts the spotlight on the how bad password management practices remain an inseparable part of the user-friendly ecosystem.

According to a statistical analysis of the 10,000 passwords published by Bogdan Calin at Acunetix, 42% of the phished users use lower alpha passwords only (a to z), 19% rely on numbers only, with 22% of the total sampled population using a 6 character password (Live.com's minimum), followed by 21% of users using 8 character passwords.

Here are the top 10 most commonly used passwords:

- 123456 - 64 - 123456789 - 18 - alejandra - 11 - 111111 - 10 - alberto - 9 - tequiero - 9 - alejandro - 9 - 12345678 - 9 - 1234567 - 8 - estrella - 7

And whereas brute-forcing email accounts on a mass scale has been replaced by the much more efficient and automated approach of registering new accounts, the weak password management practices used by the affected users combined with the fact that users continue using the same password across different services, can create a favorable chain reaction for a cybercriminal knowing this simple fact.

Does the size and complexity of a password matter in the case of online brute-forcing? It depends, in the sense that if the end user believes he's visiting the legitimate site, not even a 15 character password will prevent a phisher from obtaining it, even worse if the end user is malware-infected, the cybercriminal wouldn't even bother launching a phishing campaign at the first place. What he shouldn't be able to do that easily through phishing, is obtain access to all the services in use by the phished user relying on a single password.

Despite the fact that Hotmail allows users the option to set a password to expire every 72 days, isn't it time that Microsoft empowers its users with a Gmail-like "recent account activity" feature?

What do you think? Talkback.

Topics: Security

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.