Weak passwords dominate statistics for Hotmail's phishing scheme leak
Summary: The recently leaked account data of thousands of Hotmail users -- Gmail has also been affected -- obtained through what appears to be a badly executed phishing campaign, once again puts the spotlight on how bad password management practices remain an inseparable part of the user-friendly ecosystem.
According to a statistical analysis of the 10,000 published passwords by Bogdan Calin at Acunetix, 42% of the phished users used lowercase letters only (a to z) and 19% used numbers only; 22% of the sampled population used a 6-character password (Live.com's minimum), followed by 21% using 8-character passwords.
Here are the top 10 most commonly used passwords, with the number of accounts using each:
- 123456 (64)
- 123456789 (18)
- alejandra (11)
- 111111 (10)
- alberto (9)
- tequiero (9)
- alejandro (9)
- 12345678 (9)
- 1234567 (8)
- estrella (7)
And while mass-scale brute-forcing of email accounts has been replaced by the much more efficient and automated approach of registering new accounts, the weak passwords chosen by the affected users, combined with the fact that users keep reusing the same password across different services, can set off a favorable chain reaction for any cybercriminal who knows this simple fact.
Go through related posts:
- Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers
- Spammers attacking Microsoft's CAPTCHA -- again
- Microsoft's CAPTCHA successfully broken
- Lack of phishing attacks data sharing puts $300M at stake annually
- Online broker CommSec criticised for weak passwords, lack of SSL
- Study: password resetting 'security questions' easily guessed
- Comcast responds to passwords leak on Scribd
Does the size and complexity of a password matter in the case of online brute-forcing? It depends: if the end user believes he's visiting the legitimate site, not even a 15-character password will prevent a phisher from obtaining it, and if the end user is malware-infected, the cybercriminal wouldn't even bother launching a phishing campaign in the first place. What he shouldn't be able to do so easily through phishing is obtain access to all the services the phished user relies on with a single password.
Although Hotmail lets users set their password to expire every 72 days, isn't it time that Microsoft empowered its users with a Gmail-like "recent account activity" feature?
What do you think? Talkback.
Talkback
Weak Passwords suck
COMPARE PHISHING TO BURGLARY
If you compare phishing to burglary, the current paradigm is that householders should add more locks in a neverending siege akin to "Assault on Precinct 13".
These hackers can operate with impunity and almost no risk of being caught. I am starting to think that we may need a Net police and some compromise on our personal anonymity purely to drive home the message that they will catch the hacker. Fear of detection has a greater effect than draconian penalties.
Why not combine the two!! I'm all for the 4am raid and cutting their balls off!!! :)
I know it's not feasible ...
Google and Hotmail are spyware
Part of the problem is that different software and services only allow different variations on passwords. So, even if one has a strong password for one service, you end up having to create another one for a different service. This ends up creating too many passwords for all but the most retentive user to remember. So, they end up with simple passwords they can remember.
There should be an international convention which ensures that all passwords are allowed to use large combinations of letters, numbers, symbols, capitals and lower case. Then, even though it might be preferable to have different passwords for different services, you could at least have one strong password to use on various services.
The choice is between the optimal and the practical. Of course, once you give a password to Google, you know it will one day be known to evil doers.
Do you even know what phishing is? This isn't Gmail's or Hotmail's fault.
Article confuses the issue
They Tend to Do that
So it does not surprise me that one of them would confuse two separate issues in their writing -- though I am sure they understand the distinctions themselves.
That said, the author DID make it clearer than Bstring gives him credit for. The fact that strong passwords don't help if the user has taken a phishing email as genuine was explicitly mentioned.
Indeed: Bstring seems to have missed what the topic of this article is: it is NOT 'phishing', it is the 'factoid' revealed BY the "poorly executed phishing attempt": that so many of the passwords are lamentably weak.
The main point of the article seems to be: the campaign to get people to use only strong passwords has been a failure. Since it has been such a failure, something more is needed, such as the "recent account activity" feature.
But I have to disagree, though the recent account activity feature is a good one. The reason I disagree is that strong passwords really are necessary, unless you are willing to replace passwords with biometrics and/or tokens. But even then, the latter should be used together with strong passwords, not merely as a replacement for them.
So what can we do about the failure? We need to put pressure on such websites to enforce strong password rules.
At one point in time, Kaiser Health Foundation hospitals did this: if you tried to use 'alejandro' as a password, it would not let you. It would insist you choose another, stronger password.
But even they made a major blunder here: they thought that telling the user WHY the password was rejected was a security leak, so they left the user completely in the dark, having to GUESS the rules.
That kind of thinking is a great danger to any campaign to get people to take security seriously.
That's starting to happen
"Ein möglichst sicheres Passwort besteht aus:
* Mindestens 8 Zeichen
* Buchstaben UND Zahlen
* Umlauten und/oder Sonderzeichen
* Groß- UND Kleinschreibung"
Translation:
"A password that is as safe as possible consists of:
* At least 8 characters
* Letters AND numbers
* Umlauts* and/or special characters
* Upper AND lower case letters"
Umlauts* = ä, ö, ü etc.
It also tells you when the password was last changed and reminds you to change it on a regular basis (monthly, I think).
If you fail to meet all of these criteria it complains, and I'm not sure it will even allow weak passwords (not that I have tried, although I did respond to the prompt to include upper and lower case letters, which I had initially failed to do, since most other sites are happy enough with two or three of these requirements being fulfilled).
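The rules quoted in this comment, and the earlier point that a site should tell the user WHY a password was rejected rather than leaving them to guess, can be put together in a small check. This is an added example, not the quoted site's code or Kaiser's: it evaluates every rule and returns all the unmet ones as plain-language reasons, and also refuses values from a constructed denylist of commonly leaked passwords (the names and threshold are assumptions).

```python
# Constructed denylist drawn from the kind of values that top leaked lists.
DENYLIST = {"123456", "123456789", "111111", "12345678", "1234567", "alejandro"}

# German umlauts and eszett count as "Umlaute" for the quoted rule.
UMLAUTS = set("äöüÄÖÜß")


def is_special(c):
    """An umlaut, or any printable character that is neither a letter, digit nor space."""
    return c in UMLAUTS or (not c.isalnum() and not c.isspace())


def check_policy(pw, min_len=8):
    """Return every reason the password fails the policy; an empty list means it passes.

    Reporting all failures at once is the point: the user learns the rules
    instead of guessing them one rejection at a time.
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append("at least %d characters required (got %d)" % (min_len, len(pw)))
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        reasons.append("must contain both letters and numbers")
    if not any(is_special(c) for c in pw):
        reasons.append("must contain an umlaut or a special character")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        reasons.append("must mix upper and lower case letters")
    if pw.lower() in DENYLIST:
        reasons.append("appears on the list of commonly leaked passwords")
    return reasons


def explain(pw):
    """Human-readable verdict suitable for showing back to the user."""
    reasons = check_policy(pw)
    if not reasons:
        return "accepted"
    return "rejected: " + "; ".join(reasons)


if __name__ == "__main__":
    for candidate in ["alejandro", "123456", "Grüße2009!"]:
        print(repr(candidate), "->", explain(candidate))
```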
Starting?
such systems have been in place since before the Internet.
Only if you let it be
disallow weak passwords . . .
set as passwords.
Re: disallow weak passwords
While I agree with this statement, the issue is this wasn't the email provider's fault. If these credentials were in fact phished, either by an email or a socially engineered rogue application, the strongest password in the world wouldn't make a difference. There was no tech involved at that point, any more than if you had simply handed the credentials over in the street. So disallowing weak passwords, while a start in the right direction, won't solve the problem.
People who use weak passwords
Hear! Hear!
allowed password limited to alphanumerics. It is limited to lowercase letters and numbers. The first character must be a lowercase letter. The password may be between 5 and 7 characters long, no less, no more.
THIS IS A BANK! Go figger.
Very fortunately, it is a very tiny business, and very fortunately, it is soon to be closed and I can easily live without it. So there.
What makes you think
account activity" as anything more than incomprehensible statistics?
Sure, security minded people may occasionally check those activity stats. But you also have a strong password, right?
2-factor authentication?
After all, it seems a little pointless if the banks require it to login to their websites but someone can gain access to your email and view the statements etc that your bank emails you by phishing or password guessing.
Sounds good
Do you Know what 2 Factor Means?
Obviously two factor authentication has to be implemented not just on accessing the account, but on reading the account statements, so that there are no "bank emails" to leak the data.
Some banks might not have figured this out, but E*trade has: the security token they offer is a great example of how to do 2 factor authentication.
Um..
passing the PNG on through to the user?
RE: Weak passwords dominate statistics for Hotmail's phishing scheme leak
http://www.stickypassword.com