Weak passwords dominate statistics for Hotmail's phishing scheme leak


Summary: The recently leaked account data of thousands of Hotmail users -- Gmail accounts have also been affected -- obtained through what appears to be a badly executed phishing campaign, once again puts the spotlight on how poor password management practices remain an inseparable part of the user-friendly web ecosystem.

TOPICS: Security


According to a statistical analysis of the 10,000 leaked passwords published by Bogdan Calin at Acunetix, 42% of the phished users used lowercase letters only (a to z) and 19% used numbers only; 22% of the sampled population used a 6 character password (Live.com's minimum), followed by 21% using 8 character passwords.

Here are the top 10 most commonly used passwords, with the number of times each appears in the leaked list:

- 123456 (64)
- 123456789 (18)
- alejandra (11)
- 111111 (10)
- alberto (9)
- tequiero (9)
- alejandro (9)
- 12345678 (9)
- 1234567 (8)
- estrella (7)
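As an added example (not code from the article, and not Acunetix's analysis), the following Python reproduces the kind of breakdown described above: it buckets passwords by character class, tabulates lengths and lists the most frequent entries. It runs on a constructed sample whose repeats are shaped like the leaked top 10; the sample list, the 6-character minimum and the COMMON blocklist are assumptions for illustration only. The weak_reasons helper goes one step beyond the article and returns every reason a password fails, so a signup form could tell the user what to fix rather than just rejecting it.

```python
"""Password-list breakdown in the style of the Acunetix analysis.

Added example, not the article's or Acunetix's code. The sample list below is
constructed for illustration; its repeats mirror the shape of the leaked top 10.
"""
from collections import Counter

# Constructed stand-in for the leaked list (not real leaked data).
SAMPLE = (
    ["123456"] * 6 + ["123456789"] * 3 + ["alejandra"] * 2 + ["111111"] * 2
    + ["alberto", "tequiero", "12345678", "1234567", "estrella",
       "Tr0ub4dor&3", "correcthorse", "p@ssw0rd", "Madrid2009"]
)

# Top 10 from the article, used as a blocklist (assumption: a real deployment
# would use a far larger list of known-leaked passwords).
COMMON = {"123456", "123456789", "alejandra", "111111", "alberto",
          "tequiero", "alejandro", "12345678", "1234567", "estrella"}

MINIMUM_LENGTH = 6  # Live.com's minimum, per the article


def char_class(pw):
    """Bucket a password by the character classes it uses."""
    if pw.isalpha() and pw.islower():
        return "lower_alpha_only"      # a-z only, the 42% bucket in the article
    if pw.isdigit():
        return "digits_only"           # the 19% bucket
    if pw.isalnum():
        return "mixed_alnum"           # letters and digits, some uppercase
    return "with_symbols"


def analyze(passwords):
    """Return class percentages, length percentages and the top-10 list."""
    n = len(passwords)
    classes = Counter(char_class(p) for p in passwords)
    lengths = Counter(len(p) for p in passwords)
    return {
        "total": n,
        "class_pct": {k: round(100 * v / n) for k, v in classes.items()},
        "length_pct": {k: round(100 * v / n) for k, v in sorted(lengths.items())},
        "top": Counter(passwords).most_common(10),
    }


def weak_reasons(pw, minimum=MINIMUM_LENGTH, common=COMMON):
    """Every reason a password would be rejected; an empty list means it passes.

    Returning all reasons (rather than a bare 'rejected') is what lets a
    signup form tell the user what to fix instead of making them guess.
    """
    reasons = []
    if len(pw) < minimum:
        reasons.append("shorter than %d characters" % minimum)
    if pw in common:
        reasons.append("appears in the leaked top-10 list")
    cls = char_class(pw)
    if cls == "digits_only":
        reasons.append("digits only")
    elif cls == "lower_alpha_only":
        reasons.append("lowercase letters only")
    return reasons


if __name__ == "__main__":
    stats = analyze(SAMPLE)
    print("sampled:", stats["total"])
    for bucket, pct in stats["class_pct"].items():
        print("%-17s %3d%%" % (bucket, pct))
    print("by length:", stats["length_pct"])
    for pw, count in stats["top"]:
        print("%-12s %3d  %s" % (pw, count, "; ".join(weak_reasons(pw)) or "ok"))
```

On the constructed sample the digits-only bucket dominates (59%) and 6-character passwords are the most common length (36%), which is the same shape Calin reported for the real list; swap SAMPLE for a file of one password per line to run the breakdown on a real dump.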

And whereas mass-scale brute-forcing of existing email accounts has largely been replaced by the more efficient and automated approach of registering new accounts, the weak passwords chosen by the affected users, combined with the fact that users keep reusing the same password across different services, can set off a favorable chain reaction for a cybercriminal who knows this simple fact: a phished Hotmail password is frequently also the password to the victim's other accounts.

Do the length and complexity of a password matter in the case of online attacks? It depends on how the credentials are obtained. If the end user believes he is visiting the legitimate site, not even a 15 character password will prevent a phisher from obtaining it; worse, if the end user is already malware-infected, the cybercriminal would not bother launching a phishing campaign in the first place. What the phisher should not be able to do so easily is gain access to every service the phished user relies on with that single password.

Hotmail does allow users to set their password to expire every 72 days, but isn't it time Microsoft empowered its users with a Gmail-like "recent account activity" feature, showing the time and IP address of recent logins, so that a phished account being used from an unfamiliar location can at least be noticed?

What do you think? Talkback.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



  • Weak Passwords suck

    Until about 4 years ago my organization had no restrictions on passwords. Our students got their birthdays or their phone numbers as passwords and our staff could choose whatever they wanted. The most common staff password was 1234. Well, after years of security breaches and administration wondering why (despite being told why), we finally got it so we can use some security. Now our students get a randomly generated password from the Student Information system, which teachers and tech staff can look up, and staff have to meet requirements like having at least 1 capital and number in a password that is 7 characters long; it cannot be consecutive numbers or be part of your name or username, and some other easy-to-guess things. It's not perfect but a hell of a lot better than it was. The funny thing is when they go to use that same password on an online service or something that gives an indication of how strong your password is, I get questions on why they are being told their password is weak or medium rated. I am sure most just choose their dog's name and put a number after it or something.

      I think too much of the focus is on reactive security.

      If you compare phishing to burglary, the current paradigm is that householders should add more locks in a neverending siege akin to "Assault on Precinct 13".
      These hackers can operate with impunity and almost no risk of being caught. I am starting to think that we may need a Net police and some compromise on our personal anonymity purely to drive home the message that they will catch the hacker. Fear of detection has greater effect than draconian penalties.
      Why not combine the two !! I'm all for the 4am raid and cutting their balls off !!! :)
  • I know it's not feasible ...

    for Google, MSN, etc. to use, but limiting missed logins is what we use for our company's e-mail. Occasionally there are lockouts when no one from the company has tried to log on. It makes me wonder about brute force attacks.
  • Google and Hotmail are spyware

    Google is the worst, but considering that everything you do is stored by these providers, at Google for 18 months, I consider them to be the most dangerous spyware around.

    Part of the problem is that different software and services only allow different variations on passwords. So, even if one has a strong password for one service, you end up having to create another one for a different service. This ends up creating too many passwords for all but the most retentive user to remember. So, they end up with simple passwords they can remember.

    There should be an international convention which ensures that all passwords are allowed to use a large combinations of letters, numbers, symbols, capitals and lower case. Then, even though it might be preferable to have different passwords for different services, you could at least have one strong password to use on various services.

    The choice is between the optimal and the practical. Of course, once you give a password to Google, you know it will one day be known to evil doers.
    • Do you even know what phishing is? This isn't Gmail's or Hotmail's fault.

      • Article confuses the issue

        I tend to agree. A phishing scam wouldn't rely on cracking Hotmail or Gmail's code. This is sort of indicative of the mess that current writers in the tech field tend to get into: this guy doesn't seem to make a clear distinction between problems with phishing scams and weak passwords. You don't need a phishing scam to break a weak password!
        • They Tend to Do that

          Both Naraine and Danchev write knowledgeably about security issues, but neither pays enough attention to the principles of composition: they should both memorize Strunk and White and keep a copy of Fowler on their desks.

          So it does not surprise me that one of them would confuse two separate issues in their writing -- though I am sure they understand the distinctions themselves.

          That said, the author DID make it clearer than Bstring gives him credit for. The fact that strong passwords don't help if the user has taken a phishing email as genuine was explicitly mentioned.

          Indeed: Bstring seems to have missed what the topic of this article is. It is NOT "phishing", it is the "factoid" revealed BY the poorly executed phishing attempt: that so many of the passwords are lamentably weak.

          The main point of the article seems to be: the campaign to get people to use only strong passwords has been a failure. Since it has been such a failure, something more is needed, such as the "recent account activity" feature.

          But I have to disagree, though the recent account activity feature is a good one. The reason I disagree is that strong passwords really are necessary, unless you are willing to replace passwords with biometrics and/or tokens. But even then, the latter should be used together with strong passwords, not merely as a replacement for them.

          So what can we do about the failure? We need to put pressure on such websites to enforce strong password rules.

          At one point in time, Kaiser Health Foundation hospitals did this: if you tried to use 'alejandro' as a password, it would not let you. It would insist you chose another, stronger password.

          But even they made a major blunder here: they thought that telling the user WHY the password was rejected was a security leak, so they left the user completely in the dark, having to GUESS the rules.

          That kind of thinking is a great danger to any campaign to get people to take security seriously.
          • That's starting to happen

            Recently, GMX implemented new password rules that tells you what your password should have. In German:

            "Ein möglichst sicheres Passwort
            besteht aus:

            * Mindestens 8 Zeichen
            * Buchstaben UND Zahlen
            * Umlauten und/oder Sonderzeichen
            * Groß- UND Kleinschreibung"


            "A password that is as safe as possible consists of:

            * At least 8 characters
            * Letters AND numbers
            * Umlauts* and/or special characters
            * Upper AND lower case letters"

            Umlauts* = ä, ö, ü etc.

            It also tells you when the password was last changed and reminds you to change it on a regular basis (monthly, I think).

            If you fail to meet all of these criteria it complains, and I'm not sure it will even allow weak passwords (not that I have tried, although I did respond to the prompt to include upper and lower case letters, which I had initially failed to do, since most other sites are happy enough with 2 or three of these requirements being fulfilled).
          • Starting?

            None of this is new. I would go so far as to say
            such systems have been in place since before the
    • Only if you let it be

      While this may be true, you can only recommend that people utilize a strong password; you can only recommend that people use one account for actual correspondence and another for garbage collection (Hotsnail works great for garbage collection). You can tell folks this and that, and in the end they will still do what they want.
  • disallow weak passwords . . .

    Weak passwords like these shouldn't even be allowed to be
    set as passwords.
    • Re: disallow weak passwords

      > Weak passwords like these shouldn't even be allowed to be set as passwords.

      While I agree with this statement, the issue is this wasn't the email provider's fault. If these credentials were in fact phished, either by an email or a social engineered rogue application, the strongest password in the world wouldn't make a difference. There was no tech involved at that point, any more than if you had simply handed the credentials over in the street. So disallowing weak passwords, while a start in the right direction, won't solve the problem.
  • People who use weak passwords

    deserve what they get, but also, places that force the user to use only alphanumerics, when there are so many more characters available on the keyboard also suck.
    • Hear! Hear!

      I have a small-business bank account. Not only is the
      allowed password limited to alphanumerics. It is limited
      to lowercase letters and numbers. The first character
      must be a lowercase letter. The password may be
      between 5 and 7 characters long, no less, no more.
      THIS IS A BANK! Go figger.

      Very fortunately, it is a very tiny business, and very
      fortunately, it is soon to be closed and I can easily live
      without it. So there.
  • What makes you think

    That people who use weak password would regard a "recent
    account activity" as anything more than incomprehensible

    Sure, security minded people may occasionally check those
    activity stats. But you also have a strong password,
  • 2-factor authentication?

    Is it time to broaden the use of 2-factor authentication?

    After all, it seems a little pointless if the banks require it to login to their websites but someone can gain access to your email and view the statements etc that your bank emails you by phishing or password guessing.
    • Sounds good

      But please could you clarify what 2-factor authentication is. I imagine it's the use of a secondary password, i.e. a code in addition to the username & password combination, but other readers may have even less of a clue than I do.
    • Do you Know what 2 Factor Means?

      It means that password alone is NOT enough to access the account. If, for example, the second factor is a code from a PNG token, then phishing is useless. The phisher can capture only the password, but not the token. Without that, the password is useless.

      Obviously two factor authentication has to be implemented not just on accessing the account, but on reading the account statements, so that there is no "bank emails" to leak the data.

      Some banks might not have figured this out, but E*trade has: the security token they offer is a great example of how to do 2 factor authentication.
      • Um..

        ..what, exactly, would stop the phishing site from
        passing the PNG on through to the user?
  • RE: Weak passwords dominate statistics for Hotmail's phishing scheme leak

    What a surprise. People like that should use some kind of password management tool. For example Sticky Password is one of the greatest tools on the market.