October 6th, 2009
Weak passwords dominate statistics for Hotmail's phishing scheme leak
The recently leaked accounting data of thousands of Hotmail users — Gmail has also been affected — obtained through what appears to be a badly executed phishing campaign, once again puts the spotlight on the how bad password management practices remain an inseparable part of the user-friendly ecosystem.
According to a statistical analysis of the 10,000 passwords published by Bogdan Calin at Acunetix, 42% of the phished users use lower alpha passwords only (a to z), 19% rely on numbers only, with 22% of the total sampled population using a 6 character password (Live.com’s minimum), followed by 21% of users using 8 character passwords.
Here are the top 10 most commonly used passwords:
- 123456 - 64
- 123456789 - 18
- alejandra - 11
- 111111 - 10
- alberto - 9
- tequiero - 9
- alejandro - 9
- 12345678 - 9
- 1234567 - 8
- estrella - 7
And whereas brute-forcing email accounts on a mass scale has been replaced by the much more efficient and automated approach of registering new accounts, the weak password management practices used by the affected users combined with the fact that users continue using the same password across different services, can create a favorable chain reaction for a cybercriminal knowing this simple fact.
- Go through related posts: Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers; Spammers attacking Microsoft’s CAPTCHA — again; Microsoft’s CAPTCHA successfully broken; Lack of phishing attacks data sharing puts $300M at stake annually; Online broker CommSec criticised for weak passwords, lack of SSL; Study: password resetting ’security questions’ easily guessed; Comcast responds to passwords leak on Scribd
Does the size and complexity of a password matter in the case of online brute-forcing? It depends, in the sense that if the end user believes he’s visiting the legitimate site, not even a 15 character password will prevent a phisher from obtaining it, even worse if the end user is malware-infected, the cybercriminal wouldn’t even bother launching a phishing campaign at the first place. What he shouldn’t be able to do that easily through phishing, is obtain access to all the services in use by the phished user relying on a single password.
Despite the fact that Hotmail allows users the option to set a password to expire every 72 days, isn’t it time that Microsoft empowers its users with a Gmail-like “recent account activity” feature?
What do you think? Talkback.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
