Thread: Analysis of 10k hotmail passwords

  1. #1 Junior Member (Join Date: Mar 2006, Posts: 28)

    Analysis of 10k hotmail passwords

    Ok, not all of them were hotmail passwords, but that's how they are being talked about in the media

    Thousands of Hotmail passwords leaked online

    I did some initial analysis of the list which can be found below:

    Reusable Security: 10k Hotmail Passwords

    I haven't had much time to go over them, but I'll try to post some follow-up info, such as the effectiveness of different input dictionaries, a more detailed analysis of the word mangling rules used, etc., later. If there is any specific information people are interested in (with the exception of where to grab the list, sorry, I'm not going to repost that), please let me know.

  2. #2 Senior Member (Join Date: Jan 2009, Posts: 114)

    From your site:

    So on to the analysis:
    • Total Passwords: 9,845 - This number excludes all the e-mail addresses that had blank passwords
    • Average Password Length: 8.7 characters long
    • Percentage that contained an UPPERCASE letter: 7.2%
    • Percentage that contained a special (aka !@#$) character: 5.2%
    • Percentage that contained a digit: 51.7%
    • Percentage that only contained lowercase letters: 43.3%
    • Percentage that only contained digits: 17.6%
    • Percentage that started with a digit (aka '1password'): 25.0%
    • Percentage that ended with a digit (aka 'password1'): 44.1%
    • Percentage that started with a special character: 0.5%
    • Percentage that ended with a special character: 2.2%
    • Percentage that started with an uppercase letter: 6.1%

    But from:

    Acunetix Web Application Security Blog » Statistics from 10,000 leaked Hotmail passwords

    Below are the statistics:

    ◦ The list initially contained 10,028 entries.
    ◦ After I've cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
    ◦ There are 8931 (90%) unique passwords in the list.
    ◦ The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
    ◦ The shortest password was 1 char long: )

    Top 20 most common passwords:

    1. 123456 - 64
    2. 123456789 - 18
    3. alejandra - 11
    4. 111111 - 10
    5. alberto - 9
    6. tequiero - 9
    7. alejandro - 9
    8. 12345678 - 9
    9. 1234567 - 8
    10. estrella - 7
    11. iloveyou - 7
    12. daniel - 7
    13. 000000 - 7
    14. roberto - 7
    15. 654321 - 6
    16. bonita - 6
    17. sebastian - 6
    18. beatriz - 6
    19. mariposa - 5
    20. america - 5

    acer 5920g , 345abg , nvidia 8600m
    bt5 kde 64bit + acpi + cuda 4.0 / nvidia 270.40 / pyrit

  3. #3 Senior Member (Join Date: Jan 2009, Posts: 114)

    Oohh, what a big FAIL. Looking for "lafaroleratropezooooooooooooo" ... Google has saved all the passwords.

    I think it doesn't love Microsoft.

  4. #4 Junior Member (Join Date: Sep 2009, Posts: 43)

    Indeed, Nemis.
    Not hard to retrieve the whole list.

    1. 123456 - 64

  5. #5 thorin, "My life is this forum" (Join Date: Jan 2010, Posts: 2,629)

    I'm actually kind of surprised about the counts in the top 20. I mean the top 20 only account for 216 out of 9,843.

    The number or frequency of names and purely useless strings makes me think that the majority of breached accounts were not actual user accounts but rather bulk created accounts for spamming/phishing. It would be interesting to see an analysis of the usernames associated with the analyzed passwords.

    Also the analysis seems to ignore any sort of correlation between username and password. I'd like to know how many had username as password (or some portion of). i.e.: Username is fred.penner and password is penner01 OR username fred.penner password fred.penner, etc.

    "over the weekend Microsoft learned that several thousand Windows Live Hotmail customer's credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."
    I take this to mean that if my account hasn't been disabled, it was also not compromised. Though I don't really care about my hotmail account; I mainly use it for web forms/registrations that I expect to spam me.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  6. #6 Junior Member (Join Date: Mar 2006, Posts: 28)

    Thorin, a quick answer is that 9 users had the exact same password as their e-mail address, aka fred@hotmail.com - password fred.

    It will take me a little bit longer to figure out the answer to your other question (if they use a part of their username in their password), since I need to script up a quick parser; I don't want to have to manually eyeball all 10k passwords.
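    The metrics quoted in post #2 and the username/password overlap check raised in posts #5 and #6, as an added Python example (not code from this thread or from either linked blog). It assumes an `email:password` dump format with one entry per line; the sample list below is constructed, not the leaked data, and the `min_len` threshold for a "partial" username match is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample in the assumed "email:password" format (not the leaked list).
SAMPLE = """\
fred@hotmail.com:fred
fred.penner@hotmail.com:penner01
maria@hotmail.com:123456
jose@hotmail.com:
ana@hotmail.com:Alejandra1
luis@hotmail.com:!tequiero
pepe@hotmail.com:123456
"""

def parse(text):
    """Return (username, password) pairs, dropping blank passwords as both blogs did."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if password:
            pairs.append((email.split("@", 1)[0].lower(), password))
    return pairs

def stats(pairs):
    """Compute the composition metrics listed in post #2 over the password column."""
    pw = [p for _, p in pairs]
    n = len(pw)
    pct = lambda pred: round(100 * sum(1 for p in pw if pred(p)) / n, 1)
    return {
        "total": n,
        "avg_len": round(sum(map(len, pw)) / n, 1),
        "has_upper": pct(lambda p: any(c.isupper() for c in p)),
        "has_special": pct(lambda p: any(not c.isalnum() for c in p)),
        "has_digit": pct(lambda p: any(c.isdigit() for c in p)),
        "only_lower": pct(lambda p: p.isalpha() and p.islower()),
        "only_digits": pct(str.isdigit),
        "starts_digit": pct(lambda p: p[0].isdigit()),
        "ends_digit": pct(lambda p: p[-1].isdigit()),
        "top": Counter(pw).most_common(3),
    }

def username_overlap(pairs, min_len=4):
    """Count passwords equal to the username (exact) or containing a username
    part of at least min_len characters, splitting the username on . _ - (partial)."""
    exact = partial = 0
    for user, pw in pairs:
        low = pw.lower()
        if low == user:
            exact += 1
        elif any(part in low for part in re.split(r"[._-]", user) if len(part) >= min_len):
            partial += 1
    return exact, partial
```

    Run against a real dump, `stats()` reproduces the post #2 percentages and `username_overlap()` answers thorin's question from post #5 with a single pass over the file.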
