
Thread: Analysis of 10k hotmail passwords

  #1 lakiw, Junior Member (joined Mar 2006, 28 posts)

    Analysis of 10k hotmail passwords

    Ok, not all of them were hotmail passwords, but that's how they are being talked about in the media.

    Thousands of Hotmail passwords leaked online

    I did some initial analysis of the list which can be found below:

    Reusable Security: 10k Hotmail Passwords

    I haven't had much time to go over them, but I'll try to post some follow up info, such as the effectiveness of different input dictionaries, a more detailed analysis of word mangling rules used, etc, later. If there is any specific information people are interested in, (with the exception of where to grab the list, sorry I'm not going to repost that), please let me know.

  #2 Senior Member (joined Jan 2009, 114 posts)

    From your site:

    So on to the analysis:
    •Total Passwords: 9,845 - This number excludes all the e-mail addresses that had blank passwords
    •Average Password Length: 8.7 characters long
    •Percentage that contained an UPPERCASE letter: 7.2%
    •Percentage that contained a special, (aka !@#$), character: 5.2%
    •Percentage that contained a digit: 51.7%
    •Percentage that only contained lowercase letters: 43.3%
    •Percentage that only contained digits: 17.6%
    •Percentage that started with a digit, (aka '1password'): 25.0%
    •Percentage that ended with a digit, (aka 'password1'): 44.1%
    •Percentage that started with a special character: 0.5%
    •Percentage that ended with a special character: 2.2%
    •Percentage that started with an uppercase letter: 6.1%

    But from:

    Acunetix Web Application Security Blog » Statistics from 10,000 leaked Hotmail passwords


    Below are the statistics:

    ◦The list initially contained 10,028 entries.
    ◦After I’ve cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
    ◦There are 8931 (90%) unique passwords in the list.
    ◦The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
    ◦The shortest password was 1 char long: )
    Top 20 most common passwords:

    1.123456 - 64
    2.123456789 - 18
    3.alejandra - 11
    4.111111 - 10
    5.alberto - 9
    6.tequiero - 9
    7.alejandro - 9
    8.12345678 - 9
    9.1234567 - 8
    10.estrella - 7
    11.iloveyou - 7
    12.daniel - 7
    13.000000 - 7
    14.roberto - 7
    15.654321 - 6
    16.bonita - 6
    17.sebastian - 6
    18.beatriz - 6
    19.mariposa - 5
    20.america - 5
    acer 5920g , 345abg , nvidia 8600m
    bt5 kde 64bit + acpi + cuda 4.0 / nvidia 270.40 / pyrit

  #3 Senior Member (joined Jan 2009, 114 posts)

    Oohh, what a big FAIL. Looking for "lafaroleratropezooooooooooooo" ... Google has saved all the passwords.

    I think it doesn't love Microsoft.

  #4 Junior Member (joined Sep 2009, 43 posts)

    Indeed Nemis.
    Not hard to retrieve the whole list.


    1.123456 - 64

  #5 thorin, "My life is this forum" (joined Jan 2010, 2,629 posts)

    I'm actually kind of surprised about the counts in the top 20. I mean the top 20 only account for 216 out of 9,843.

    The number or frequency of names and purely useless strings makes me think that the majority of breached accounts were not actual user accounts but rather bulk created accounts for spamming/phishing. It would be interesting to see an analysis of the usernames associated with the analyzed passwords.

    Also the analysis seems to ignore any sort of correlation between username and password. I'd like to know how many had username as password (or some portion of). i.e.: Username is fred.penner and password is penner01 OR username fred.penner password fred.penner, etc.

    "over the weekend Microsoft learned that several thousand Windows Live Hotmail customer's credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."
    I take this to mean that if my account hasn't been disabled that it was also not compromised. Though I don't really care about my hotmail account, I mainly use it for web forms/registrations that I expect to spam me.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  #6 lakiw, Junior Member (joined Mar 2006, 28 posts)

    Thorion, a quick answer is that 9 users had the exact same password as their e-mail address, aka fred@hotmail.com - password fred

    It will take me a little bit longer to figure out the answer to your other question, (if they use a part of their username in their password), since I need to script up a quick parser. I don't want to have to manually eyeball all 10k passwords.

  #7 thorin, "My life is this forum" (joined Jan 2010, 2,629 posts)

    Cool TY!

    I didn't really expect anyone to goto the trouble, just thought it'd add some interesting detail to the analysis.

  #8 thorin, "My life is this forum" (joined Jan 2010, 2,629 posts)

    Quote Originally Posted by lakiw:
        Thorion, a quick answer is that 9 users had the exact same password as their e-mail address, aka fred@hotmail.com - password fred

        It will take me a little bit longer to figure out the answer to your other question, (if they use a part of their username in their password), since I need to script up a quick parser. I don't want to have to manually eyeball all 10k passwords.
    Any luck hammering out some further analysis?

  #9 Member (joined May 2009, 102 posts)

    My analysis of 20k leaked email accounts (hotmail etc.)

    Just added some character set filtering to wepbuster.


    For someone who might be interested, here are the stats I have gathered:
    The password list I got from some website (which I forgot to bookmark), contains 21868 entries (mix of different email accounts but mostly from hotmail).

    There are:

    - 18572 unique entries

    - 7280 all lowercase (977 (exact match) are found in /usr/share/dict/words)
    - 6645 combination of lower and number
    - 2979 all numbers
    - 308 lower, number, symbol
    - 293 lower and symbol
    - 292 lower, upper, and number
    - 225 lower, upper
    - 219 all uppercase (16 are found in /usr/share/dict/words)
    - 182 upper and number
    - 50 lower, upper, number, and symbol
    - 38 number, symbol
    - 24 lower, upper, symbol
    - 21 upper, number, symbol
    - 9 upper and symbol
    - 7 all symbols


    As you can see, all lower case, lowercase+number, and all numbers are quite popular choices for passwords.

    In the meantime, I'll try to dig deeper to see if there's any common properties on those passwords created. Maybe number positioning, character patterns, etc.

    ciao!
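The statistics quoted in this thread (lakiw's length and composition percentages in #2, the "password equals e-mail" and "username fragment in password" checks lakiw and thorin discuss in #5 and #6, and the character-class buckets in #9) all come from the same kind of one-pass script over an "email:password" dump. The following is an added example written for this page; it is not code from the thread, from lakiw's site or from wepbuster. The SAMPLE dump is constructed for illustration and is not data from the leak; the field names in the returned dict are this example's own.

```python
# Added example, not code from the original thread, from lakiw's site or from
# wepbuster: a small analyser for an "email:password" dump that reproduces the
# kinds of statistics quoted in this thread (length, character-class buckets,
# digit position, e-mail local part equal to the password, username fragment
# reused in the password). SAMPLE is constructed for illustration; it is not
# data from the leak.
import re
from collections import Counter

SAMPLE = """\
fred@hotmail.com:fred
maria.lopez@hotmail.com:123456
alejandra99@hotmail.com:alejandra
juan.perez@hotmail.com:perez01
tequiero@hotmail.com:Tequiero!
empty@hotmail.com:
nums@hotmail.com:111111
mixed@hotmail.com:Ab12$z
pedro@hotmail.com:123456
"""


def parse(dump):
    """Return (email, password) pairs. Split on the first ':' only, since a
    password may itself contain ':', and drop entries with a blank password
    (both analyses in the thread exclude those)."""
    pairs = []
    for line in dump.splitlines():
        if ':' not in line:
            continue
        email, pw = line.split(':', 1)
        if pw:
            pairs.append((email.strip().lower(), pw))
    return pairs


def charset_class(pw):
    """Bucket a password by the character classes it contains, in the style of
    post #9's 'lower', 'lower+number', 'number', ... categories."""
    classes = []
    if any(c.islower() for c in pw):
        classes.append('lower')
    if any(c.isupper() for c in pw):
        classes.append('upper')
    if any(c.isdigit() for c in pw):
        classes.append('number')
    if any(not c.isalnum() for c in pw):
        classes.append('symbol')
    return '+'.join(classes)


def username_tokens(email):
    """Alphabetic fragments of the local part, e.g. fred.penner -> fred, penner."""
    local = email.split('@', 1)[0]
    return [t for t in re.split(r'[^a-z]+', local) if len(t) >= 3]


def username_reuse(email, pw):
    """True when any local-part fragment of 3+ letters appears in the password
    (thorin's fred.penner / penner01 case)."""
    return any(t in pw.lower() for t in username_tokens(email))


def analyse(pairs):
    """Compute the thread's headline statistics over parsed pairs."""
    pws = [pw for _, pw in pairs]
    n = len(pws)

    def pct(k):
        return round(100.0 * k / n, 1)

    return {
        'total': n,
        'unique': len(set(pws)),
        'avg_len': sum(map(len, pws)) / n,
        'pct_upper': pct(sum(any(c.isupper() for c in p) for p in pws)),
        'pct_special': pct(sum(any(not c.isalnum() for c in p) for p in pws)),
        'pct_digit': pct(sum(any(c.isdigit() for c in p) for p in pws)),
        'pct_only_lower': pct(sum(p.isalpha() and p.islower() for p in pws)),
        'pct_only_digits': pct(sum(p.isdigit() for p in pws)),
        'pct_starts_digit': pct(sum(p[0].isdigit() for p in pws)),
        'pct_ends_digit': pct(sum(p[-1].isdigit() for p in pws)),
        # post #6's check: password identical to the part before the '@'
        'local_eq_pw': sum(1 for e, p in pairs if p == e.split('@', 1)[0]),
        # thorin's question: some fragment of the username reused in the password
        'username_in_pw': sum(1 for e, p in pairs if username_reuse(e, p)),
        'by_class': Counter(charset_class(p) for p in pws),
        'top': Counter(pws).most_common(3),
    }


if __name__ == '__main__':
    for key, val in analyse(parse(SAMPLE)).items():
        print(f'{key}: {val}')
```

Two details matter when running this over a real dump: split on the first colon only, because a password can legitimately contain ':', and decide up front whether blank-password entries are dropped, since that choice is why the two blogs quoted in #2 report 9,845 and 9,843 for the same list.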

  #10 thorin, "My life is this forum" (joined Jan 2010, 2,629 posts)

    Analysis of 32 million breached passwords

    2010 and countless people still fail at picking passwords.
