Remote Exploit Forums

#1
10-07-2009, 09:08 AM
Member
 
Join Date: Mar 2006
Posts: 46
Analysis of 10k hotmail passwords

Ok, not all of them were hotmail passwords, but that's how they are being talked about in the media

Thousands of Hotmail passwords leaked online

I did some initial analysis of the list which can be found below:

Reusable Security: 10k Hotmail Passwords

I haven't had much time to go over them, but I'll try to post some follow up info, such as the effectiveness of different input dictionaries, a more detailed analysis of word mangling rules used, etc, later. If there is any specific information people are interested in, (with the exception of where to grab the list, sorry I'm not going to repost that), please let me know.
#2
10-07-2009, 09:59 AM
Member
 
Join Date: Jan 2009
Location: Italy
Posts: 91

From your site:

So on to the analysis:
•Total Passwords: 9,845 - This number excludes all the e-mail addresses that had blank passwords
•Average Password Length: 8.7 characters long
•Percentage that contained an UPPERCASE letter: 7.2%
•Percentage that contained a special, (aka !@#$), character: 5.2%
•Percentage that contained a digit: 51.7%
•Percentage that only contained lowercase letters: 43.3%
•Percentage that only contained digits: 17.6%
•Percentage the started with a digit, (aka '1password'): 25.0%
•Percentage that ended with a digit, (aka 'password1'): 44.1%
•Percentage that started with a special character: 0.5%
•Percentage that ended with a special character: 2.2%
•Percentage that started with an uppercase letter: 6.1%

But from:

Acunetix Web Application Security Blog » Statistics from 10,000 leaked Hotmail passwords


Below are the statistics:

◦The list initially contained 10,028 entries.
◦After I’ve cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
◦There are 8931 (90%) unique passwords in the list.
◦The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
◦The shortest password was 1 char long: )
Top 20 most common passwords:

1.123456 - 64
2.123456789 - 18
3.alejandra - 11
4.111111 - 10
5.alberto - 9
6.tequiero - 9
7.alejandro - 9
8.12345678 - 9
9.1234567 - 8
10.estrella - 7
11.iloveyou - 7
12.daniel - 7
13.000000 - 7
14.roberto - 7
15.654321 - 6
16.bonita - 6
17.sebastian - 6
18.beatriz - 6
19.mariposa - 5
20.america - 5
__________________
acer 5920g /345abg /nvidia 8600m
bt4-prefinal 2.6.30.5 on HDD + 2.6.30.5 + nvidia 190.18.4
http://forums.remote-exploit.org/backtrack-4-pre-final/26319-how-build-kernel-headers-new-kernel.html
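As an added example (not code from either post or from the linked blogs), here is a Python script that computes the composition statistics quoted above, plus the top-N table, from a list in the leaked file's "email:password" layout. The nine entries embedded in it are constructed, not taken from the leaked list; the count of entries with a blank password is dropped the same way post #1 drops them.

```python
import re
from collections import Counter

# Constructed sample in the leaked list's "email:password" layout; not real data.
SAMPLE = """\
ana@hotmail.com:123456
carlos@hotmail.com:alejandra
juan@hotmail.com:Pepe2009!
maria@hotmail.com:1password
luis@hotmail.com:password1
beatriz@hotmail.com:
pedro@hotmail.com:$money$
rosa@hotmail.com:987654
pablo@hotmail.com:123456
"""

# "special" here means anything that is not an ASCII letter or digit
SPECIAL = re.compile(r"[^A-Za-z0-9]")


def parse(text):
    """Return the passwords from 'email:password' lines.

    Entries with a blank password are dropped, as in the 9,845 count above.
    Split on the first ':' only, so a password containing ':' stays whole.
    """
    pws = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, pw = line.split(":", 1)
        if pw:
            pws.append(pw)
    return pws


def stats(pws):
    """Composition percentages in the same form as the list quoted above."""
    n = len(pws)

    def pct(pred):
        return round(100.0 * sum(1 for p in pws if pred(p)) / n, 1)

    return {
        "total": n,
        "unique": len(set(pws)),
        "avg_len": round(sum(map(len, pws)) / n, 1),
        "has_upper": pct(lambda p: any(c.isupper() for c in p)),
        "has_special": pct(lambda p: SPECIAL.search(p) is not None),
        "has_digit": pct(lambda p: any(c.isdigit() for c in p)),
        "only_lower": pct(lambda p: re.fullmatch(r"[a-z]+", p) is not None),
        "only_digits": pct(lambda p: p.isdigit()),
        "starts_digit": pct(lambda p: p[0].isdigit()),
        "ends_digit": pct(lambda p: p[-1].isdigit()),
        "starts_special": pct(lambda p: SPECIAL.match(p[0]) is not None),
        "ends_special": pct(lambda p: SPECIAL.match(p[-1]) is not None),
        "starts_upper": pct(lambda p: p[0].isupper()),
    }


def top(pws, k=20):
    """Most common passwords with their counts, like the top-20 table."""
    return Counter(pws).most_common(k)


if __name__ == "__main__":
    pws = parse(SAMPLE)
    for key, val in stats(pws).items():
        print(f"{key}: {val}")
    for rank, (pw, count) in enumerate(top(pws), 1):
        print(f"{rank}. {pw} - {count}")
```

Note that "has a digit" and "ends with a digit" are not exclusive buckets, which is why the percentages in the first list do not add up to 100; the exclusive breakdown by character-class combination is a separate computation.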
#3
10-07-2009, 10:23 AM
Member
 
Join Date: Jan 2009
Location: Italy
Posts: 91

Ooh, what a big FAIL: looking for "lafaroleratropezooooooooooooo" ... Google has saved all the passwords.

I think it doesn't love Microsoft.
#4
10-07-2009, 10:49 AM
Junior Member
 
Join Date: Sep 2009
Posts: 14

Indeed Nemis.
Not hard to retrieve the whole list.


1.123456 - 64
#5
10-07-2009, 03:10 PM
thorin
Senior Member
 
Join Date: Feb 2006
Location: Northern Hemisphere
Posts: 2,445

I'm actually kind of surprised about the counts in the top 20. I mean the top 20 only account for 216 out of 9,843.

The number or frequency of names and purely useless strings makes me think that the majority of breached accounts were not actual user accounts but rather bulk created accounts for spamming/phishing. It would be interesting to see an analysis of the usernames associated with the analyzed passwords.

Also the analysis seems to ignore any sort of correlation between username and password. I'd like to know how many had username as password (or some portion of). i.e.: Username is fred.penner and password is penner01 OR username fred.penner password fred.penner, etc.

Quote:
"over the weekend Microsoft learned that several thousand Windows Live Hotmail customer's credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."
I take this to mean that if my account hasn't been disabled, it was also not compromised. Though I don't really care about my hotmail account; I mainly use it for web forms/registrations that I expect to spam me.
__________________
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

Last edited by thorin; 10-07-2009 at 03:13 PM.
#6
10-07-2009, 05:56 PM
Member
 
Join Date: Mar 2006
Posts: 46

thorin, a quick answer is that 9 users had the exact same password as their e-mail address, aka fred@hotmail.com - password fred.

It will take me a little bit longer to figure out the answer to your other question (whether they use part of their username in their password), since I need to script up a quick parser; I don't want to manually eyeball all 10k passwords.
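An added example, not lakiw's parser, of the username/password correlation check thorin asked for, in Python. It classifies each entry as the password being exactly the local part of the address, containing the whole local part, or containing one name token of it (fred.penner / penner01). The (email, password) pairs are constructed, the separator set used to split the local part into tokens is an assumption, and the minimum token length is there because two-letter local parts such as "ab" turn up inside unrelated passwords far too often to mean anything.

```python
import re
from collections import Counter

# Constructed (email, password) pairs; not entries from the leaked list.
SAMPLE = [
    ("fred@hotmail.com", "fred"),                 # password is the local part
    ("fred.penner@hotmail.com", "penner01"),      # one name token plus digits
    ("fred.penner@hotmail.com", "fred.penner1"),  # whole local part plus a digit
    ("alice_b@hotmail.com", "Alice2009"),         # token match, case-insensitive
    ("bob@hotmail.com", "123456"),                # unrelated
    ("ab@hotmail.com", "cabbage"),                # 'ab' is too short to count
]

# Tokens shorter than this are ignored (assumed threshold); without it
# "ab" would be reported as part of "cabbage".
MIN_TOKEN = 3


def local_part(email):
    """'Fred.Penner@hotmail.com' -> 'fred.penner'."""
    return email.split("@", 1)[0].lower()


def tokens(local):
    """Split a local part into name tokens on the usual separators (assumed set)."""
    return [t for t in re.split(r"[._+-]", local) if len(t) >= MIN_TOKEN]


def classify(email, password):
    """How much of the username shows up in the password.

    Returns one of 'exact', 'contains_local', 'contains_token', 'none';
    comparison is case-insensitive.
    """
    local = local_part(email)
    pw = password.lower()
    if pw == local:
        return "exact"
    if len(local) >= MIN_TOKEN and local in pw:
        return "contains_local"
    if any(t in pw for t in tokens(local)):
        return "contains_token"
    return "none"


def summarize(entries):
    """Count each correlation class over a list of (email, password) pairs."""
    counts = Counter(classify(e, p) for e, p in entries)
    return {k: counts.get(k, 0)
            for k in ("exact", "contains_local", "contains_token", "none")}


if __name__ == "__main__":
    for email, pw in SAMPLE:
        print(f"{email:28} {pw:14} {classify(email, pw)}")
    print(summarize(SAMPLE))
```

Substring matching is deliberately loose; on a real list the "contains_token" bucket should be eyeballed for short common tokens (e.g. "ana") before the numbers are reported.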
#7
10-07-2009, 07:02 PM
thorin
Senior Member
 
Join Date: Feb 2006
Location: Northern Hemisphere
Posts: 2,445

Cool TY!

I didn't really expect anyone to go to the trouble, just thought it'd add some interesting detail to the analysis.
#8
10-30-2009, 03:27 PM
thorin
Senior Member
 
Join Date: Feb 2006
Location: Northern Hemisphere
Posts: 2,445

Quote:
Originally Posted by lakiw View Post
thorin, a quick answer is that 9 users had the exact same password as their e-mail address, aka fred@hotmail.com - password fred.

It will take me a little bit longer to figure out the answer to your other question (whether they use part of their username in their password), since I need to script up a quick parser; I don't want to manually eyeball all 10k passwords.
Any luck hammering out some further analysis?
#9
11-06-2009, 09:06 PM
Member
 
Join Date: May 2009
Posts: 99
my analysis of 20k leaked email accounts (hotmail etc.)

Just added some character set filtering to wepbuster.


For someone who might be interested, here are the stats I have gathered:
The password list I got from some website (which I forgot to bookmark), contains 21868 entries (mix of different email accounts but mostly from hotmail).

There are:

- 18572 unique entries

- 7280 all lowercase (977 (exact match) are found in /usr/share/dict/words)
- 6645 combination of lower and number
- 2979 all numbers
- 308 lower, number, symbol
- 293 lower and symbol
- 292 lower, upper, and number.
- 225 lower, upper
- 219 all uppercase (16 are found in /usr/share/dict/words)
- 182 upper and number
- 50 lower, upper, number, and symbol
- 38 number, symbol
- 24 lower, upper, symbol
- 21 upper, number, symbol
- 9 upper and symbol
- 7 all symbols


As you can see, all lower case, lowercase+number, and all numbers are quite popular choices for passwords.

In the meantime, I'll try to dig deeper to see if there are any common properties in those passwords. Maybe number positioning, character patterns, etc.

ciao!

Last edited by wif1bust3r; 11-06-2009 at 11:07 PM.
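Added example, not wif1bust3r's code and not part of wepbuster: it partitions passwords by the exact set of character classes they use (the mutually exclusive buckets in the list above, so every password lands in exactly one), and then tries to explain each password as a dictionary word plus a simple mangling rule, which is the number-positioning / word-mangling follow-up both this post and the first one mention. The wordlist is a constructed stand-in for /usr/share/dict/words, the sample passwords are constructed, and the leet substitution table is an assumption.

```python
import re
from collections import Counter

# Constructed stand-in for /usr/share/dict/words; a real run would load that file.
WORDS = {"password", "estrella", "mariposa", "america", "daniel", "bonita"}

# Constructed sample passwords; not entries from the leaked list.
SAMPLE = ["estrella", "Password1", "123456", "mariposa2009", "DANIEL",
          "am3rica", "!!!", "bonita!", "qwerty"]

# Leet substitutions undone before the dictionary lookup (assumed table).
LEET = str.maketrans("0134@$", "oieaas")


def class_set(pw):
    """The set of character classes a password uses, as one partition key."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("number")
        else:
            classes.add("symbol")
    return frozenset(classes)


def partition(pws):
    """Mutually exclusive buckets like 'lower and number' or 'all symbols'."""
    return Counter(class_set(p) for p in pws)


def infer_rule(pw, words=WORDS):
    """Explain a password as dictionary word + simple mangling rules.

    Returns (base_word, rules) or None when no rule chain reaches the wordlist.
    Rules tried, in order: upper / capitalize on the alphabetic stem, leet
    decoding, then '+digits' and '+symbol' for anything appended at the end.
    """
    if not pw:
        return None
    # shortest stem such that the rest is digits followed by symbols
    base, digits, symbols = re.fullmatch(r"(.+?)([0-9]*)([^A-Za-z0-9]*)", pw).groups()
    rules = []
    candidate = base
    if len(candidate) > 1 and candidate.isupper():
        rules.append("upper")
        candidate = candidate.lower()
    elif candidate[0].isupper() and candidate[1:].islower():
        rules.append("capitalize")
        candidate = candidate.lower()
    if candidate not in words:
        deleet = candidate.translate(LEET)
        if deleet not in words:
            return None
        rules.append("leet")
        candidate = deleet
    if digits:
        rules.append("+digits")
    if symbols:
        rules.append("+symbol")
    return candidate, (tuple(rules) if rules else ("plain",))


def rule_histogram(pws, words=WORDS):
    """Count rule chains over a list; the second value is how many passwords
    no chain could explain (names and keyboard walks end up here)."""
    explained = Counter()
    unexplained = 0
    for p in pws:
        r = infer_rule(p, words)
        if r is None:
            unexplained += 1
        else:
            explained[r[1]] += 1
    return explained, unexplained


if __name__ == "__main__":
    for classes, n in partition(SAMPLE).most_common():
        print(f"{n:3}  {' + '.join(sorted(classes))}")
    hist, rest = rule_histogram(SAMPLE)
    for rule, n in hist.most_common():
        print(f"{n:3}  {' '.join(rule)}")
    print(f"unexplained: {rest}")
```

The inference is greedy and single-path (it stops at the first chain that hits the wordlist), and it will never explain first names or Spanish words that /usr/share/dict/words lacks, which is exactly the gap the 977-of-7280 figure above reflects; a list-specific dictionary of names is the obvious next input to try.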