12345 most popular stolen Hotmail password
By Stuart Turton
Posted on 7 Oct 2009 at 08:44
The phishing attack that exposed the details of 10,000 Hotmail users has revealed that 12345 was the most popular password of those caught out, according to a security researcher.
That's alarming news given the glut of information and warnings that pepper the internet, especially given the fact that the second most popular password was 123456789.
The information was revealed by security researcher Bogdan Calin on his blog. Calin reviewed the list of 10,000 Hotmail accounts posted on PasteBin by hackers and discovered that of the 9,843 valid passwords, 82 of them used one of these two numbers.
Also popular, and equally weak, were the passwords 12345678, 1234567 and 111111 - which all featured in the top ten.
The rest of the top ten was filled out with names such as alejandra, alberto, and alejandro, leading Calin to suspect that the phishing kit was targeting Latinos.
Another interesting fact to be pulled from his research was the longest password, which came in at a staggering 30 characters and was "lafaroleratropezoooooooooooooo". The shortest password, on the other hand, was only one character long.
In general, Calin found that the majority of the passwords were between six and nine characters long, with the average password eight characters in length.
Hotmail users weren't the only ones caught out by the phishers, with GMail, Yahoo and AOL also reporting that their users have been targeted.
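The following is an added example, not part of the original article or of Calin's analysis: a Python sketch of the kind of audit described above (most common passwords, length statistics, trivially weak shapes) that a defender could run over their own organisation's recovered credential list. The function names and the sample list are constructed for illustration.

```python
from collections import Counter
from statistics import mean


def is_trivial(pw: str) -> bool:
    """True for the weak shapes named in the article: a single character,
    one repeated character (111111), or digits counting up by one (12345)."""
    if len(pw) < 2 or len(set(pw)) == 1:
        return True
    if pw.isascii() and pw.isdigit():
        return all(int(b) - int(a) == 1 for a, b in zip(pw, pw[1:]))
    return False


def audit(passwords, top_n=3, lo=6, hi=9):
    """Summarise a credential list: top passwords, length stats, weak count."""
    valid = [p for p in passwords if p]  # blank entries are not valid passwords
    if not valid:
        raise ValueError("no valid passwords in list")
    lengths = [len(p) for p in valid]
    in_range = sum(lo <= n <= hi for n in lengths)
    return {
        "valid": len(valid),
        "top": Counter(valid).most_common(top_n),
        "shortest": min(lengths),
        "longest": max(lengths),
        "mean_length": round(mean(lengths), 1),
        "share_in_range": round(in_range / len(valid), 2),
        "trivial": sum(is_trivial(p) for p in valid),
    }


# Constructed sample, not the leaked data; values reuse passwords quoted above.
SAMPLE = ["12345", "12345", "12345", "123456789", "123456789", "111111",
          "alejandra", "alberto", "a", "", "12345678"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```
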
Whoever had "lafaroleratropezoooooooooooooo" as their password is going to be so pissed off at having to pick a new one, unless they just stick another "o" at the end again.
By Shuflie on 7 Oct 2009
0.8% = Alarming?
Sorry, but I'm amazed the figures weren't worse.
By VoiceOfReason on 7 Oct 2009
Replace 'password' with 'pass phrase'
Why don't all IT companies replace the word 'password' in their code with the words 'pass phrase' and encourage people to think of a phrase instead of a word?
For example, "I drive a BMW 320i" would be pretty secure and easy to remember if your car was indeed a BMW 320i.
"My dog's name is Spot" etc, etc.
By iwilson on 7 Oct 2009
Not just Hotmail
I worked on one site, where the previous IT services company reset everybody's password to 123456 - from the coffee boy up to the board!
Most of the users didn't even know how to change their passwords, so a year later, when we took over the contract, they were still set to 123456! :-O
By big_D on 7 Oct 2009
Perhaps those people knew it as a phishing scam and entered fake details. I know I would.
By peterm2k on 7 Oct 2009
Fonejacker eat your heart out!
No passwords of "password" then? That used to be popular.
You've got the makings of a quiz show right there...
"Nine characters, first letter capital, a symbol and a number, what's my password?"
By cheysuli on 7 Oct 2009
@peterm2k - but if they knew it was a scam why would they reply at all?!
By halsteadk on 7 Oct 2009
I have to agree with iwilson - a pass phrase is far better than the idea of a password.
So instead of using the password 'letmein' we can now say 'let me in' - which was the password of choice for most admins at council offices in the south of England in the late 90s - let's hope they've changed them since.
But still I am not surprised at the weak password users have to remember for so many different accounts - give them a phrase with numbers in it and then they are on a safer path.
By nicomo on 7 Oct 2009
I did once reply to one of these with fake details and giving my phone number as the fraud reporting hotline :)
By phantombudgie on 8 Oct 2009