12345 most popular stolen Hotmail password
By Stuart Turton
Posted on 7 Oct 2009 at 08:44
The phishing attack that exposed the details of 10,000 Hotmail users has revealed that 12345 was the most popular password of those caught out, according to a security researcher.
That's alarming news given the glut of information and warnings that pepper the internet, especially given the fact that the second most popular password was 123456789.
The information was revealed by security research Bogdan Calin on his blog. Calin reviewed the list of 10,000 Hotmail accounts posted on PasteBin by hackers and discovered that of the 9,843 valid passwords, 82 of them used one of these two numbers.
Also popular, and equally weak, were the passwords 12345678, 1234567 and 111111 - which all featured in the top ten.
The rest of the top ten was filled out with names such as alejandra, alberto, and alejandro, leading Calin to suspect that the phishing kit was targeting Latinos.
Another interesting fact to be pulled from his research was the longest password, which came in at a staggering 30 characters and was "lafaroleratropezoooooooooooooo". The shortest password, on the other hand, was only one character long.
In general, Calin found that the majority of the passwords were between six and nine characters long, with the average password eight characters in length.
Hotmail users weren't the only ones caught out by the phishers, with GMail, Yahoo and AOL also reporting that their users have been targeted.
Whoever had "lafaroleratropezoooooooooooooo" as their password is going to be so pissed off at having to pick a new one, unless they just stick another"o" at the end again.
By Shuflie on 7 Oct 2009
0.8% = Alarming?
Sorry, but I'm amazed the figures weren't worse.
By VoiceOfReason on 7 Oct 2009
Replace 'password' with 'pass phrase'
Why don't all IT companies replace the word 'password' in their code with the words 'pass phrase' and encourage people to think of a phrase instead of a word?
For example, "I drive a BMW 320i" would be pretty secure and easy to remember if your car was indeed a BMW 320i.
"My dog's name is Spot" etc, etc.
By iwilson on 7 Oct 2009
Not just Hotmail
I worked on one site, where the previous IT services company reset everybody's password to 123456 - from the coffee boy up to the board!
Most of the users didn't even know how to change their passwords, so a year later, when we took over the contract, they were still set to 123456! :-O
By big_D on 7 Oct 2009
Perhaps those people knew it as a phishing scam and entered fake details. I know I would.
By peterm2k on 7 Oct 2009
Fonejacker eat your heart out!
No passwords of "password" then? That used to be popular.
You've got the makings of a quiz show right there...
"Nine characters, first letter capital, a symbol and a number, what's my password?"
By cheysuli on 7 Oct 2009
@peterm2k - but if they knew it was a scam why would they reply at all?!
By halsteadk on 7 Oct 2009
I have to agree with iwilson - a pass phrase is far better than the idea of a password.
So instead of using the password 'letmein' we can now say 'let me in' - which was the password of choice for most admins at council offices in the south of England in the late 90s - lets hope they've changed them since.
But Still I am not surprised at the weak password users have to remember for so many different acounts - give them a phrase with numbers in it and then they are on a safer path.
By nicomo on 7 Oct 2009
I did once reply to one of these with fake details and giving my phone number as the fraud reporting hotline :)
By phantombudgie on 8 Oct 2009
- Adobe Dreamweaver CC review: first look
- Huawei Ascend P6 review: first look
- Adobe Illustrator CC review: first look
- Let MPs tell us what they really want ISPs to block
- Adobe Photoshop CC review: first look
- WWDC 2013 and iOS 7 launch: live blog
- Sony VAIO Pro review: first look
- Want child porn blocked? Meet the IWF
- Is it worth upgrading a media centre to Windows 8?
- Flickr redesign: is it enough to tempt photographers back?
- Google two-step verification: a must for business email
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?