An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin. PasteBin is currently down for maintenance, but I managed to get a copy of the list and quickly generated some statistics from these passwords.

My impression is that these passwords have been gathered using phishing kits. Furthermore, the phishing kit used was most probably badly designed: it didn’t then authenticate the users against the real Hotmail/Live website, and I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn’t understand what was going on and tried to enter the same password again and again, thinking the password was wrong.

Below are the statistics:

The list initially contained 10,028 entries.

After cleaning up the list (removing entries without a password), I was left with 9843 valid entries (passwords).

There are 8931 (90%) unique passwords in the list.

The longest password was 30 chars long: lafaroleratropezoooooooooooooo

The shortest password was 1 char long: )

Top 20 most common passwords (password – occurrences):

123456 – 64
123456789 – 18
alejandra – 11
111111 – 10
alberto – 9
tequiero – 9
alejandro – 9
12345678 – 9
1234567 – 8
estrella – 7
iloveyou – 7
daniel – 7
000000 – 7
roberto – 7
654321 – 6
bonita – 6
sebastian – 6
beatriz – 6
mariposa – 5
america – 5

Based on these passwords I think the phishing kit was targeted towards the Latino community.

Password length distribution (length – number of passwords – share of passwords):

1 chars – 2 – 0 %
2 chars – 4 – 0 %
3 chars – 4 – 0 %
4 chars – 31 – 0 %
5 chars – 49 – 1 %
6 chars – 1946 – 22 %
7 chars – 1254 – 14 %
8 chars – 1838 – 21 %
9 chars – 1091 – 12 %
10 chars – 772 – 9 %
11 chars – 527 – 6 %
12 chars – 431 – 5 %
13 chars – 290 – 3 %
14 chars – 219 – 2 %
15 chars – 157 – 2 %
16 chars – 190 – 2 %
17 chars – 56 – 1 %
18 chars – 17 – 0 %
19 chars – 7 – 0 %
20 chars – 14 – 0 %
21 chars – 10 – 0 %
22 chars – 8 – 0 %
23 chars – 3 – 0 %
24 chars – 3 – 0 %
25 chars – 3 – 0 %
26 chars – 0 – 0 %
27 chars – 3 – 0 %
28 chars – 0 – 0 %
29 chars – 1 – 0 %
30 chars – 1 – 0 %

As you can see from the list above, most of the passwords are between 6 and 9 characters long. The average password length is 8 characters.

What kind of passwords were in the list?

3,713 = 42 %; lower alpha passwords: passwords containing only characters from ‘a’ to ‘z’. Example: iloveyou

291 = 3 %; mixed case alpha passwords: passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’. Example: ILoveYou

1707 = 19 %; numeric passwords: passwords containing only numbers (‘0’ to ‘9’). Example: 123456

2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-‘z’, ‘A’-‘Z’ and ‘0’-‘9’. Example: Iloveyou12

565 = 6 %; mixed alpha + numeric + other characters. Example: 1Love You$%@

As the list above shows, a large majority of users still use very poor passwords: 42 % used lower-case letters only and 19 % used numbers only, while only 6 % of all the passwords combined letters, numbers and other characters.
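To make the statistics above reproducible, here is an added example script (not from the original post) that performs the same steps on a constructed sample: drop entries without a password, count unique passwords, list the most common ones, build the length distribution and sort passwords into the five character-class buckets. The “username:password” line layout, the sample values and the treatment of the last bucket as a catch-all are assumptions; the post’s length counts and class counts each sum to 8931, its number of unique passwords, so the script computes those two tables over the unique set as well.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample lines. The leaked list's exact layout is not shown in the
# post; a "username:password" layout is assumed here. All values are made up.
SAMPLE_LINES = [
    "user1@example.com:123456",
    "user2@example.com:iloveyou",
    "user3@example.com:ILoveYou",
    "user4@example.com:Iloveyou12",
    "user5@example.com:1Love You$%@",
    "user6@example.com:",            # no password: dropped during clean-up
    "user7@example.com:123456",      # repeat of a password already seen
    "user8@example.com:)",           # one-character password
    "user9@example.com",             # malformed line: dropped
]


def parse_entries(lines):
    """Return the password field of every well-formed entry.

    Entries with no ':' separator or an empty password are discarded, which is
    the clean-up step described in the post.
    """
    passwords = []
    for line in lines:
        line = line.rstrip("\r\n")
        if ":" not in line:
            continue
        _user, _sep, password = line.partition(":")
        if password:
            passwords.append(password)
    return passwords


def classify(password):
    """Assign a password to one of the post's five character-class buckets.

    Assumption: the last bucket ("mixed alpha + numeric + other") is a
    catch-all for anything containing a non-alphanumeric character, since the
    post's five buckets add up to its unique-password count. An all-uppercase
    password lands in "mixed case alpha", as the post's definition implies.
    """
    if re.fullmatch(r"[a-z]+", password):
        return "lower alpha"
    if re.fullmatch(r"[0-9]+", password):
        return "numeric"
    if re.fullmatch(r"[A-Za-z]+", password):
        return "mixed case alpha"
    if re.fullmatch(r"[A-Za-z0-9]+", password):
        return "mixed alpha and numeric"
    return "mixed alpha + numeric + other"


def length_distribution(passwords):
    """Map each length 1..max to (count, rounded percentage of passwords)."""
    total = len(passwords)
    counts = Counter(len(p) for p in passwords)
    longest = max(counts) if counts else 0
    return {n: (counts[n], round(100 * counts[n] / total))
            for n in range(1, longest + 1)}


def summarize(lines, top_n=20):
    """Compute the post's statistics from raw credential lines.

    The top-N list is counted over all cleaned entries, so repeats show up;
    length and class statistics are computed over the unique passwords.
    """
    passwords = parse_entries(lines)
    if not passwords:
        raise ValueError("no usable entries")
    unique = sorted(set(passwords))
    return {
        "entries": len(passwords),
        "unique": len(unique),
        "unique_pct": round(100 * len(unique) / len(passwords)),
        "top": Counter(passwords).most_common(top_n),
        "longest": max(unique, key=len),
        "shortest": min(unique, key=len),
        "avg_len": round(mean(len(p) for p in unique), 1),
        "lengths": length_distribution(unique),
        "classes": Counter(classify(p) for p in unique),
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE_LINES)
    print(f"{stats['entries']} entries, {stats['unique']} unique "
          f"({stats['unique_pct']} %)")
    for pw, n in stats["top"]:
        print(f"{pw} – {n}")
    for n, (count, pct) in stats["lengths"].items():
        print(f"{n} chars – {count} – {pct} %")
    for bucket, count in stats["classes"].most_common():
        print(f"{count} = {round(100 * count / stats['unique'])} %; {bucket}")
```

On the constructed sample the script reports 7 entries and 6 unique passwords (86 %), with 123456 as the only repeated password; replacing SAMPLE_LINES with the lines of a real dump is the only change needed to reproduce the tables in the post, provided the separator matches.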
