October 8, 2009 4:51 PM PDT

Phished or not, leaked passwords show lazy habits

by Elinor Mills

[Figure: the 20 most common passwords, based on 10,000 analyzed by Acunetix. Credit: Acunetix]

It's still unclear exactly how 20,000 passwords discovered on the Web recently were stolen, but the finding reveals much in the way of people's password habits: some of us are lazy.

Several lists of passwords from Hotmail, Gmail, Yahoo Mail, and other accounts were discovered and reported on earlier in the week. While Microsoft, Google, and Yahoo are blaming phishing, a researcher at ScanSafe thinks password-stealing malware on victims' computers could be the culprit, which would mean that more than just the Web e-mail accounts may have been compromised.

More on that later. First, let's look at what an analysis of the leaked passwords reveals.

Security researcher Bogdan Calin did a statistical analysis of the list of more than 10,000 Windows Live Hotmail passwords and wrote about his findings on the Acunetix blog. He discovered that the most common password was "123456," used for 64 of the passwords. In second place was "123456789," used for 18 of them. Also, 42 percent of the passwords used only lower case letters.

While that shows some people aren't exercising caution in securing their e-mail accounts, other statistics reveal that many people are putting more thought into it.

For instance, 30 percent used a combination of uppercase and lowercase letters and numbers. Twenty-two percent of the passwords used six characters, 14 percent used seven, 21 percent used eight, and 12 percent used nine characters. One account even had a password that was 30 characters long.

"My impression is that these passwords have been gathered using phishing kits," Calin writes. "Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live Web site. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened, is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong."

Mary Landesman, senior security researcher at ScanSafe, theorizes that passwords were obtained by a data-stealing Trojan horse and not phishing.

There are errors in the list of Hotmail passwords that appear to be the result of improper extraction or merging of data, she writes on the ScanSafe blog.

Among other reasons, Landesman notes that usernames often appear multiple times with the same password except for a slightly different spelling. Also, she said the "@" separating the username from the mail domain is not always present, which could indicate that the data was pieced together from a form or was extracted from a larger set of data.
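The checks described above, Calin's frequency, character-class and length statistics and his case-variant retry observation, plus Landesman's malformed-address signal, can all be run over a credential dump with a few lines of Python. The script below is an added example and is not code from the article, from Acunetix or from ScanSafe; the "user:password" lines it analyzes are constructed for this example and are not data from the 2009 leak.

```python
"""Statistical triage of a leaked credential list.

Added example, not part of the original article or of the Acunetix /
ScanSafe analyses it describes. It reproduces the kinds of checks the
article reports: most common passwords, character-class mix and length
distribution (Calin), and the data-quality signals Calin and Landesman
point to (a user submitting case variants of one password, usernames
with the "@" missing). The sample lines below are constructed for this
example; they are not data from the 2009 leak.
"""
import re
from collections import Counter

# Constructed sample in the "user:password" shape typical of such dumps.
SAMPLE_DUMP = """\
alejandra@hotmail.com:123456
alberto.g@hotmail.com:Alberto2009
alberto.g@hotmail.com:alberto2009
alberto.g@hotmail.com:ALBERTO2009
ana.lopez@hotmail.com:tequiero
anahotmail.com:123456
bruno@hotmail.com:123456789
beatriz@hotmail.com:Xk9#mQ2pLw
bea.triz@hotmail.com:tequiero
bob@hotmail.com:123456
"""

# Loose e-mail shape: something@something.something, no spaces or colons.
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")


def parse_dump(text):
    """Split each line at the first ':' into (user, password).
    Entries whose user part is not a well-formed address (e.g. the '@'
    is missing) are kept for the statistics but reported separately."""
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        user, password = line.split(":", 1)
        if not EMAIL_RE.match(user):
            malformed.append(user)
        records.append((user, password))
    return records, malformed


def top_passwords(records, n=3):
    """The n most frequently used passwords with their counts."""
    return Counter(p for _, p in records).most_common(n)


def char_class(password):
    """Label a password by the character classes it contains."""
    classes = []
    if re.search(r"[a-z]", password):
        classes.append("lower")
    if re.search(r"[A-Z]", password):
        classes.append("upper")
    if re.search(r"[0-9]", password):
        classes.append("digit")
    if re.search(r"[^A-Za-z0-9]", password):
        classes.append("symbol")
    return "+".join(classes) or "empty"


def class_distribution(records):
    return Counter(char_class(p) for _, p in records)


def length_distribution(records):
    return Counter(len(p) for _, p in records)


def share(records, predicate):
    """Fraction of passwords satisfying predicate (e.g. all lowercase)."""
    if not records:
        return 0.0
    return sum(1 for _, p in records if predicate(p)) / len(records)


def case_variant_retries(records):
    """Users whose list entries are the same password differing only in
    case: the pattern Calin read as a phishing kit that rejected every
    submission, so victims kept retyping what they thought was wrong."""
    seen = {}
    for user, pw in records:
        seen.setdefault((user, pw.lower()), set()).add(pw)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    recs, bad = parse_dump(SAMPLE_DUMP)
    print("records:", len(recs), "malformed usernames:", bad)
    print("top passwords:", top_passwords(recs))
    print("character classes:", dict(class_distribution(recs)))
    print("lengths:", dict(sorted(length_distribution(recs).items())))
    print("all-lowercase share:", share(recs, lambda p: p.isalpha() and p.islower()))
    for (user, _), variants in case_variant_retries(recs).items():
        print("case-variant retries for", user, sorted(variants))
```

On a real dump, treat the percentages with the caution the comments below raise: a phishing or malware haul is a biased sample of users, and a list limited to usernames starting with A and B, as the update at the end notes, is not representative either.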

Asked to comment on Landesman's speculation, Microsoft and Yahoo representatives said the companies still think the passwords were phished.

A Google spokesman offered this comment: "Passwords can be compromised in multiple ways, so it's a good idea to take several steps to help protect your personal information. Select unique passwords, especially on your most important Web sites, and use antivirus software to help detect software that may try to steal your password."

It's important to remember that phishing can also lead to the download of malware onto a victim's computer. So people may never know what happened.

Regardless, be careful out there.

(Related: See Larry Magid's story for tips on making strong, easy-to-remember passwords.)

Update, 1:20 p.m. PDT on October 9: The list of passwords analyzed apparently was limited to usernames starting with A and B, which is not exactly a representative sample but could explain the use of Spanish words beginning with "A."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Comments (42 comments, page 1 of 2)
by n3td3v October 8, 2009 5:22 PM PDT
Do we know if they were legitimate email accounts or ones just set up as spam accounts by spammers using a botnet to register them? The same password appearing more than once could suggest they were all created by the same people using a botnet.
Reply to this comment
by renGek October 9, 2009 11:55 AM PDT
That's an excellent point. I know if I wanted to create a one-time-use account, that's what I would do.
by sebastien.kalonji October 8, 2009 5:29 PM PDT
So again it was the Suisse cheese called Windows that was responsible for this security breach?!
Reply to this comment
by captain_numerica October 8, 2009 6:50 PM PDT
You haven't been keeping up with this story, have you? You should actually read some of these articles before commenting on them.
by tektaktyks October 8, 2009 8:08 PM PDT
your brain is a melted "Suisse cheese"
by celticbrewer October 9, 2009 4:39 AM PDT
Here, I corrected it for you:

"So again it was the mor0n user, not the OS, that was responsible for this security breach."

It's people who used pirated and/or unpatched software, who use passwords like 123456, and who click on the pop window saying "virus found, please enter your social security number" who are the real threat.
by renGek October 9, 2009 11:54 AM PDT
So fools like you think that if you log on to a non windows web site with the id/password of 123456 you would be immune. Nice thinking. You must be a fanboy. Because fanboys
a. have limited technical knowledge but think they have lots.
b. don't read beyond the headlines and then draw their own conclusion.
by screamapillar October 12, 2009 6:24 PM PDT
This is much broader than a mere OS issue. I think you are a little narrow minded if you honestly believe that.
by pentest October 18, 2009 8:43 AM PDT
It is not an OS issue, but we all know what OS the majority of the idiots who fall for these scams use. Still, the blame cannot be laid at the feet of the incompetent folks at Microsoft.
by solitare_pax October 8, 2009 5:53 PM PDT
Laziness strikes again.
Reply to this comment
by dverlaque October 8, 2009 5:55 PM PDT
If someone is too lazy to set up a good password, then they deserve to be taught a lesson.
I'm saying this in the knowledge that some of the people reading this comment may use/have used these passwords, and some of them might have had their passwords stolen. I'm still not taking this back. It's true.
Reply to this comment
by screamapillar October 12, 2009 6:23 PM PDT
While I agree that sequential numbers are a pretty extreme example of a poor password, I think the issue is more complex than simply 'laziness'.

We live in a world where every site asks for a different username and password. There is no consistency. If the handle you have for everything isn't available, suddenly you get new usernames. Suddenly the site will require a larger (or smaller!!) character limit. So another password. There is only so much you can manage without breaching security in another way (eg writing them down or over simplifying it all).

What we need is some standards across the web. For example, if it isn't an email address, make the username the email address. That way, if the handle is taken, the user isn't inventing yet another username to remember. Who cares what your handle is if your username is the same? (in terms of security, that is).

Just an idea, but I do believe the passwords issue is of major concern. I work for a multinational with multiple custom systems, none of which have the same username password etc. It is insane. Then add to that all the personal ones, it becomes ridiculous.
by lkrupp October 8, 2009 7:04 PM PDT
"Never give a sucker an even break, or smarten up a chump." W.C.Fields
Reply to this comment
by atomD21 October 8, 2009 7:14 PM PDT
"For instance, 30 percent used a combination of upper-and lower-case numbers and letters"

What's an upper-case number look like?
Reply to this comment
by Perry_Clease October 8, 2009 7:26 PM PDT
"What's an upper-case number look like?"

!@#$%^&*() /joke

For blogs like this I don't care too much about passwords; I am using a throw-away email address and a nom-de-plume. However, I have concerns about some more important sites that want a password but won't let you use more than 8-10 characters and none of them special.
by superaznman October 8, 2009 8:15 PM PDT
The entire principle of "passwords" is flawed. Good passwords are hard to guess. Hard-to-guess passwords are hard to memorize. People don't like to memorize, so they don't make good passwords. Bad passwords can be guessed or brute-forced from a dictionary. End of story. What's the alternative? Fingerprint scanning is good, but it requires special hardware. Password assistants (auto sign-in things) are dangerous if you use a shared computer. Maybe a USB key is a better idea. Then again, it could be stolen. I think creating a new method of user ID is one of the big technological challenges facing us.
Reply to this comment
by joyofsomeone October 9, 2009 3:03 AM PDT
Actually, it all depends who the person is and where they come up with passwords from.
For instance, my passwords would generally seem like a load of gobbledygook to someone who hasn't read a certain number of books I've read, and would be nigh-impossible to guess, but if you've read these books, then you'll probably recognise them and find them easy to remember. It all depends :)
by markdoiron October 9, 2009 6:11 AM PDT
I agree with Joyofsomeone. My passwords come from my military background, and include jargon peculiar to the military. They include a mix of capitalization, numbers and punctuation. Safe passwords are easily remembered this way. But, I also believe that there should be a password standard that mandates upper and lower case letters, numbers and virtually all punctuation. To not do so is not laziness of the user; it's laziness of the programmers. --mark d.
by renGek October 9, 2009 11:58 AM PDT
It doesn't really matter if your password makes English sense, if it's a foreign language or if it's random stuff. The computer doesn't know the difference between English and Spanish. It's as random as nonsense characters.
A hacker wouldn't use tools that are smarter than that.

It's like the TSA patting you down at the airport to make you feel safer from terrorists. It really doesn't, but it makes you think you are more secure. If you are a hacker using good tools, you can crack a password of 123456 as easily as oqiweurqeru.
by screamapillar October 12, 2009 4:12 PM PDT
I agree with superaznman. Passwords and the idea of 'good' passwords are becoming a major dilemma. There is no standard on any website (some are case sensitive, some aren't, some have alphanumeric requirements, some don't, some have character limits, some don't, character limits differ, etc.). What this means is that we end up with literally dozens of usernames and passwords to remember, far in excess of what we can manage.

The ultimate irony is that people end up writing them down. The more complex, the more demands placed on them by the system, the harder it is to remember. Surely, if you have to write the password down, then you've got a more insecure situation than a simpler or 'bad' password?

I don't have the answers, but I do think that IT 'experts' with their best practice theory have just that - text book styled theory and no concept of the real world and what users face - particularly those in corporate business environments (who'll have dozens of passwords for their work, then dozens more for personal stuff, then all your banking on top, it is endless!)
by superaznman October 8, 2009 8:20 PM PDT
Hmmm, and there seem to be many alejandra/os... then again, the compromised email addresses began with letters A-B.
Reply to this comment
by bvdon October 8, 2009 8:24 PM PDT
i use low security passwords for anything that i don't care about.... all my logins are the same for news sites, bloggers, etc... i don't care. I'm not lazy -- I'm being judicious.
Reply to this comment
by shootfirst October 9, 2009 8:34 AM PDT
I do the same thing. I also use low security passwords on accounts where I want some sort of deniability. If I can prove an account that I use can be easily hacked, and say I did it because I don't care about the account, then if something is done using that account I can just say it was hacked, and with all the botnets out there it seems like a good idea.
by Lerianis3 October 8, 2009 8:27 PM PDT
Most people use these simple passwords because they cannot remember more complicated ones or many of them. Personally, up until someone tried to break into my e-mail account at Comcast (astoundingly by calling my house and saying they were from Comcast and me stupidly giving them my password because it was late at night), I used a very simple password on my e-mail account there. After that, I switched it to a complex password with letters and numbers, and change it once every year (more often if I think there is a problem).
Reply to this comment
by Codet October 8, 2009 10:54 PM PDT
Assuming these are obtained through a phishing scheme, I highly doubt these passwords will come from "spam / throwaway" accounts. If these accounts did belong to this category, I would assume people wouldn't care to open the phishing email in the first place.

Second, I was under the impression (or hoped maybe) such big services would care to require from their users to use passwords with at least some kind of combination of numbers/alphabets/special chars.

On a side note: Apparently 7 users are in love with their emails!
Reply to this comment
by kehandley October 9, 2009 11:15 AM PDT
Make that 16, since 9 had "tequiero" ("Te quiero" = "I love you" in Spanish).
by screamapillar October 12, 2009 4:19 PM PDT
It is possible that many of the password requirements came in after the accounts were made. I have some old accounts with very unique, but not strictly 'good' passwords (i.e., no capitals, no numbers or punctuation). If I had to change my password, I'd never be able to keep that one, so I never change it. Why? I remember it, and not writing it down is part of good security.
by geoffreyji October 8, 2009 10:57 PM PDT
While this is interesting, we cannot assume this is a random sampling. It is easy to imagine that people who are not security conscious (e.g. choose a weak password) are also more likely to fall for a phishing scheme. They would then be over-represented in the resulting data set. Beware all those numbers-of-people-who-did-X statistics here. On the other hand, it is fun to see that some people think that "123456789" is significantly more secure than "123456".
Reply to this comment
by ngngokkiu October 8, 2009 11:54 PM PDT
If you do a statistical analysis on stolen passwords, you are going to get this result. Strong passwords are unique and thus will not be common; weak passwords are going to be common. And yes, people who are not security minded tend to have weak passwords, and are easier to have their passwords stolen. So... is that really anything new?
Reply to this comment
by winstein October 9, 2009 5:40 AM PDT
It is lazy for the developers and network administrators to blame the user. They should come up with more secure ways to help the users conduct everyday business.

It is like blaming someone who did not install more locks when his/her home was broken into.

This is a worldwide issue. We need better border patrols.
Reply to this comment
by screamapillar October 12, 2009 4:21 PM PDT
I agree. It is easy for the password system to require non-sequential numbers and such. However, we have a major issue when the password systems have so many requirements they end up making the password redundant, as you have to write it on a sticky note or something. The number of people with passwords under their keyboards... it is like the house key under the doormat scenario :)
by vidanuevatx October 9, 2009 7:09 AM PDT
One problem with passwords is that every site or system has its own rules. That means you can't think up one good password and use it on almost every site. Another problem is remembering what userid and what password goes with what site. Once you've set up an account for Google and for Yahoo! and for AOL and for CNET and for your bank and for your work and for your school and for your personal web site and for your doctor's system and for an insurance company or two and for a half-dozen other sites, it starts to get confusing. That confusion pushes people toward simpler passwords and simpler userids.

Meanwhile, a related pet peeve of mine: Sites that won't tell you their username and password rules if you've forgotten your information. Often merely knowing their rules is enough to jog my memory, but the site won't tell me, so I need to change my password to yet a different forgettable. :-)
Reply to this comment
by screamapillar October 12, 2009 4:26 PM PDT
Agreed 100%.

And what a great idea - tell me the rules! I use basically 3 words for all my passwords but they have variants depending on the rules of the site (e.g. if capitalisation is required, numbers etc.). I now use the capitalised, numbered version always, but many accounts predate that.

Auto sign-in is another factor for forgetting passwords. I have no idea what one of my gmail account passwords is - why? My browser always auto signed me in. I have another gmail account that automatically checks that particular account too. I can't request a new password because the reference email account was for a previous ISP, so that email no longer exists, so they'd send the password to a dead end. I can't log in to the account properly to change the password and reference email account because I don't know the password... So now, with the cookies deleted, I have no possible chance of ever knowing the password nor changing it. I can only use it because of this second gmail account that accesses it. Sounds pretty confused? Yup, but not an uncommon reality.
by Jonathan October 9, 2009 8:56 AM PDT
Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
Reply to this comment
by xggrand October 9, 2009 11:51 AM PDT
That sounds so Druish!
by markbeadles October 9, 2009 11:20 AM PDT
What this really means, unfortunate to say, is that strong passwords simply don't matter if they can easily be phished. Of the 9843 valid passwords in the analysis, 565 were good passwords that were nonetheless stolen. A lot of good it did these users following the password rules.

-mark beadles
Reply to this comment
by setjeff15081947 October 9, 2009 11:25 AM PDT
Yawn! Bottom Line? The Bad Guys are winning. Will it merely be a matter of a year, or two, more before we mostly abandon the Net and leave it a decimated wasteland populated by criminals breaking into each other's sites?
For the other Luddite on here, there's a fascinating article on the origination of that word on another site whose name I'm not permitted to mention. TECHNIA-cal anyone?
Reply to this comment
by renGek October 9, 2009 12:00 PM PDT
Stupid. Maybe you should also abandon your home because you have no fool proof way of securing your house.
by viper396 October 9, 2009 12:35 PM PDT
@setjeff15081947, what a completely cowardly and ignorant comment to make. With your logic we should also leave our doors unlocked, banks should leave their safes open, and we should forget about protecting our children. You basically said let the criminals win while everyone else should just curl up and hide.
by mathmeister October 9, 2009 1:09 PM PDT
OMG! Someone else thought of my password! And I thought it was a good one, two.

one....two....one...two... hmm, I think I just thought of another one...
Reply to this comment
by eiverson October 12, 2009 10:07 AM PDT
Using two or more separate web browsers (i.e., different vendors) helps protect your web credentials/interests. There's more to it...

http://www.securitynowblog.com/endpoint_security/dual-web-browsers-can-avoid-information-disclosures

Using separate web browsers doesn't cost you anything. Yet, it helps.
Reply to this comment