Hotmail phish exposes most common passwords

Data from the Hotmail phishing attack proves that consumer password security remains pants. The most common single password in the sample of 10,000 purloined Live ID login credentials posted as a text file to developer site PasteBin.com was "123456", something only marginally more secure than the traditional favourite "password …

COMMENTS

This topic is closed for new posts.


FAIL

It's no wonder...

...a high percentage of the passwords on the list were poor or weak.

They were poor and weak.


Not representative

These are the passwords of people who have been successfully phished, i.e. people who aren't exactly shit-hot when it comes to security matters, so it's not surprising they are piss-poor security-wise.

FAIL

Dumb and Dumber

It doesn't take an idiot to work out that the sort of people most likely to fall for phishing scams are the same people who don't take password security seriously.


Skewed

Of course the analysis results will be skewed because these are the people who fell for a phishing scam (I would suggest that such people probably tend to have weaker passwords).

Grenade

Security Firms

So, are these security firms offering their services for free, seeing as though it's based on information that they themselves downloaded for free?

Happy

really?

Neil O'Neill? I wonder what his middle name is

Go

Keepass

One password for the program, no issue with other passwords being lost. Backup the database, and no reason for insecure / reused passwords anywhere.

http://www.keepass.info

FAIL

Password in wallet

If you need to write your password down because you can't remember it, then how are you going to be able to change it when it has been stolen along with your money?

Alert

Like shooting phish in a barrel

So not only did these people have pants passwords they also entered said password into a form not linked in any way to Hotmail?

Some kind of worldwide general public 'IT and Security' training is needed methinks. Yeah I know, that is impossible.


Wallet

So your password list gets nicked along with the wallet. Exactly how do you change your password then if your list of passwords has been nicked? Especially if you have to change it before the thief looks at the contents of the wallet and logs on to your bank - I can imagine your bank's response when they find out you kept your password with your bank card!

Silver badge
Boffin

Be careful in drawing any correlations from this data

If, indeed, it was gained through a phishing attack, there is also a possible correlation between people who use weak passwords and those who fall for phishing attacks to be controlled for. In other words, there are probably a higher percentage of weak passwords in this list than there would be in the general population of hotmail users.

Anonymous Coward

So What?

My Hotmail account password is as weak as hell and I don't give a shit.

Do you know why? It's because it's just a fucking hotmail account. Not the keys to my front door.


How accurate is the list?

Assuming that not all of the passwords were checked before being posted, what makes anyone think that they are real? I've given fake information to phishers for a lark myself.

Hi. My name is Ima Lamer. My email is abuse@yourregistrar.com. My password is eatshitanddieyoulamer. &etc.

Stop

Probably one of those sites...

...that says, 'See if any of your friends are already on here/using XYZ by giving us your hotmail/gmail/etc login details to check.'

Seriously, who in their right mind trusts any site with such details? If someone really wants to find this out so badly, they should type them out one by one or, if skilled enough, write a program to do this for them. But anyone skilled enough to do that would probably be clever enough to realise what a waste of time and effort it would all be anyway.

Thing is, these sorts of requests for login details are two a penny on almost every social networking or general time-consuming site that's out there, and for the general population, having this sort of social site currency is so important that they must take the risk any time they see such a form. :(

Stop

Coded passwords

I've been writing down my passwords for years, but only in coded form. Just a hint to remind me which of the 5 or so passwords I use for the 20+ accounts I need to remember, never the full password. Not ideal, but the information is no use to anyone if stolen, and is a manageable number that my brain can cope with.

Putting full passwords in your wallet isn't clever. That's traditionally something that is more likely to get stolen from you than anything else!


@Antony

I thought the same thing, if you don't know your password then you can't change it.

If you know your password, why write it down at all?

I like the old postcode idea, might use that one. erm then again, might not ;)

Boffin

Passwords

I generally use passwords on multiple sites because otherwise I'd have no way of remembering them.

BUT

I take precautions such that general purpose websites have one password, email has another and banking/paypal/etc have completely independent ones.

So I only have to remember half a dozen passwords for every site I've ever signed up to; and I maintain degrees of separation from important info!

Alert

Go phish

I've kept my hotmail account for many years, mostly for endeavors I think are likely to promulgate my address. But I never use the web to check it and I'm not happy to be lumped into a phishing victim category!! My login was compromised (I have seen the bogus emails sent) and they got that information some other way. Not to mention that a message from the service provider would have been a better way to find out about it than complaints and failures from my 7-year-old online contact list.


if your password is "123456"

then your account isn't worth stealing anyway.

What are the scammers going to do with the hotmail login details for 10,000 lager louts and dole dossers?

Yeah there's BIG MONEY to be had pillaging their overdrawn bank accounts.

/now that's sarcasm.

Anonymous Coward

Employer insists on weak password

My partner's employer insists that laptops do not belong to particular members of staff, but can be used interchangeably by anybody, and therefore the password MUST be "password".

Seriously - hence the AC. Any advice on shifting this degree of stupidity would be appreciated.

Anonymous Coward

Re. So What?

"My Hotmail account password is as weak as hell and I don't give a shit. Do you know why? It's because it's just a fucking hotmail account. Not the keys to my front door."

Well, if you say so swearing person.

Others may beg to differ and keep rather more info in it than spam and, in your case, e-mails probably containing naughty words. That you don't is neither here nor there. Not everyone is obviously as brilliant as you. Well done and keep it up.


My password is simple

I use the same one for everything and I have had no trouble at all. Even if someone guessed my password it would make no difference as I am not stupid enough to put any real info online.

FAIL

Slightly OT, but....

...it still amazes me the number of organisations, including banks, that won't let me use non-alphanumeric characters in my password i.e. !"£$%^&*() etc.

Hell, even equifax, who are supposed to be guardians of all my credit data won't let me do this. That's a serious WTF.

FAIL

What kind of idiot system

What kind of idiot system accepts a password like 123456 anyway?

Coffee/keyboard

Passed Words

Neil O'Neill? I wonder what his middle name is

Probably the same as his passwords

Joke

I'm always careful

I exercise extreme caution when choosing and using passwords.

Right now, my current password for some of my accounts is 123456querty

I find this particular mixture of numbers and letters would thwart most hackers.

You'll see I've used the most popular password, but with a bit of a cunning plan, I bolted some letters onto the end. You just have to know how to play them at their own game really, it's that simple.

I may switch to using my current postcode - SW183QX, that's a good one, or my mobile number, 07831243321 - they'd never get that. I suppose using parts of my name, Matt Finley Dawson, could work fine too. Or maybe my bank account number? - 894341243

It surprises me how silly people can be with this kind of sensitive data.


Um...

How 'bout we recognize that passwords alone are the equivalent of just weak padlocks and it doesn't matter how fancy you make them today?

What will be truly great is once one of these major sites has its password database stolen, and a massive rainbow table attack is run against it using distributed computing (think: zombie network).

Most stuff online just needs a really simple, weak password to keep the honest folks out. Keep the more complex ones for where you actually need high security.

Anything needing truly high security we need systems better than passwords. Tokens, password protected keys, or the ability to authenticate transactions by out-of-band means -- i.e. you do an online banking transaction, your cell phone gets an SMS with an authorization code you then type into the website to authenticate the transaction.

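The post above pairs two ideas: that a stolen password database invites a precomputed (rainbow table) attack, and that the strength of an individual password stops mattering once the database is in attacker hands. The following is an added example, not code from the thread or from Microsoft, and the hashing schemes in it (plain SHA-256 versus per-user salt plus PBKDF2) are illustrative choices, not a description of how Hotmail stored credentials. All user names, passwords and the attacker wordlist are constructed for the demonstration.

```python
"""Added example, not code from the original thread or from The Register:
why a precomputed ("rainbow table") attack cracks an unsalted password
database but fails against one that stores a random per-user salt and a
slow hash. Every user name, password and wordlist entry below is
constructed for the demonstration."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster

# Constructed accounts: three of four pick passwords of the kind the
# article found most common, and two of them pick the same one.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "password1",
    "dave": "xK9#v2Lq!m",
}

# Constructed attacker wordlist, hashed once before any leak is seen.
WORDLIST = ["123456", "12345", "password", "password1", "qwerty", "123456789"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash of the bare password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext. A true rainbow table chains reductions
    to save space; a plain dictionary shows the same precomputation payoff."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(db, table):
    """Every stored hash is a direct key into the precomputed table."""
    return {user: table[h] for user, h in db.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The hardened scheme: random per-user salt plus PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_salted(users, iterations=ITERATIONS):
    """Return {user: (salt, hash)} with a fresh 16-byte salt per user."""
    db = {}
    for user, password in users.items():
        salt = os.urandom(16)
        db[user] = (salt, salted_hash(password, salt, iterations))
    return db


def crack_salted_with_table(db, table):
    """Try the same precomputed table against the salted store. The table
    was built without the salts, so no entry can match."""
    return {user: table[h.hex()] for user, (_salt, h) in db.items() if h.hex() in table}


def verify(db, user, attempt, iterations=ITERATIONS):
    """Constant-time comparison of a login attempt against the stored hash."""
    salt, stored = db[user]
    return hmac.compare_digest(stored, salted_hash(attempt, salt, iterations))


def demo():
    table = build_lookup_table(WORDLIST)
    unsalted_db = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted_db = store_salted(SAMPLE_USERS)
    return {
        "cracked_unsalted": crack_unsalted(unsalted_db, table),
        "identical_hashes_unsalted": unsalted_db["alice"] == unsalted_db["bob"],
        "cracked_salted": crack_salted_with_table(salted_db, table),
        "identical_hashes_salted": salted_db["alice"][1] == salted_db["bob"][1],
        "alice_login_ok": verify(salted_db, "alice", "123456"),
        "alice_wrong_pw": verify(salted_db, "alice", "12345"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` cracks alice, bob and carol from the unsalted store with a single table lookup each, and shows that alice and bob are visibly the same password even before cracking; against the salted store the same table recovers nothing and the two hashes differ. The caveat that supports the post's "weak padlock" point: the salt only defeats precomputation and cross-user reuse. An attacker holding the dump can still run the wordlist per user, at the cost of one PBKDF2 computation per guess, and "123456" or "password1" falls after a handful of guesses either way. Salting and a slow KDF buy time for the users who chose something outside the wordlist; they do not rescue the ones in the article's top ten.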
Gold badge
Coat

@ My password is simple

No it isn't. I even tried it in uppercase: "SIMPLE".

I use ****** myself, at least I can still read that when I type it in..

:-)

Stop

Phishing Scam?

My wife had her hotmail account hacked NOT through a phishing scam but by someone inside a UK based E-commerce site.

She ordered t-shirts printed for her mates' "hen do" from the cheapest online t-shirt place. A week after receiving the shirts in good order suddenly she was sending all of her contacts e-mails saying how great and cheap the t-shirt printers was. Only she hadn't sent any of them.

It was obvious that she had her account used to push out spam for the company she ordered with. She had used the same password for the e-commerce site as for her email, which she obviously entered into the site as well.

So, I think it is very possible that these are not specifically people falling for a dedicated phishing ring but frighteningly by apparently genuine businesses. I only hope to god that we don't get a credit card bill through for lots more t-shirts.

Coat

@Matt 89

Is this some kind of hoax? I tried to ring you to get your pin number so I could keep it safe, and you didn't answer.

I've got £5,000,000 I need to get out of the country, because my grandad died in a fishing incident organised by the government.

WTF?

How accurate is the list?

That's a good one, @Dan 21. My favourite food to feed the phishers is the data for good, old William Edward Goat (who usually goes by his nick-name). :-) So, since he's an adolescent male, I wonder if his ID (goatsex) has shown up in any of the lists? ;-)

Silver badge

Sometimes it's not the users

I always try and make my passwords adhere to the three out of four requirements - where the four are upper case, lower case, numbers, symbols, but it isn't helped when some companies, e.g. Blizzard, don't allow most symbols, and don't distinguish between upper and lower case.

It's not just the users; sometimes the hosts make it hard to get secure passwords.

Bronze badge

@ Employer insists on weak password

1. Download sensitive client data onto laptop

2. "Lose" laptop. 815 to Waterloo seems to be popular

3. Post sensitive data on Wikileaks

4. Call journalist with scoop. Describe security routine. Name boss.

That should do it.

Joke

12345?

That's the same combination on my luggage!

FAIL

@What kind of idiot system

Worse still, it allows a 1 character password!

WTF?

@AC Employer insists on weak passwords

Check your employer's IT acceptable use policy, if (like mine) it describes password sharing as a disciplinary offence then complain to corporate security.

Silver badge
Troll

remembering passwords..

does anyone remember the old Lloyds advert (for something) that had a telephone number of 0800 71723 ?

That's how you remember a password :D


-> Employer insists on weak password #

Can't they use their individual domain credentials?

Steve

Anonymous Coward

Employer insists on weak password

Thanks to Anomalous Cowherd for advice on how to get the sack, but I am already helping another friend with this kind of situation.

The employer in question is in the public sector and any "sensitive data" would harm innocent people.

I was looking for a guide to computer security aimed at a level of computer illiteracy that is probably beyond the comprehension of any El Reg reader - maybe I should ask Sun readers for their advice instead.

Silver badge

Stupidity will always win

Some people simply CAN'T be educated, no matter what you do.

Personally I memorise just two complex passwords. One is my bank account. The other is the encrypted section of my 'pooter. All the others (along with my documents etc.) are stored there. Exactly where I will need them.

If anyone can get at those then I need to have words with a certain Mr Zimmermann!

P.S.

Yes I do keep an identically encrypted backup 'off-site'.

Coat

AC?

AC wrote:

"1. Download sensitive client data onto laptop

2. "Lose" laptop. 815 to Waterloo seems to be popular

3. Post sensitive data on Wikileaks

4. Call journalist with scoop. Describe security routine. Name boss.

That should do it."

You are Simon Travaglia, and I claim my 5 pounds....

Badgers

Keyboard Patterns

keyboard patterns work well. Like 1793zqpm which is the four corners of the key number pad and four corners of the alphabet keyboard.. They are easy to remember. There is no particular pattern from a computational standpoint.

But then, I'm dirt poor and my life doesn't amount to much so no one really cares a hoot about me anyways. I'm really just not significant enough to be hacked.

Anonymous Coward

Worse & worse

I have to agree with comments posted about lots of places not allowing decent secure passwords with special chars.

I currently work for a major oil company, who have recently rolled out a special password system. It basically synchronises all your different passwords so they are the same, and because of the limitations of one of the legacy systems it can't allow more than 8 digits or any special chars etc. We are limited to an 8 char alphanumeric. It HAS to be 8 chars long (ok I guess it stops you having a silly short password).

To make matters worse there is now an option to reset your password on the log in screen, where all you have to answer are 4 pre defined questions 'mothers maiden name' etc.

Some systems I've used insist that you can't have a numerical for the first digit (making even less brute force required).

It's sad that many banking sites etc are also limited by this kind of short-sightedness when it comes to programming their security.

Some of us actually want to try to use secure passwords, but often I find that I have a great system for remembering a complex password only to be told my password isn't acceptable. I'm then forced to invent a new system of remembering the password which I then completely forget!

Anonymous Coward

Passwords suck

Why are people so derisive of people who use easy to crack passwords?

You can't blame them in my view.

The internet needs a single, standard password system.

At the moment we have:

• non-case sensitive

• case sensitive

• minimum of 5 characters

• minimum of 6 characters

• maximum of 9 characters

• must include 1 number

• must include 2 numbers

• numeric only

• letters only

• pre-determined numbers for banking

I have 4 related passwords for whichever type of password the site requires from the list above. It's the only way it's possible to remember.

The problem is that we've been told never to write them down, but it's impossible to remember 30 sites that require passwords other than keep the same, or similar ones for each site. And unless they are easy to remember, you've no chance.

Dead Vulture

no shit

people who are foolish enough to be duped by a simple phishing scam have weak passwords.

Paris Hilton

My Method Of PW Recall.

I was going to post it, but thought better of it.

PH because her defences are pretty weak.

J 3
Paris Hilton

@Password in wallet

Well, you'd reset them the same way you reset forgotten passwords now, I suppose?

Although it is sure true that the bank would love to hear that you kept the bank/credit cards together with the written passwords...

A system that works well for me is using the first (or second, or third, etc) letters of each word from part of a song/book passage/poem/motto/whatever, substituting some character for others (e.g. 3 for an e, 1 for either i or L or even the whole word "one", etc.). That way you end up with something that "looks random", but that has meaning to you. Then your password reminder could be something like "Douglas Adams" or "SRV", and good luck to anyone who'd try to guess which part from which book/song (and using which scheme) you are using there.

WWPD?

Megaphone

Obscure song lyrics

generally work for me, the more obscure the lyric (but particularly well remembered by me, having bawled them out along to the band responsible for them countless times) the better

Shouty icon, cos I'll happily shout my passwords during the song they come from


Brute forcing

So given the data analysed from above, there is an almost 1% chance of guessing the person's password in 3 attempts by going down the list. (100*93/9843)

More if you assume a country of origin.

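The post above does the key calculation by hand: take a leaked dump, rank passwords by frequency, and the share of accounts covered by the top few guesses is the success rate of an online guesser who gets that many attempts before lockout (93 of 9,843 entries for three guesses, the 9,843 rather than 10,000 suggesting blank lines were excluded). The following is an added example, not code from the thread, that generalises the arithmetic to any dump and any guess budget. The dump it parses is a constructed sample, not the real PasteBin file, and its tie-breaking rule (alphabetical among equal counts) is a choice made here for reproducibility.

```python
"""Added example, not from the original thread: estimate how often an
online password guesser succeeds within a fixed guess budget, using the
frequency distribution of a leaked dump. SAMPLE_DUMP is constructed for
the demonstration and is not the leaked Hotmail file."""
from collections import Counter

# Constructed sample dump: one password per line, in the shape of the
# leaked text file, with blank and whitespace-only lines left in on purpose.
SAMPLE_DUMP = """123456
123456
123456
123456
password
123456789
qwerty
iloveyou

111111
123456
password
rockyou
12345678
abc123
qwerty
 
nicole
daniel
babygirl
monkey
lovely
jessica
654321
michael
ashley
qwerty
111111
iloveyou
000000
"""


def parse_dump(text):
    """One credential per line; drop blank/whitespace-only lines, which is
    how a 10,000-line file ends up with 9,843 usable entries."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def ranked(passwords):
    """(password, count) pairs, most common first; ties broken alphabetically
    so the guess order is deterministic."""
    counts = Counter(passwords)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage(passwords, k):
    """Fraction of accounts whose password is among the first k guesses,
    i.e. the per-account success probability of an attacker allowed k tries."""
    top = ranked(passwords)[:k]
    return sum(count for _, count in top) / len(passwords)


def guesses_needed(passwords, target):
    """Smallest guess budget k with coverage(passwords, k) >= target, or None
    if even guessing every distinct password in the dump cannot reach it."""
    total = len(passwords)
    running = 0
    for k, (_, count) in enumerate(ranked(passwords), start=1):
        running += count
        if running / total >= target:
            return k
    return None


def expected_accounts_hit(passwords, k, n_accounts):
    """Expected compromises from spraying the top-k list across n_accounts
    victims, assuming they draw passwords like the population in the dump."""
    return coverage(passwords, k) * n_accounts


if __name__ == "__main__":
    pw = parse_dump(SAMPLE_DUMP)
    print(f"{len(pw)} usable entries, top 3: {ranked(pw)[:3]}")
    for k in (1, 3, 5):
        print(f"{k} guesses cover {coverage(pw, k):.1%} of accounts")
    print(f"guesses for 50% coverage: {guesses_needed(pw, 0.5)}")
    print(f"expected hits spraying top 3 at 10,000 accounts: "
          f"{expected_accounts_hit(pw, 3, 10_000):.0f}")
```

On the constructed sample, three guesses cover 10 of 28 accounts; on the real dump the post's figure is 93/9843, under 1%, because the real distribution has a much longer tail. Two caveats for anyone applying this to a production lockout policy: the rate scales linearly with the number of attempts allowed, so a lockout after five tries rather than three raises it by the coverage of guesses four and five, not by a fixed amount; and, as several posters above note, a dump of phished users is a biased sample, so the figure is an upper bound for the general population and the post's "more if you assume a country of origin" holds because regional frequency lists are tighter still.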
Anonymous Coward

the other side of the coin

I work at a US government agency that insisted on requiring highly secure passwords for foreign companies to register with them. Many of these are non-English speaking; the information is almost all publicly available to start with (Company name, address, phone, etc.); and then they are required to change the PW every 90 days, even though most of them will probably only log into the account once every few years when an item of the above info changes (new phone, new company HQ, etc.).

