Wednesday, October 07, 2009

On 5th October The Register reported that more than 10,000 passwords had been leaked mysteriously on pastebin.com. See this tweet.

As a follow-up study, the "Acunetix Web Application Security Blog" analysed the kinds of passwords people use.

Some interesting findings are as follows:


Statistics:
  • The list initially contained 10,028 entries.
  • There are 8931 (90%) unique passwords in the list.
  • The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
  • The shortest password was 1 char long : )

Top 20 most common passwords:

  1. 123456 - 64 times
  2. 123456789 - 18 times
  3. alejandra - 11 times
  4. 111111 - 10 times
  5. alberto - 9 times
  6. tequiero - 9 times
  7. alejandro - 9 times
  8. 12345678 - 9 times
  9. 1234567 - 8 times
  10. estrella - 7 times
  11. iloveyou - 7 times
  12. daniel - 7 times
  13. 000000 - 7 times
  14. roberto - 7 times
  15. 654321 - 6 times
  16. bonita - 6 times
  17. sebastian - 6 times
  18. beatriz - 6 times
  19. mariposa - 5 times
  20. america - 5 times

Password length distribution:

  • 1 chars – 2 – 0 %
  • 2 chars – 4 – 0 %
  • 3 chars – 4 – 0 %
  • 4 chars – 31 – 0 %
  • 5 chars – 49 – 1 %
  • 6 chars – 1946 – 22 %
  • 7 chars – 1254 – 14 %
  • 8 chars – 1838 – 21 %
  • 9 chars – 1091 – 12 %
  • 10 chars – 772 – 9 %
  • 11 chars – 527 – 6 %
  • 12 chars – 431 – 5 %
  • 13 chars – 290 – 3 %
  • 14 chars – 219 – 2 %
  • 15 chars – 157 – 2 %
  • 16 chars – 190 – 2 %
  • 17 chars – 56 – 1 %
  • 18 chars – 17 – 0 %
  • 19 chars – 7 – 0 %
  • 20 chars – 14 – 0 %
  • 21 chars – 10 – 0 %
  • 22 chars – 8 – 0 %
  • 23 chars – 3 – 0 %
  • 24 chars – 3 – 0 %
  • 25 chars – 3 – 0 %
  • 26 chars – 0 – 0 %
  • 27 chars – 3 – 0 %
  • 28 chars – 0 – 0 %
  • 29 chars – 1 – 0 %
  • 30 chars – 1 – 0 %

What kind of passwords were in the list?

  • 3,713 = 42 %; lower alpha passwords: passwords containing only characters from ‘a’ to ‘z’.
    Example: iloveyou
  • 291 = 3 %; mixed case alpha passwords: passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’.
    Example: ILoveYou
  • 1707 = 19 %; numeric passwords: passwords containing only numbers (‘0’ to ‘9’).
    Example: 123456
  • 2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-‘z’, ‘A’-‘Z’ and ‘0’-‘9’.
    Example: Iloveyou12
  • 565 = 6 %; mixed alpha + numeric + other characters.
    Example: 1Love You$%@
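The class counts and the length counts above each add up to 8,931, the number of unique passwords, so the statistics were taken over unique entries. The following is an added example, not code from the Acunetix analysis, that computes the same statistics for any password list, for instance when auditing your own user base against a password policy. The function names, the constructed sample list and the handling of all-uppercase and symbol-only passwords are assumptions.

```python
import re
from collections import Counter

# Character classes as described in the list above, narrowest first.
# Assumption: an all-uppercase password counts as "mixed case alpha", and
# anything with a non-alphanumeric character falls into the last class.
CLASSES = [
    ("lower alpha", re.compile(r"[a-z]+")),
    ("mixed case alpha", re.compile(r"[A-Za-z]+")),
    ("numeric", re.compile(r"[0-9]+")),
    ("mixed alpha and numeric", re.compile(r"[A-Za-z0-9]+")),
]
OTHER = "mixed alpha + numeric + other"


def classify(password):
    """Return the first class whose pattern matches the whole password."""
    for name, pattern in CLASSES:
        if pattern.fullmatch(password):
            return name
    return OTHER


def analyze(passwords, top_n=3):
    """Top passwords over all entries; length and class stats over unique ones."""
    counts = Counter(passwords)
    unique = list(counts)
    by_class = Counter(classify(p) for p in unique)
    by_length = Counter(len(p) for p in unique)
    return {
        "total": len(passwords),
        "unique": len(unique),
        "top": counts.most_common(top_n),
        "lengths": dict(sorted(by_length.items())),
        "classes": {name: (n, round(100 * n / len(unique)))
                    for name, n in by_class.items()},
    }


# Constructed sample: example passwords quoted in the post, with repeats.
SAMPLE = ["123456", "123456", "123456", "iloveyou", "iloveyou", "ILoveYou",
          "Iloveyou12", "1Love You$%@", "tequiero", ")"]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```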

Really wonderful analysis. Loved the way people think & care about their passwords
