Hacked Hotmail accounts used weak passwords

The majority of passwords revealed in the recent Hotmail phishing attack would not have taken much cracking in the first place, according to a researcher at security firm Acunetix.

Bogdan Calin said in a blog post that an analysis of the phishing attack and the hacked accounts revealed that the most common password was '123456'.

The details of some 10,000 Windows Live Hotmail accounts were posted online by an anonymous hacker earlier this week, and Calin suspects that it was rather a crude attack that managed to grab just low-hanging passwords.

"My impression is that these passwords have been gathered using phishing kits. Even more, the phishing kit used most probably was badly designed. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalisation)," he wrote.

"What most probably happened is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong."

Calin found that the most popular passwords were rather similar, and that the majority were made up of alphanumeric combinations, as opposed to the often recommended letter/number/symbol combinations. Sixty-four accounts used '123456', and the second most common was '123456789' with 18 users.

Forty-two percent of users stuck with lower case alpha passwords containing only characters from 'a' to 'z', and 19 percent used numeric passwords containing only the numbers '0' to '9'. Just six per cent used mixed passwords containing letters, numbers and other characters.