All the latest UK technology news, reviews and analysis
|
|
|
07 Oct 2009
The majority of passwords revealed in the recent Hotmail phishing attack would not have taken much cracking in the first place, according to a researcher at security firm Acunetix.
Bogdan Calin said in a blog post that an analysis of the phishing attack and the hacked accounts revealed that the most common password was '123456'.
The details of some 10,000 Windows Live Hotmail accounts were posted online by an anonymous hacker earlier this week, and Calin suspects that it was rather a crude attack that managed to grab just low-hanging passwords.
"My impression is that these passwords have been gathered using phishing kits. Even more, the phishing kit used most probably was badly designed. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalisation)," he wrote.
"What most probably happened is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong."
Calin found that the most popular passwords were rather similar, and that the majority were made up of alphanumeric combinations, as opposed to the often recommended letter/number/symbol combinations. Sixty-four accounts used '123456', and the second most common was '123456789' with 18 users.
Forty-two per cent of users stuck with lower case alpha passwords containing only characters from 'a' to 'z', and 19 per cent used numeric passwords containing only the numbers '0' to '9'. Just six per cent used mixed passwords containing letters, numbers and other characters.
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
EU data protection overhaul contains "bureaucratic tick box-proposals", says information commissioner Christopher Graham in exclusive interview with V3
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Web C# ASP.NET Developer (Equity or Mutual Funds) London...
Senior Exploratory Tester - Selenium, Java, AJAX, WEB...
SQL DBA/ Data Architect (T-SQL, SSIS, ETL) - Derivatives...
Test Analyst (Web, QTP, Test Director, VB.NET, SQL...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Common Passwords?
18 out of 10,000 doesnt seem that common to me, the problem lies with uneducated people who are tricked into entering their details into an unknown website. Those of us who know how phising works would never put our details into a website as we immediatly spot the fake URL or discrepensies with layouts ect. I think the goverment should either run a campaign outlining simple checks that people can do, especially if these passwords then lead on to costing the banks money.
Posted by: Carl Dean 08 Oct 2009
Password strength irrelevant.
Surely the strength of the password is irrelevant if the user is giving it away in a phishing attack.
Posted by: James Shephard 08 Oct 2009