Phished or not, leaked passwords show lazy habits

It's still unclear exactly how 20,000 passwords discovered on the Web recently were stolen, but the finding reveals much in the way of people's password habits: some of us are lazy.

Several lists of passwords from Hotmail, Gmail, Yahoo Mail, and other accounts were discovered and reported on earlier in the week. While, Microsoft, Google, and Yahoo are blaming phishing, a researcher at ScanSafe thinks password-stealing malware on computers could be the culprit, which would mean that more than just the Web e-mail accounts may have been compromised.

More on that later. First, let's look at what an analysis of the leaked passwords reveals.

Security researcher Bogdan Calin did a statistical analysis of the list of more than 10,000 Windows Live Hotmail passwords and wrote about his findings on the Acunetix blog. He discovered that the most common password was "123456," used for 64 of the passwords. In second place was "123456789," used for 18 of them. Also, 42 percent of the passwords used only lower case letters.

While that shows some people aren't exercising caution in securing their e-mail accounts, other statistics reveal that many people are putting more thought into it.

For instance, 30 percent used a combination of upper- and lower-case letters and numbers. Twenty-two percent of the passwords used six characters, 14 percent used seven, 21 percent used eight, and 12 percent used nine characters. One account even had a password that was 30 characters long.

"My impression is that these passwords have been gathered using phishing kits," Calin writes. "Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live Web site. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened, is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong."

Mary Landesman, senior security researcher at ScanSafe, theorizes that passwords were obtained by a data-stealing Trojan horse and not phishing.

There are errors in the list of Hotmail passwords that appear to be the result of improper extracting or merging data, she writes on the ScanSafe blog.

Among other reasons, Landesman notes that usernames often appear multiple times with the same password except for a slightly different spelling. Also, she said the "@" separating the username from the account is not always present, which could indicate that the data was pieced together from a form or was extracted from a larger set of data.

Asked to comment on Landesman's speculation, Microsoft and Yahoo spokespeople said the companies still think the passwords were phished.

A Google spokesman offered this comment: "Passwords can be compromised in multiple ways, so it's a good idea to take several steps to help protect your personal information. Select unique passwords, especially on your most important Web sites, and use antivirus software to help detect software that may try to steal your password."

It's important to remember that phishing can lead to the download of malware onto a victim's computer. So people may never been known what happened.

Source: CNET

Tags: Internet

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

A mobile hotspot in Australia will be capable of hitting gigabit speeds on the go
A new game could be in the works as Blizzard appears to have been hiring for a Diablo-related project
Nokia CEO Rajeev Suri will speak at MWC 2017
However what if you could go way, way back?
The Helio P15 packs an octa-core Cortex-A53 processor clocked at 2.2GHz
Samsung claims up to 27-percent higher performance or 40-percent lower power
Preliminary data for October shows another Windows 10 boom
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /
HP Slate 7 is a 7-inch Android 4 Tablet PC with good sound
A cost-effective, 7-inch tablet PC from a renowned manufacturer
October 25, 2013 / 4

News Archive



Do you use microSD card with your phone?
or leave your own version in comments