Following the recent phishing attack on Hotmail accounts, a security researcher at Acunetix has published an interesting analysis of the passwords themselves.

The password list presents an interesting insight into the password selection habits of Hotmail users (and by extension, the wider public).

Of the 10,028 passwords in the initial list, 9,843 remained after cleaning, and 8,931 of those were unique.

Disturbingly, 2,036 (23%) of the passwords were six characters or less, a length which, according to AusCERT, can be cracked in 2.5 hours or less. AusCERT recommends a password length of at least eight characters, which takes up to a year to crack. (Figures like these assume a particular guessing rate and character set; a password made only of lower-case letters or digits has a far smaller keyspace than one of the same length drawn from the full keyboard, and falls correspondingly faster.)

Even more disturbingly:

  • 42% contained only lower-case letters
  • 19% contained only digits
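The kind of triage described above (clean the dump, dedupe it, then bucket the survivors by length and by character class) is easy to reproduce on any password list. The script below is an added example written for this post; it is not Acunetix's analysis code, and it runs on a small constructed sample rather than the leaked data. The per-class alphabet sizes and the guess rate used for the crack-time estimate are assumptions chosen for illustration, not AusCERT's figures.

```python
import string

# Alphabet size assumed for each character class (32 = len(string.punctuation)).
# Real attackers tune these per target, so treat the sizes as an assumption.
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "other": 32}

# Constructed sample standing in for a leaked dump: note the blank line,
# the padded duplicate and the mix of styles. This is not the Hotmail data.
SAMPLE_DUMP = [
    "123456", "password", "abc123", "  password  ", "", "alejandra",
    "ALBERTO", "tequiero", "Alejandro1", "zxcvbn", "AsD!2018", "12345",
]


def clean(lines):
    """The 'cleaning' step: strip surrounding whitespace and drop empty entries."""
    stripped = (line.strip() for line in lines)
    return [pw for pw in stripped if pw]


def char_classes(pw):
    """Set of character classes present in pw: 'lower', 'upper', 'digit', 'other'."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def keyspace(pw):
    """Candidates an exhaustive attacker must try to cover this length and charset."""
    alphabet = sum(CLASS_SIZE[c] for c in char_classes(pw))
    return alphabet ** len(pw)


def crack_hours(pw, guesses_per_second):
    """Worst-case hours to exhaust the keyspace at the given guess rate."""
    return keyspace(pw) / guesses_per_second / 3600


def profile(raw_lines, short_len=6):
    """Clean, dedupe and classify a dump; percentages are of the unique passwords."""
    cleaned = clean(raw_lines)
    unique = set(cleaned)
    n = len(unique)

    def pct(k):
        return round(100.0 * k / n, 1) if n else 0.0

    short = sum(1 for p in unique if len(p) <= short_len)
    lower_only = sum(1 for p in unique if char_classes(p) == {"lower"})
    numeric_only = sum(1 for p in unique if char_classes(p) == {"digit"})
    return {
        "initial": len(raw_lines), "cleaned": len(cleaned), "unique": n,
        "short": short, "short_pct": pct(short),
        "lower_only": lower_only, "lower_only_pct": pct(lower_only),
        "numeric_only": numeric_only, "numeric_only_pct": pct(numeric_only),
    }


if __name__ == "__main__":
    stats = profile(SAMPLE_DUMP)
    for key, value in stats.items():
        print(f"{key:16} {value}")
    # Assumed guess rate for illustration only; real figures depend on the
    # hash algorithm, the hardware and whether the attack is online or offline.
    RATE = 1_000_000
    for pw in ("123456", "zxcvbn", "password", "AsD!2018"):
        print(f"{pw:10} keyspace={keyspace(pw):>20,} hours={crack_hours(pw, RATE):,.2f}")
```

Percentages are taken over the unique passwords, which is the only base on which the post's 2,036 out of 8,931 comes out at 23%. The keyspace figures make the length-versus-charset point concrete: a six-digit PIN has a million candidates, six lower-case letters about 309 million, and eight characters from the full printable set roughly 6 quadrillion.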

Good password selection is a prerequisite for good online security. Further guidance on password selection is provided here.