Wednesday, October 7, 2009

Webmail accounts at risk

The phishing attack that has affected several webmail services reveals that a majority of passwords are not robust.

Last week, a list of over 10,000 Windows Live Hotmail accounts, with addresses and passwords, was published on the Web. Microsoft has confirmed a phishing attack that apparently worked on users. The publication then continued with affected Gmail or Yahoo! Mail accounts.

In this major attack, passwords were not cracked, but the analysis of the first list may give cold sweats to those computer security proponents who focus heavily on choosing a robust and unique password, renewed every three months if possible.

A researcher at Acunetix conducted a quick statistical analysis of the passwords used for the compromised Hotmail, MSN and Live.com accounts, most of them from Europe. For 42% of the users successfully phished, the password was composed solely of lowercase letters. For 19%, the password consisted only of digits, and so the most frequent password was the thoroughly banal 123456 (64 times), followed by 123456789.

3% of the passwords used a mixture of uppercase and lowercase letters, and 30% a mixture of letters and numbers. Finally, only 6% of the passwords were a mix of alphanumeric and non-alphanumeric characters, the type of password considered the most robust.

The most commonly encountered password lengths were six (22%) or eight characters (21%). The shortest password contained a single character and the longest thirty: lafaroleratropezoooooooooooooo. Many passwords were Hispanic-sounding names. Was this a phishing campaign targeting Hispanic users?
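The kind of composition and length breakdown described above can be reproduced on any password list an administrator is authorised to audit. The following is an added example, not the Acunetix researcher's code; the class names, the "other" bucket and the sample list are assumptions, and the classes are ASCII-only, so accented letters count as non-alphanumeric.

```python
from collections import Counter
import string

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGIT = set(string.digits)

def classify(pw):
    """Place a password in one of the composition classes the analysis uses."""
    chars = set(pw)
    lower, upper, digit = chars & LOWER, chars & UPPER, chars & DIGIT
    symbol = chars - LOWER - UPPER - DIGIT
    if symbol:
        # "other" (symbols only) is an added bucket, not one from the article
        return "alnum + non-alnum" if (lower or upper or digit) else "other"
    if digit:
        return "letters + digits" if (lower or upper) else "digits only"
    if lower and upper:
        return "mixed case"
    if lower:
        return "lowercase only"
    return "other"  # uppercase only or empty: also not covered by the article

def summarize(passwords):
    """Return class percentages, the top password and the length spread."""
    total = len(passwords)
    classes = Counter(classify(p) for p in passwords)
    lengths = Counter(len(p) for p in passwords)
    return {
        "classes": {c: round(100 * n / total, 1) for c, n in classes.items()},
        "top_password": Counter(passwords).most_common(1)[0],
        "top_length": lengths.most_common(1)[0][0],
        "shortest": min(lengths),
        "longest": max(lengths),
    }

# Constructed sample for illustration, not taken from the published list
SAMPLE = ["123456", "123456", "123456789", "maria", "qwerty",
          "sevilla", "Carlos", "juan1985", "abc123", "P@ssw0rd!"]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```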
