Wednesday, October 7, 2009

Analysis of Hotmail Passwords by Other People

As the title implies, there have been a few other people who have commented on this dataset.

Link:
Comments:
At first I was a bit worried because their numbers didn't match up with mine. It wasn't until later that I realized all of their analysis was done only on unique passwords. That is, if three people used the password "monkey123," they would count that password only once when generating their statistics. I disagree with some of their conclusions, but it's certainly worth a read since I can be wrong.
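To make the methodological difference concrete, here is an added example (not code from the original post or from any of the analyses it links) that computes the same statistics two ways over a constructed list of passwords: once weighted by how many accounts used each password, and once over the de-duplicated set. The policy check assumes a placeholder six-character minimum, since the post does not state Hotmail's actual rules.

```python
from collections import Counter

# Constructed sample; not from the Hotmail dataset. Repeats stand for
# several accounts sharing the same password.
SAMPLE = (
    ["monkey123"] * 3 + ["123456"] * 4 + ["alejandra", "tequiero"]
    + ["111111"] * 2 + ["Tr0ub4dor&3", "alberto", "12345", "abc"]
)

# Assumed placeholder for the site's creation policy (the post does not
# give Hotmail's real rule); entries failing it are treated as invalid.
ASSUMED_MIN_LENGTH = 6


def passes_policy(password):
    """Return True if the password meets the assumed creation policy."""
    return len(password) >= ASSUMED_MIN_LENGTH


def valid_passwords(passwords):
    """Drop entries that could not have been created under the policy."""
    return [p for p in passwords if passes_policy(p)]


def password_stats(passwords, unique_only=False):
    """Summarise a password list.

    unique_only=False weights each password by the number of accounts
    using it; unique_only=True counts each distinct string once, which
    is the method that produced the mismatched numbers described above.
    """
    pool = sorted(set(passwords)) if unique_only else list(passwords)
    n = len(pool)
    top3 = sum(c for _, c in Counter(pool).most_common(3))
    return {
        "entries": n,
        "numeric_only_pct": round(100 * sum(p.isdigit() for p in pool) / n, 1),
        "mean_length": round(sum(len(p) for p in pool) / n, 2),
        # share of the pool covered by the three most common strings;
        # on a de-duplicated pool this is always 3 / n
        "top3_share_pct": round(100 * top3 / n, 1),
    }


def compare(passwords):
    """Return (account-weighted stats, unique-password stats)."""
    valid = valid_passwords(passwords)
    return password_stats(valid), password_stats(valid, unique_only=True)


if __name__ == "__main__":
    weighted, unique = compare(SAMPLE)
    print("weighted:", weighted)
    print("unique:  ", unique)
```

On the sample the numeric-only share falls from 46.2% to 28.6% and the top-three coverage from 69.2% to 42.9% once duplicates are collapsed, which is the kind of gap the post describes.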

Link:
Comments:
The above post was written as a response to Acunetix's analysis, and I think it brings up some good points on how we need to stop blaming the user for not having some 14-character complex password for every single website they go to. There are some details that once again I don't fully agree with (I'm much more accepting of people writing their passwords down), but it's a good read. I completely agree that the most important thing is to have three classes of passwords: one that you use everywhere, one for medium-sensitivity sites (such as Facebook), and (at least) one strong password for your e-mail and online banking. The simple fact is that phishing and password disclosure (such as one of the sites being hacked) are a much bigger danger to users than password cracking attacks.

Link:
Comments:
This one is in Russian (you can use Babelfish if you want), and it's quite good. It has some excellent graphs. In fact, I'm probably going to steal his idea and make some graphs of my own in a follow-up post, since they convey the information a lot better than raw numbers. Another nice thing he did was exclude all the invalid passwords (such as passwords that didn't meet Hotmail's password creation policy) from his analysis. The best graph was his comparison of the Hotmail passwords to two other Russian password datasets. In short, this was a really good writeup.

1 comment:

Steve said...

The Google translation of the Russian writeup is informative, even though the text in the charts remains inscrutable. A linked article indicates that more than half of published Russian passwords are purely numeric.