Saturday, October 17, 2009

Analysis of 10k Hotmail Passwords Part 2

There's been a lot of discussion and analysis of this list on various other sites over the last week. That's actually why I'm so interested in it. It isn't the size. Ten thousand passwords aren't that hard to come across on the net, (as scary as that is). The nice thing though is this password list is becoming sort of a common data-set anyone can work on. This keeps us researchers honest, (If I mess up my analysis someone can easily call me on it), and it gives us a way test competing password cracking techniques in a public environment.

First off, I'd like to give Google, E-Bay, and Facebook credit for how they handled this. All three sites suspended user accounts which appeared on the list, (and in the additional 20k list which I'll get to in a second), pending user verification. I don't know the amount of hoops that a user will have to go through to reactivate their accounts, but this step was necessary to protect them. Unfortunately, according to this writeup, Microsoft didn't lock several of the Swedish Hotmail accounts that appeared in the 20k list, (perhaps international .live accounts are handled by a different internal group in Microsoft), and Yahoo did an even worse job. Oh, and apparently the Yahoo accounts were filled with password reset messages, as thieves used the yahoo accounts to compromise other online accounts belonging to those users.

As to the additional 20k list, I finally managed to grab a hold of it. Looking through it, it's fairly obvious that the list was collected via a different attack, and probably was posted online by a different hacker. It just happened to be another list that was posted around the same time on pastebin. I'm going to delay doing analysis of it for now, and focus on the Hotmail list to keep things simple. Later on, once I figure out what tests/analysis proves to be the most useful to people, I'll run them on the 20k list and perhaps show some head-to-head comparisons with the Hotmail,, webhosting talk, myspace, etc lists.

So on to the analysis. As promised, here is a graphical breakdown of the password lengths, with the longest password being 30 characters long, (though that looks like it may have been a typo by the user, since they typed their password in three times with a varying degree of 'o's after it. The actual password was probably 17 characters long). On a side note, I really should put all of this in a pdf whitepaper, since the graphs are fairly hard to read here.

As you can sort of see, (once again, I'm sorry about the blurriness and size), 80% of the passwords fell between 6 and 10 characters long. Manually looking at the invalid passwords, (the ones which were blank and/or less than six characters long), I saw that most of the e-mail addresses associated with them also had an entry containing a valid password, (at least six characters long). I didn't check the whole list, (I do sometimes try to have a life), but I saw 50 invalid passwords that matched a valid username/password combo, and 31 examples where I couldn't match an invalid login attempt to a valid username/password. The 31 unmatched invalid username/password combos almost certainly overstates the case, since for most of those they might have also typed their username in wrong as well. Aka the username listed could be '', but while there were no other login attempts with '' there would be several accounts for '', '', etc. I also saw similar results for people who typed in their e-mail address wrong, (such a All this is just a longer way of saying that there probably was some form of authentication in the collection of this password list. Either they were collected via a keystroke logger, or the phishing site attempted to log into Microsoft's servers using the entered credentials and presented the results to the user.

So the next question is how would these passwords fare in a real password cracking attack? Well, it's late and I need to get some sleep so that will have to wait till part 3 of this writeup.

No comments: