The Hotmail hack attack this week has laid bare the woeful password choices of web users, as reports emerged that up to 1 million web email accounts could have been compromised.
The most common password was "123456", while many users had names or dates of birth - all easy pickings for the determined password cracker.
Password security was thrown into the spotlight this week after it was revealed that 10,000 Hotmail user names and passwords had been leaked online. A day later, a separate list of 20,000 addresses and passwords for Gmail, Yahoo and AOL was found on the web.
The size of the lists, one of which contains only email addresses beginning with A and B, has led security experts to fear that thousands more accounts have been compromised.
Hackers frequently target email accounts because from there they can obtain passwords to other more important accounts such as internet banking. Often, the same password is used for multiple online accounts.
Hijacked email addresses are also used to conduct spam campaigns and targeted phishing attacks on the victim's contacts. Security firm Websense reported that some of the addresses compromised this week were already being used for this purpose.
A security researcher was able to obtain the list of 10,000 Hotmail account details before it was removed from the web and found the passwords used were alarmingly simple.
Bogdan Calin, of Acunetix, found "123456" and "123456789" were the most common, appearing 82 times, while "12345678", "1234567" and "111111" also appeared in the top 10.
Furthermore, 42 per cent of the passwords used only lower case letters from a to z. Just 6 per cent mixed letters and numbers.
The longest password was 30 characters - lafaroleratropezoooooooooooooo - but this still evidently did not prevent the user's account from being hacked. The shortest password was one character: ")".
"A big majority of users still use very poor passwords," Calin concluded.
Security experts say people should always use a combination of letters and numbers in their passwords and avoid those that are easily guessed such as names, dates of birth or words from the dictionary.
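The figures Calin reported (most common password, share of lowercase-only and letter-plus-digit passwords, longest and shortest entry) and the composition advice above are what an auditor computes over a credential dump before notifying users. The following Python script is an added example, not code from the article, Acunetix or any of the firms quoted; it parses a small constructed address:password dump, computes those statistics, and applies the experts' rules (no names, dates of birth or dictionary words; mix letters and digits). The sample entries, the tiny word and name lists, the date formats and the 8-character minimum are all assumptions.

```python
from collections import Counter
from datetime import datetime
import string

# Constructed sample dump (not the real Hotmail list), in the usual
# "address:password" one-entry-per-line layout such dumps are found in.
SAMPLE_DUMP = """\
alice@example.com:123456
andy@example.com:123456
anna@example.com:password
bob@example.com:123456789
bill@example.com:anna1985
beth@example.com:letmein
brad@example.com:)
bruce@example.com:lafaroleratropezoooooooooooooo
bart@example.com:Tr0ub4dor&3
"""

# Constructed stand-ins for a real wordlist and a real first-name list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey"}
COMMON_NAMES = {"anna", "alice", "bob", "john"}

# Assumed date-of-birth layouts to recognise; two-digit years map to 1969-2068.
DATE_FORMATS = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%d/%m/%Y", "%d-%m-%Y", "%d.%m.%Y", "%m%d%Y")
MIN_LENGTH = 8  # assumed policy minimum


def parse_dump(text):
    """Return the password column of an address:password dump, skipping malformed lines."""
    pwds = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, pwd = line.split(":", 1)  # split once: passwords may themselves contain ':'
        if pwd:
            pwds.append(pwd)
    return pwds


def most_common(pwds, n=3):
    """The n most frequent passwords with their counts (ties keep first-seen order)."""
    return Counter(pwds).most_common(n)


def char_class_stats(pwds):
    """Percentage of passwords that are lowercase-only, digits-only, or mix letters and digits."""
    total = len(pwds)
    lower_only = sum(1 for p in pwds if p.isalpha() and p.islower())
    digits_only = sum(1 for p in pwds if p.isdigit())
    mixed = sum(1 for p in pwds
                if any(c.isalpha() for c in p) and any(c.isdigit() for c in p))
    return {
        "lower_only_pct": round(100 * lower_only / total, 1),
        "digits_only_pct": round(100 * digits_only / total, 1),
        "letters_and_digits_pct": round(100 * mixed / total, 1),
    }


def length_extremes(pwds):
    """(shortest, longest) password by character count."""
    return min(pwds, key=len), max(pwds, key=len)


def looks_like_date(pwd):
    """True if the password parses as a plausible calendar date (year 1900-2100)."""
    for fmt in DATE_FORMATS:
        try:
            parsed = datetime.strptime(pwd, fmt)
        except ValueError:
            continue
        if 1900 <= parsed.year <= 2100:
            return True
    return False


def weakness_reasons(pwd):
    """Rules from the article's advice that the password fails; empty list means it passes."""
    reasons = []
    base = pwd.lower()
    if len(pwd) < MIN_LENGTH:
        reasons.append("too short")
    if pwd.isdigit():
        reasons.append("digits only")
    if base in COMMON_WORDS:
        reasons.append("dictionary word")
    if base.rstrip(string.digits) in COMMON_NAMES:
        reasons.append("name (optionally followed by digits)")
    if looks_like_date(pwd):
        reasons.append("looks like a date")
    if not (any(c.isalpha() for c in pwd) and any(c.isdigit() for c in pwd)):
        reasons.append("no mix of letters and digits")
    return reasons


if __name__ == "__main__":
    pwds = parse_dump(SAMPLE_DUMP)
    print("most common:", most_common(pwds))
    print("character classes:", char_class_stats(pwds))
    print("shortest/longest:", length_extremes(pwds))
    for p in pwds:
        print(f"{p!r:34} {weakness_reasons(p) or 'ok'}")
```

Running the script over the sample prints the same kind of summary Calin produced for the real list; the `weakness_reasons` rules are deliberately simple so that each failure maps to one line of the advice, and a real audit would swap the two tiny sets for a full wordlist and name list.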
F-Secure is even advising people to write down their passwords and put them in their wallets, arguing that people use weak passwords because they can't remember strong ones.
Neil O'Neil, a digital forensics investigator at The Logic Group, told Computerworld the security breach was likely to spread even further.
"Making the breach public so soon after the attack occurred has allowed unethical hackers to access the passwords very easily, even though they were deleted a couple of days ago at the request of Microsoft," he said.
"The list went through A and B, so you would think whoever released these has more. And if you do the maths, they could have more than a million passwords."
The BBC reported that Google is already aware of a third list, but it is not clear how many names are on it: http://news.bbc.co.uk/2/hi/technology/8294714.stm
Users of web email accounts are being advised to change their passwords immediately.
(Stuff)