
Weak Passwords Discovered in the 10,000 Disclosed Hotmail/Live.com/MSN leaked accounts

By now, hopefully everyone has heard of the security breach in which a public site was found listing the account usernames and passwords of some 10,000 users. Initially it was reported to involve only Hotmail/Live.com/MSN, but it turns out Yahoo!, Earthlink, GMail, and others were also affected. The attackers got at the information using phishing attacks, so it wasn't a breach of any of the sites themselves. Still, it meant someone was in possession of that account information, and that is an issue for the folks affected. And since the list only had names starting with the letters A and B, there are surely a whole lot more than 10,000 affected.

Since the list was publicly available, a security researcher was able to grab it before it was pulled offline. What was found wasn't surprising, but it shows we still have a long way to go with respect to educating folks about online security. Here are some of the details the report contains:

  • The password "123456" was the most common, occurring 64 times.
  • Almost 2,000 of the 10,000 passwords were only 6 characters in length.
  • Most of the top 20 passwords were names (it happened that they were Spanish names, meaning the phishing attack likely targeted Spanish-speaking communities, but we can take from it that a lot of folks still use names as passwords).
  • Over 40% of the passwords only used lowercase characters.
  • 19% only used numbers.

Passwords are still a necessary evil. And for some folks, that email account may have represented a "throw away" type of email address, but I suspect for a lot of folks, they just didn't know better with respect to doing a better job with passwords. Microsoft has published some good guidance to help with picking relatively strong passwords, and it's not hard to do. As for me? I like long passwords that are based on phrases that make sense to me with mixed case, special characters, and numeric characters as well. I know I'm paranoid about that stuff, but I have found that when I do that, it's not that difficult. In a lot of cases I just let my password vault generate a random password and use that for a given web site. But if it's somewhere that I'm going to need to log onto and I suspect I won't have my password vault, I'll follow my own algorithm. Here's how I might go about picking a password:

  • I can think of something related to the site or the activity. For instance, for SQL Server Central, I might think about something related to SQL Server. Let's go with, "I'm glad I'm not on SQL Server 6.5!"
  • I can use that as a starting point for a passphrase (when you use a phrase for the password): I'mgladI'mnotonSQLServer6.5!
  • We already have mixed case, numeric, and special characters in that passphrase. But we could still make it more complex.
  • Let's substitute the "o" character with the "#" character. That's not a standard substitution. That leaves us with: I'mgladI'mn#t#nSQLServer6.5!
  • And we're left with a 28 character password that has mixed case, numeric, and special characters. One that should be relatively easy to remember.
  • Now, if you didn't want to have to type 28 characters, you could shorten it to just the first character of each word (remember we've substituted the "o" with "#"), leaving the numbers intact: IgIn#SS6.5!
  • And you're still left with an 11 character mixed cased, numeric, special character password that should hopefully be easy to remember.
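As an added worked example (not code from the original article), here is the derivation above in Python, together with a check that flags the weak patterns the leaked-list report counted. The sentence and the "o" to "#" substitution are the article's; the function names and the sample password list are constructed for illustration.

```python
from collections import Counter

# Constructed inputs (the article's worked example, not real data):
# the starting sentence and its non-standard substitution "o" -> "#".
SENTENCE = "I'm glad I'm not on SQL Server 6.5!"
SUBSTITUTIONS = {"o": "#"}

def apply_subs(text: str, subs: dict) -> str:
    """Apply each character substitution in order."""
    for old, new in subs.items():
        text = text.replace(old, new)
    return text

def passphrase(sentence: str, subs: dict) -> str:
    """Steps 2 and 4 of the article: drop the spaces, then substitute."""
    return apply_subs("".join(sentence.split()), subs)

def initialism(sentence: str, subs: dict) -> str:
    """Step 6: keep the first character of each word, except that a token
    containing a digit (here "6.5!") is kept whole; then substitute."""
    parts = [w if any(c.isdigit() for c in w) else w[0] for w in sentence.split()]
    return apply_subs("".join(parts), subs)

def weak_flags(password: str) -> list:
    """Flag the patterns the report called out: six characters or fewer,
    lowercase letters only, digits only. An empty list means none apply."""
    flags = []
    if len(password) <= 6:
        flags.append("short")
    if password.isalpha() and password.islower():
        flags.append("lowercase-only")
    if password.isdigit():
        flags.append("digits-only")
    return flags

def summarize(passwords: list) -> dict:
    """Reproduce the report's headline figures over a password list."""
    common, count = Counter(passwords).most_common(1)[0]
    tally = Counter(flag for p in passwords for flag in weak_flags(p))
    return {
        "most_common": common,
        "most_common_count": count,
        "short": tally["short"],
        "lowercase_only": tally["lowercase-only"],
        "digits_only": tally["digits-only"],
    }
```

Running `passphrase(SENTENCE, SUBSTITUTIONS)` gives the 28-character form and `initialism(SENTENCE, SUBSTITUTIONS)` the 11-character form from the steps above; `summarize` applied to a dump of passwords yields the same kind of figures the report published.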

And on a side note, no, that's not my SQL Server Central password. While I can think of something related to the site or activity, I tend not to. I tend to think of something that usually makes no sense at all except to me and build from there. For instance, maybe something happened on SSC in the forums once that reminded me of Yosemite Sam. There hasn't been, to my knowledge, but if there had been, that may be what I initially derive my password from. If you know me and you know the site, you may assume I'd connect something related, and if you begin your attempts to brute force a password of mine on that basis, you're already going down the wrong path. So why do I recommend that folks start with something related? Because for folks who aren't used to generating "complex" passwords, it gives them a starting point which, if they follow the rules, leads to an ending point so ambiguous that it doesn't matter much. Me? I'm just paranoid like that.



K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.


Posted by cherie j sheriff on 7 October 2009

I agree completely with having secure passwords, but many sites need to update their ability to handle strong password also.  AT&T doesn't allow use of special characters and I know some bank websites that are the same.  With corporations moving to use online banking too, maybe the banks will have to step up.  

Posted by nilima mandhane on 13 October 2009

I too agree that passwords should be strong enough. But in the case of phishing attacks, whether the password is strong or weak, attackers would get hold of the passwords...

Posted by Robert Morris-284360 on 13 October 2009

The problem with strong passwords is that people write them on post-its and stick them to their computers.  If you want to know someone's password, phone them and say you are from IT; 99 times out of 100 they'll give it to you.

Posted by Gary Varga on 13 October 2009

Another problem I still come across are sites that store the passwords themselves (not the case here). I thought best practise was to store the hash and an indication of the hashing algorithm e.g. the salt value.

It is made worse sometimes by displaying the password in open text on a profile page that does not even require SSL.

Our industry is failing the users. We cannot expect users to behave better than the experts.

Posted by james.west-sadler on 13 October 2009

What do you guys think about the Security Expert Roger Thompson who suggested that we should write down our passwords?

See: blogs.pcmag.com/.../write_your_passwords_down.php

Posted by sjb500 on 13 October 2009

That's all very well but if you're an "Alzheimic" like me then anything beyond six characters is always going to be difficult to remember...especially when you multiply that by the number of different accounts you access. Roll on biometric sign on...

Posted by GRScow on 13 October 2009

I agree with the comment that the industry is failing users...

I store all of my passwords in my phone which has a security code to access.  I might have around 60 passwords, with other codes that sites ask for to validate (things like mother's maiden name).  This is patently ridiculous and of course I need some sort of backup of my phone so loss of the phone doesn't leave me dead in the water.  The phone file must be password-secured, encrypted and backed up.  The phone should facilitate this of course.

This points to the need for a more universal access mechanism like your phone that connects wirelessly to any computer that you may be using to log in.  That phone, along with either a bio-scan or a single password (or both) should get you into any account that you create.  

Obviously, this should all be encrypted at every step of the way.  It wouldn't have to be your phone - it could be some sort of data dongle that stores all of your data, identity and passwords.   Why is your personal data only kept by others such as the doctors, lawyers, gov't, and accountants?

Gone should be data storage on your computers themselves; everything you need about you resides on your phone/dongle.  All secure beyond secure.

He/She who wants to be the next Bill Gates should solve this technical, political and social puzzle and make the world a better (and more secure) place.

Posted by john.duke on 13 October 2009

Many sites still only allow passwords to be a max of 8 characters. At least one site I've logged in to "appears" to accept longer passwords, but is actually using the first 8 chars and discarding the remainder (without even telling you that is what is happening); so you think you've created a strong password, but maybe not -- if the upper case, special characters and numbers are all after the 8th position!

Posted by TSun TSu X on 13 October 2009

Some operating systems still only allow an 8 character max password for user logins.

Posted by david.stein on 13 October 2009

Good article Brian.  However, I think it's important to note that those findings are skewed because of the user base.  Those users who are more likely to give their passwords up to phishing attempts would also be the most likely to use simple passwords.  No?

Posted by Ben Langton on 13 October 2009

Nice article.  In my opinion, a complex password like "IgIn#SS6.5!" is not easy to remember, though.  Having to remember the entire thought process of how you arrived at the password in order to derive the actual password is inherently inefficient, when all you want to do is check your email.  I agree with GRScow that a new paradigm is needed.

When I don't use complex passwords, one of the main reasons is that they are literally painful to type.  I often use a pattern on the keyboard for my passwords.  Something that meets complexity rules, yet is easy to build muscle memory for, since frequent password changes are also an important element of security.

Posted by john.priest on 13 October 2009

Passwords and how to remember them have been an on-going debate as long as I have been in the industry (nearly 30yrs - no I can't remember when people chiseled them onto post-it rocks :-)

Like GRScow I have an electronic diary which has a secure area which contains all my passwords/pins, etc. I have a very strong password to that area which means I really only need to remember one password - though I can usually remember most of them (old timers hasn't struck yet).

Another method a workmate used was to pick countries in alphabetical order, then he would make the password the capital of that country. Another used the birthday of his wife - at least the one he 'remembered' when they first got married until his wife pointed out that he was seriously mistaken - it became something he remembered, and if someone used his wife's real birthday (the actual one) then that would not work. He never divulged how far out he was, just that it was not the right day or month, and the grief he got meant he never forgot it or the real one ever again.

Posted by Shaik Munavvar Hussain on 15 October 2009

Yes, to avoid hacking one must have complex passwords.
