Phished or not, leaked passwords show lazy habits

It's still unclear exactly how 20,000 passwords discovered on the Web recently were stolen, but the finding reveals much in the way of people's password habits: some of us are lazy.

Several lists of passwords from Hotmail, Gmail, Yahoo Mail, and other accounts were discovered and reported on earlier in the week. While, Microsoft, Google, and Yahoo are blaming phishing, a researcher at ScanSafe thinks password-stealing malware on computers could be the culprit, which would mean that more than just the Web e-mail accounts may have been compromised.

More on that later. First, let's look at what an analysis of the leaked passwords reveals.

Security researcher Bogdan Calin did a statistical analysis of the list of more than 10,000 Windows Live Hotmail passwords and wrote about his findings on the Acunetix blog. He discovered that the most common password was "123456", used for 64 of the passwords. In second place was "123456789", used for 18 of them. Also, 42 percent of the passwords used only lower case letters.

While that shows some people aren't exercising caution in securing their e-mail accounts, other statistics reveal that many people are putting more thought into it.

For instance, 30 percent used a combination of upper-and lower-case numbers and letters. Twenty-two percent of the passwords used six characters, 14 percent used seven, 21 percent used eight, and 12 percent used nine characters. One account even had a password that was 30 characters long.

"My impression is that these passwords have been gathered using phishing kits," Calin wrote. "Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live Web site. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened, is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong."

Mary Landesman, senior security researcher at ScanSafe, theorized that passwords were obtained by a data-stealing Trojan horse and not phishing.

There are errors in the list of Hotmail passwords that appear to be the result of improper extracting or merging data, she wrote on the ScanSafe blog.

Among other reasons, Landesman noted that usernames often appear multiple times with the same password except for a slightly different spelling. Also, she said the "@" separating the username from the account is not always present, which could indicate that the data was pieced together from a form or was extracted from a larger set of data.

Asked to comment on Landesman's speculation, Microsoft and Yahoo spokespeople said the companies still think the passwords were phished.

A Google spokesman offered this comment: "Passwords can be compromised in multiple ways, so it's a good idea to take several steps to help protect your personal information. Select unique passwords, especially on your most important Web sites, and use antivirus software to help detect software that may try to steal your password."

It's important to remember that phishing can lead to the download of malware onto a victim's computer. So people may never been known what happened.

Regardless, be careful out there.

This article was first published as a blog post on CNET News.