Data from the latest Hotmail phishing attack indicates that many users do not take security seriously and use weak passwords.
In the phishing attack more than 10,000 Hotmail accounts were compromised and their passwords posted on PasteBin.com. The most common password was "123456". Traditionally, the most common password has been "password" itself.
Among the 10,000 passwords that were posted, "123456" appeared 64 times. The second most popular password was "123456789", which appeared 18 times.
The list was deleted from PasteBin.com as soon as it was discovered. However, attackers can still retrieve it from search engine caches and from any mirror sites that copied it.
In the phishing attack, users were enticed to enter their credentials on a fake web site that looked remarkably similar to Hotmail.com.
Users commonly use their date of birth as their password, and the data posted on PasteBin.com shows this to be a very common practice. It should be avoided: a date of birth is drawn from a tiny search space (a few tens of thousands of plausible dates) and is often public information, so it is very easy to guess.
Most of the usernames and passwords in the list contain Spanish words and names, which indicates that the data was harvested at least in part through a Spanish-language phishing message.
Other common passwords in the list include iloveyou and its Spanish equivalent tequiero. Security experts believe the list was posted online to demonstrate the attackers' skills.
Many users reuse the same password on multiple websites, which leaves their other accounts exposed: if one account is compromised, the attacker can use the same credentials to get into all the others, including PayPal and bank accounts. For this reason, use a different password for each account.
It is time to reconsider the traditional advice on how to choose passwords. The old rule was that the safest course is never to write a password down. The current advice is to use a long, complex password that mixes lower-case and upper-case letters, numbers and other symbols, then write only part of it down and keep that note in your wallet.
If the wallet is stolen, the thief still cannot recover the password, because the note is incomplete. Adding a memorised fragment such as three initials or a postal code at the beginning or end will do the trick, with one caveat: the memorised part should not be something the thief can read off the ID cards sitting in the same wallet.
There are reports that a second dump of at least 30,000 email credentials has also been posted on PasteBin.com. That list contains credentials for Gmail and Yahoo Mail accounts as well.
