Earlier this week, over 30,000 email account names and passwords were anonymously posted on the Web. The credentials were compromised in an industry-wide phishing scheme that involved a slew of webmail services, including Hotmail, Gmail, Yahoo, AOL, Comcast, and Earthlink. Bogdan Calin managed to snag the initial list of 10,028 accounts and used it to generate some interesting, though unsurprising, statistics.
Calin noted that although the list began at 10,028 entries, after cleaning it up and removing accounts without passwords, 9,843 remained. Of those valid entries, 8,931 (90%) had unique passwords. The longest spanned 30 characters (lafaroleratropezoooooooooooooo), while the shortest was only a single character: ).
The most common password was "123456", which appeared on the list 64 times. The password "123456789" was listed 18 times, "alejandra" 11 times, "111111" 10 times, and "alberto" was used on 9 of the accounts. In addition to the first names and number sequences, passwords like "iloveyou" and "america" were also shown to be common.
Calin's statistics show the length distribution of passwords, as well as the types of characters most frequently used. The phishing attack and Calin's figures serve as a reminder that using six zeros as a password is both unsafe and unoriginal.
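The same kind of audit can be run by a defender over a credential dump they are responsible for. The sketch below is an added example, not Calin's code: the `account:password` line format, the function names and the sample entries are all constructed assumptions. It performs the cleaning step, then computes distinct passwords, the most common ones, the longest and shortest, the length distribution and the character classes used.

```python
from collections import Counter

# Constructed sample in an assumed "account:password" format; not data from the leaked list.
SAMPLE = """\
user01@example.com:123456
user02@example.com:123456
user03@example.com:
user04@example.com:alejandra
user05@example.com:iloveyou
user06@example.com:Tr0ub4dor&3
user07@example.com:111111
user08@example.com:)
malformed line without separator
user09@example.com:123456789
"""

def charset(pw):
    """Label a password by the character classes it contains."""
    checks = [("lower", str.islower), ("upper", str.isupper), ("digit", str.isdigit),
              ("symbol", lambda c: not c.isalnum())]
    return "+".join(name for name, test in checks if any(test(c) for c in pw))

def audit(text):
    """Clean the list, then summarise password reuse, length and composition."""
    lines = text.splitlines()
    passwords = []
    for line in lines:
        # Split on the first ':' only, so passwords containing ':' stay intact.
        _account, sep, pw = line.partition(":")
        if sep and pw:  # cleaning step: skip malformed lines and empty passwords
            passwords.append(pw)
    counts = Counter(passwords)
    return {
        "raw": len(lines),
        "valid": len(passwords),
        "distinct": len(counts),
        "top": counts.most_common(3),
        "longest": max(passwords, key=len),
        "shortest": min(passwords, key=len),
        "lengths": dict(sorted(Counter(map(len, passwords)).items())),
        "charsets": dict(Counter(map(charset, passwords))),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key:>9}: {value}")
```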