Tech – for Everyone

Tech Tips and Tricks & Advice – written in plain English.

Phishing Lessons, Hotmail Style

If you watch the news, read the papers, and/or peruse tech Web sites, you will be aware of a recent “news item” that thousands of people’s Hotmail login credentials had been stolen in a “phishing scam” and posted on the Internet. Just shy of 10,000 of them…

You may also be aware that Hotmail was not the only target of this scam (see Yahoo, Gmail passwords also phished in far-reaching scam).

But you might not be aware of the analysis that security researchers have done in the aftermath of this “incident”, and some of the conclusions they have come to. That is what I found interested, and followed up on.

Lesson 1:
The research found that the most common password used was “123456”.

All I can say is, I am not surprised. What I really want to say is not fit to print.

The next most popular user password was, “123456789”.

People — this is not good. Passwords are the primary means to prevent unauthorized access. Put a simpler way, a password keeps Joe Criminal from reading your e-mail (and sending a letter to your boss telling said boss to go fly a kite).. or transferring your saving account balance into his.

123456 is the world’s worst password (“password” is no good either), and if you did not know that, please read A Word About Words — Passwords, That Is and find out what you need to know about passwords. Pretty please with sugar on top?

Copyright 2007-9 © Tech Paul. All rights reserved.jaanix post to jaanix

Share this post :

October 15, 2009 - Posted by | advice, computers, cyber crime, e-mail, hackers, Internet, Internet scam, News, Phishing | , , , , ,


  1. Use both lower case and UPPER case, along with a number and a symbol on your number bar by using shift to get things like $%^&*() and the such. Don’t keep your passwords in a text file. If you must put them in a master list but encrypted. Also, don’t post stickynotes on the side of your computer screen, this is how a lot of company fraud happens through compromised accounts.


    Comment by Kloplop321 | October 15, 2009 | Reply

    • Kloplop321,
      All good points. Thank you.


      Comment by techpaul | October 15, 2009 | Reply

  2. I hate the phishing emails they seem to get more determined by the day I get two or three on a daily basis and submit them to phishtrackers a web site I recently found which allows you to report them anonymously.


    Comment by Selma Sublett | May 19, 2010 | Reply

  3. Selma,
    I prefer to simply delete them, as the mere act of opening them often will ‘validate’ your email address, and you will get more.

    Consider these two facts: your ISP manages to block 90 – 95% of spam/phishing before it gets to you (so your 2 or 3 is actually 180+/day.
    90% (or more) of the ‘packets’ traveling the Internet at any given moment is spam. Think of all the electricity used to move those 1’s and 0’s.. and 90%+ of it is garbage.

    Maybe it’s time we humans did something about cybercrime? (Are you listening, Cyber Czar?)


    Comment by techpaul | May 19, 2010 | Reply

  4. If i am not mistaken, you can also use spaces as a character’s in certain instances


    Comment by Gus | September 29, 2016 | Reply

    • Gus,
      I was rather surprised to see a new comment on an article this old…

      What is allowed is (generally speaking) entirely up to the website administrator. Also generally speaking, a ‘space’ is not recognized/allowed.


      Comment by techpaul | September 29, 2016 | Reply

  5. dont know how i ended up on an old article myself but that seems to be happening to me more times than not as of late. Anyway, i do know that a ‘space’ IS allowed for a login password and has been quite helpful, ie., a simple phrase, name/lyric to a song, a quote or part of one, ie., “do or do not”; (w/o””,) your reminder word would be “Yoda”. You CAN do this for a login passwords.


    Comment by Gus | September 30, 2016 | Reply

    • Gus,
      Passphrases are much stronger than “words”; and where the admin allows spaces, that’s great. Where the admin does not, one could make a practice of substituting underscores or hyphens (if allowed) so it becomes “do_or_do_not”. And if hyphens/underscores are not allowed, just “doordonot”.

      Any of those would be 100 times better than “12345678”.

      I would further suggest, since those are ‘dictionary words’, swapping a zero (0) for the oh (o) — “d00rd0n0t” would be much stronger against a “brute force” (“guessing”) attack.


      Comment by techpaul | October 1, 2016 | Reply

Post your Comment/Question

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: