An analysis of data collected by Rapid7’s RDP and SSH honeypots between September 10, 2021, and September 9, 2022, found tens of millions of connection attempts. Across both protocols the honeypots captured 215,894 unique source IP addresses and 512,002 unique passwords. Almost all the passwords (99.997%) can be found in rockyou2021.txt.
In 2009, Rockyou was hacked. The attackers found and stole 32 million cleartext user accounts. A subsequently exposed list of 14,341,564 passwords became the original rockyou.txt widely used in dictionary attacks and included with Kali Linux to aid penetration testing.
Over the following years additional password lists have been added to the original, culminating in the rockyou2021.txt collection now comprising about 8.4 billion passwords in a 92 GB text file. This is freely available on GitHub.
“We use the rockyou set as a source of passwords that attackers can trivially generate and try, to see if there is some evolution beyond the use of a password list,” explains Rapid7 in its Good Passwords for Bad Bots report (PDF).
That 99.99% of the passwords used to attack the Rapid7 honeypots can be found in this password list is probably an understatement. Only 14 of the 497,848 passwords used in the SSH attacks are not included in rockyou2021 – and each of these includes the IP address of the attacked honeypot. Rapid7 suggests this may be a programming error in the scanner being used by the attacker.
Only one password among those used to attack the RDP honeypots is not included in rockyou2021. This is ‘AuToLoG2019.09.25’, which was the thirteenth most used password. This is a little puzzling, but the report notes there are malware samples containing the ‘AuToLoG’ string. “The samples are classified as generic trojans by most antivirus vendors but appear to have RDP credentials hardcoded into them,” comments the report.
Apart from the SSH ‘errors’ and the single AuToLog RDP password, every other password used in the honeypot attacks can be found in rockyou2021. Honeypot attacks are, by their nature, automated opportunistic bot attacks.
Rapid7’s analysis of the passwords used shows a heavy preference for the standard, commonly used passwords. The top five RDP password attempts were ‘ ‘ (the empty string), ‘123’, ‘password’, ‘123qwe’, and ‘admin’. The top five SSH password attempts were ‘123456’, ‘nproc’, ‘test’, ‘qwerty’, and ‘password’. These and every other password could have been sourced from rockyou2021.
But rockyou2021 is effectively just a massive word list. It does not include random, mixed ASCII and special-character strings. While it includes something like 8.4 billion strings, a complete list of all possible seven-character strings drawn from the 95 printable ASCII characters would comprise around 70 trillion possibilities (95^7). This would rise dramatically with any increase in the password length.
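The two comparisons above (the per-service breakdown of attempted passwords against a wordlist, and the size of that wordlist against the full keyspace) can be reproduced on a small scale. The following is an added example, not Rapid7’s analysis code: the login attempts, the honeypot address (a documentation-range placeholder) and the tiny stand-in for rockyou2021.txt are all constructed, and the function names are the author’s own.

```python
"""Honeypot credential-attempt analysis: top passwords per service, wordlist
coverage, the 'password embeds the target IP' anomaly, and keyspace sizing.
Added example; the data below is constructed, not honeypot output."""
from collections import Counter

# Constructed: the honeypot's own address (RFC 5737 documentation range).
HONEYPOT_IP = "203.0.113.10"

# Constructed login attempts as (service, source_ip, password).
ATTEMPTS = [
    ("ssh", "198.51.100.7", "123456"),
    ("ssh", "198.51.100.7", "password"),
    ("ssh", "198.51.100.9", "123456"),
    ("ssh", "198.51.100.9", "nproc"),
    ("ssh", "198.51.100.9", "qwerty"),
    ("ssh", "198.51.100.12", "test"),
    ("ssh", "198.51.100.12", "123456"),
    ("ssh", "198.51.100.12", "admin@" + HONEYPOT_IP),  # scanner bug: target IP in password
    ("rdp", "192.0.2.33", ""),                         # empty string, top RDP attempt
    ("rdp", "192.0.2.33", "123"),
    ("rdp", "192.0.2.34", "password"),
    ("rdp", "192.0.2.34", "123qwe"),
    ("rdp", "192.0.2.35", "admin"),
    ("rdp", "192.0.2.35", ""),
    ("rdp", "192.0.2.35", "AuToLoG2019.09.25"),        # hardcoded value absent from list
]

# Constructed stand-in for rockyou2021.txt (the real file is about 92 GB).
WORDLIST = {"", "123", "123456", "password", "123qwe", "admin",
            "nproc", "test", "qwerty"}


def summarize(attempts, service, wordlist, top_n=5):
    """Per-service breakdown: (unique source IPs, unique passwords,
    top-N passwords by attempt count, passwords not in the wordlist)."""
    rows = [(ip, pw) for svc, ip, pw in attempts if svc == service]
    ips = {ip for ip, _ in rows}
    counts = Counter(pw for _, pw in rows)
    missing = sorted(pw for pw in counts if pw not in wordlist)
    top = [pw for pw, _ in counts.most_common(top_n)]
    return len(ips), len(counts), top, missing


def wordlist_coverage(attempts, wordlist):
    """Fraction of distinct attempted passwords that appear in the wordlist."""
    uniq = {pw for _, _, pw in attempts}
    hits = sum(1 for pw in uniq if pw in wordlist)
    return hits / len(uniq)


def contains_target_ip(password, honeypot_ip):
    """Flag the SSH anomaly: a password that embeds the attacked host's address."""
    return honeypot_ip in password


def keyspace(length, alphabet_size=95):
    """Count of strings of exactly `length` characters over printable ASCII."""
    return alphabet_size ** length


def wordlist_fraction_of_keyspace(length, wordlist_size=8_400_000_000):
    """Upper bound on how much of the full keyspace a wordlist of this size covers."""
    return wordlist_size / keyspace(length)


if __name__ == "__main__":
    for svc in ("rdp", "ssh"):
        print(svc, summarize(ATTEMPTS, svc, WORDLIST))
    print("coverage:", wordlist_coverage(ATTEMPTS, WORDLIST))
    for n in (7, 8, 10, 14):
        print(n, keyspace(n), wordlist_fraction_of_keyspace(n))
```

The per-service summary is the shape of the report’s numbers (unique sources, unique passwords, top five, and the handful of passwords the wordlist does not explain); the keyspace functions make the point of the paragraph above concrete by showing how quickly a fixed-size wordlist becomes a vanishing fraction of what exists as the length grows.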
The overriding conclusion from Rapid7’s analysis is that the use of long, strong random strings such as those generated by password managers and not likely to be included in ‘dictionaries’ would provide a very strong defense against opportunistic bot-driven automated attacks.
Tod Beardsley, Rapid7’s director of research, points out that these automated attacks are low-cost, but not no-cost. “The concentration on lame and default passwords demonstrates that there are still enough in common use to make the attacks worthwhile for the attackers,” he told SecurityWeek. This in turn indicates that password managers are not yet the default method of generating and storing passwords.
The problem with password managers is that they are not easy or necessarily intuitive to use. “The UX is poor, and they tend to be a bit clunky – and the additional friction stops people using them,” said Beardsley. “We’re failing to educate people on the use of password managers to generate and store a long, strong random password.”
But, he added, length is even more important than complexity. “Password length is the name of the game when it comes to having good passwords.” He even noted that in the age of remote working, the idea of the long-derided ‘password notebook’ kept securely at home becomes a realistic option.
But the primary takeaway from this Rapid7 research is that if companies and people can condition themselves to generate passwords of sufficient length (Beardsley uses 14 characters) containing a few special characters, there is a strong likelihood that the current generation of automated opportunistic attacks against RDP and SSH will be defeated.
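A defender who wants to enforce that takeaway needs two checks on a candidate password: the length and special-character rule, and ‘not present in the wordlist the bots are drawing from’. The second check cannot load a 92 GB file into memory, so it has to stream. The following is an added example written for this article, not Rapid7’s code or tooling: the 14-character minimum is the figure Beardsley cites, the requirement of at least two special characters is this example’s assumption for “a few”, and the wordlist it checks against is a small constructed temporary file standing in for rockyou2021.txt.

```python
"""Password acceptance check: minimum length, a few special characters, and
absence from a known wordlist, with the wordlist streamed line by line so
memory use stays flat however large the file is. Added example."""
import os
import tempfile

MIN_LENGTH = 14        # length cited in the article
MIN_SPECIALS = 2       # assumption for "a few special characters"
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~")

REASON_SHORT = "shorter than %d characters" % MIN_LENGTH
REASON_SPECIALS = "fewer than %d special characters" % MIN_SPECIALS
REASON_WORDLIST = "present in known wordlist"


def count_specials(password):
    """Number of characters from SPECIALS in the password."""
    return sum(1 for c in password if c in SPECIALS)


def found_in_wordlist(candidates, path, encoding="latin-1"):
    """Stream the wordlist once and return the subset of `candidates` found.
    latin-1 decoding never fails, which matters for lists containing raw bytes."""
    pending = set(candidates)
    found = set()
    with open(path, "r", encoding=encoding, newline="") as fh:
        for line in fh:
            word = line.rstrip("\r\n")
            if word in pending:
                found.add(word)
                pending.discard(word)
                if not pending:      # stop early once every candidate is resolved
                    break
    return found


def evaluate(password, wordlist_path):
    """Return the list of reasons the password is rejected; empty means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    if count_specials(password) < MIN_SPECIALS:
        reasons.append(REASON_SPECIALS)
    if found_in_wordlist({password}, wordlist_path):
        reasons.append(REASON_WORDLIST)
    return reasons


def write_sample_wordlist():
    """Write a constructed stand-in for rockyou2021.txt and return its path."""
    words = ["123456", "password", "123qwe", "admin", "nproc", "test",
             "qwerty", "Tr0ub4dor&3", "AuToLoG2019.09.25", "letmein!!2024-x"]
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", encoding="latin-1") as fh:
        fh.write("\n".join(words) + "\n")
    return path


if __name__ == "__main__":
    path = write_sample_wordlist()
    for pw in ("password", "Tr0ub4dor&3", "letmein!!2024-x", "plum-orbit-7-lantern!"):
        print(repr(pw), evaluate(pw, path) or "accepted")
    os.remove(path)
```

Rejection reasons are returned as a list rather than a single boolean so a policy can report every failing rule at once; the wordlist pass is done last because it is the only check that costs I/O.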
This doesn’t apply to individual targeted attacks. That’s a different story.