Connect with us

Hi, what are you looking for?


Network Security

Password Report: Honeypot Data Shows Bot Attack Trends Against RDP, SSH

An analysis of data collected by Rapid7’s RDP and SSH honeypots between September 10, 2021, and September 9, 2022, found tens of millions of connection attempts. The honeypots captured 215,894 unique IP source addresses and 512,002 unique passwords across RDP and SSH honeypots. Almost all the passwords (99.997%) can be found in rockyou2021.txt.

An analysis of data collected by Rapid7’s RDP and SSH honeypots between September 10, 2021, and September 9, 2022, found tens of millions of connection attempts. The honeypots captured 215,894 unique IP source addresses and 512,002 unique passwords across RDP and SSH honeypots. Almost all the passwords (99.997%) can be found in rockyou2021.txt.

In 2009, Rockyou was hacked. The attackers found and stole 32 million cleartext user accounts. A subsequently exposed list of 14,341,564 passwords became the original rockyou.txt widely used in dictionary attacks and included with Kali Linux to aid penetration testing.

Over the following years additional password lists have been added to the original, culminating in the rockyou2021.txt collection now comprising about 8.4 billion passwords in a 92 GB text file. This is freely available on GitHub.

“We use the rockyou set as a source of passwords that attackers can trivially generate and try, to see if there is some evolution beyond the use of a password list,” explains Rapid7 in its Good Passwords for Bad Bots report (PDF).

That 99.99% of the passwords used to attack the Rapid7 honeypots can be found in this password list is probably an understatement. Only 14 of the 497,848 passwords used in the SSH attacks are not included in rockyou2021 – and each one of these include the IP address of the attacked honeypot. Rapid7 suggests this may be a programming error in the scanner being used by the attacker.

Only one password among those used to attack the RDP honeypots is not included in rockyou2021. This is ‘AuToLoG2019.09.25’, which was the thirteenth most used password. This is a little puzzling, but the report notes there are malware samples containing the ‘AuToLoG’ string. “The samples are classified as generic trojans by most antivirus vendors but appear to have RDP credentials hardcoded into them,” comments the report.

Apart from the SSH ‘errors’ and the single AuToLog RDP password, every other password used in the honeypot attacks can be found in rockyou2021. Honeypot attacks are, by their nature, automated opportunistic bot attacks. 

Advertisement. Scroll to continue reading.

Rapid7’s analysis of the passwords used shows a heavy preference for the standard known commonly used passwords. The top five RDP password attempts were ‘ ‘ (the empty string), ‘123’, ‘password’, ‘123qwe’, and ‘admin’. The top five SSH password attempts were ‘123456’, ‘nproc’, ‘test’, ‘qwerty’, and ‘password’. These and every other password could have been sourced from rockyou2021.

But rockyou2021 is effectively just a massive word list. It does not include random, mixed ASCII and special character strings. While it includes something like 8.4 billion strings, a complete list of all possible ASCII seven-character strings would comprise around 70 trillion possibilities (95^7). This would rise dramatically with any increase in the password length.

The overriding conclusion from Rapid7’s analysis is that the use of long, strong random strings such as those generated by password managers and not likely to be included in ‘dictionaries’ would provide a very strong defense against opportunistic bot-driven automated attacks.

Tod Beardsley, Rapid 7’s director of research, points out that these automated attacks are low-cost, but not no-cost. “The concentration on lame and default passwords demonstrates that there are still enough in common use to make the attacks worthwhile for the attackers,” he told SecurityWeek. This in turn indicates that password managers are not yet the default method of generating and storing passwords.

The problem with password managers is that they are not easy or necessarily intuitive to use. “The UX is poor, and they tend to be a bit clunky – and the additional friction stops people using them,” said Beardsley. “We’re failing to educate people on the use of password managers to generate and store a long, strong random password.”

But he added, length is even more important than complexity. “Password length is the name of the game when it comes to having good passwords.” He even noted that in the age of remote working, the idea of the long-derided ‘password notebook’ kept securely at home becomes a realistic option.

But the primary takeaway from this Rapid7 research is that if companies and people can condition themselves to generate passwords of sufficient length (Beardsley uses 14 characters) containing a few special characters, there is a strong likelihood that the current generation of automated opportunistic attacks against RDP and SSH will be defeated.

This doesn’t apply to individual targeted attacks. That’s a different story.

Related: Thousands of Unprotected RDP Servers Can Be Abused for DDoS Attacks

Related: Millions of Endpoints Exposed via RDP: Report

Related: SMA Technologies Fixes Critical Security Flaw in Workload Automation Solution

Related: Flaw in Password Managers Allowed Apps to Steal Credentials

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...