Security Experts:

Study Analyzes Passwords Used in Opportunistic, Criminal Attacks

Security firm Rapid7 has conducted a year-long study to find out which are the usernames and passwords most commonly used by malicious actors in criminal and opportunistic attacks.

A recent analysis of credentials leaked over the course of 2015 showed that the most common passwords set by regular users are still “123456” and “password.” Rapid7 wanted to conduct a different type of password study so it has used Heisenberg, a network of low-interaction honeypots, to determine which are the most common passwords leveraged in attacks aimed at high-value, Internet-exposed systems.

The research has focused specifically on attacks aimed at the Remote Desktop Protocol (RDP), which is often used to remotely control home, office, point-of-sale (PoS), and kiosk systems.

Between March 2015 and February 2016, Rapid7 recorded a total of more than 221,000 attempts from 119 different countries to log in to its honeypots. A majority of the attempts (40 percent) came from China, which is not surprising considering that the country accounts for nearly 20 percent of the world’s Internet users. The United States accounted for 25 percent of attempts, followed by South Korea (6 percent), the Netherlands (5%) and Vietnam (3 percent).

The most common usernames tried out by attackers during their operations were “administrator” and “Administrator,” which accounted for nearly 60 percent of all attempts. The list of common usernames also included “user1,” “admin,” “alex,” “pos,” “demo,” “db2admin,” “Admin” and “sql.”

As for passwords, the most common were “x,” “Zz” and “[email protected]

Rapid7 password research

“Attackers do not merely pick random strings as passwords (or usernames). Such brute force attacks are process intensive, time consuming, and tend to have very poor performance from the attacker’s point of view. Instead, attackers in our data set were clearly conducting dictionary attacks; i.e. they were using chosen usernames and passwords that have an assumed high likelihood of success when applied to a target system,” Rapid7 said in its report.

Using Dropbox’s Zxcvbn application for measuring password complexity on a scale from zero to four (four being the most complex), Rapid7 has determined that less than 9 percent of the passwords used to log in to Heisenberg honeypots got the highest score, and only 14.3 percent scored “3.”

“Truly, the surprising detail to be uncovered here is just how weak these passwords are. One or two characters, easily guessed strings, and a strange appearance of a series of dots. Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security,” experts noted.

Additional details are available in Rapid7’s report, titled “The Attacker’s Dictionary: Auditing Criminal Credential Attacks.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.