
Study Analyzes Passwords Used in Opportunistic, Criminal Attacks

Security firm Rapid7 has conducted a year-long study to find out which are the usernames and passwords most commonly used by malicious actors in criminal and opportunistic attacks.

A recent analysis of credentials leaked over the course of 2015 showed that the most common passwords set by regular users are still “123456” and “password.” Rapid7 wanted to conduct a different type of password study, so it used Heisenberg, a network of low-interaction honeypots, to determine which passwords are most commonly leveraged in attacks aimed at high-value, Internet-exposed systems.

The research has focused specifically on attacks aimed at the Remote Desktop Protocol (RDP), which is often used to remotely control home, office, point-of-sale (PoS), and kiosk systems.

Between March 2015 and February 2016, Rapid7 recorded a total of more than 221,000 attempts from 119 different countries to log in to its honeypots. A majority of the attempts (40 percent) came from China, which is not surprising considering that the country accounts for nearly 20 percent of the world’s Internet users. The United States accounted for 25 percent of attempts, followed by South Korea (6 percent), the Netherlands (5 percent) and Vietnam (3 percent).

The most common usernames tried out by attackers during their operations were “administrator” and “Administrator,” which accounted for nearly 60 percent of all attempts. The list of common usernames also included “user1,” “admin,” “alex,” “pos,” “demo,” “db2admin,” “Admin” and “sql.”

As for passwords, the most common were “x,” “Zz” and “St@rt123.”

Rapid7 password research

“Attackers do not merely pick random strings as passwords (or usernames). Such brute force attacks are process intensive, time consuming, and tend to have very poor performance from the attacker’s point of view. Instead, attackers in our data set were clearly conducting dictionary attacks; i.e. they were using chosen usernames and passwords that have an assumed high likelihood of success when applied to a target system,” Rapid7 said in its report.
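The dictionary behaviour described above (a small set of usernames with an assumed high likelihood of success, such as “administrator,” “admin,” “pos” and “sql”) is something a defender can look for in their own RDP logon failures. The following is an added example, not code from the article or from Rapid7’s report: it parses a constructed, hypothetical “timestamp source_ip username result” failed-logon format (not the real Windows event log layout) and flags sources whose failures concentrate on the usernames the article lists. The log format, the watch-list and the thresholds are assumptions chosen for illustration.

```python
# Added example (not from the Rapid7 report or the SecurityWeek article):
# flag dictionary-style RDP logon sweeps in a constructed log sample.
# The log format, username watch-list and thresholds are assumptions.
from collections import defaultdict
import re

# Usernames the article reports as the most commonly tried against Heisenberg.
DICTIONARY_USERNAMES = {
    "administrator", "user1", "admin", "alex", "pos", "demo", "db2admin", "sql",
}

# Constructed sample lines in a hypothetical "timestamp source_ip user result"
# format. Addresses are from documentation ranges; nothing here is real data.
SAMPLE_LOG = """\
2016-02-01T10:00:01 203.0.113.7 administrator FAIL
2016-02-01T10:00:02 203.0.113.7 Administrator FAIL
2016-02-01T10:00:03 203.0.113.7 admin FAIL
2016-02-01T10:00:04 203.0.113.7 pos FAIL
2016-02-01T10:00:05 203.0.113.7 sql FAIL
2016-02-01T10:00:06 203.0.113.7 db2admin FAIL
2016-02-01T10:00:30 198.51.100.9 jsmith FAIL
2016-02-01T10:00:45 198.51.100.9 jsmith OK
2016-02-01T10:01:00 192.0.2.55 demo FAIL
2016-02-01T10:01:05 192.0.2.55 demo FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (source_ip, username, succeeded) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user"), m.group("result") == "OK"


def find_dictionary_attackers(text, min_failures=5, min_distinct_users=3):
    """Return {ip: summary} for sources whose failed logons look like a
    dictionary sweep: enough failures, several distinct usernames, and at
    least half of those usernames drawn from the watch-list. Usernames are
    compared case-insensitively because the article notes both
    'administrator' and 'Administrator' among the top entries."""
    failures = defaultdict(list)
    for ip, user, ok in parse_log(text):
        if not ok:
            failures[ip].append(user)

    flagged = {}
    for ip, users in failures.items():
        distinct = {u.lower() for u in users}
        in_dict = distinct & DICTIONARY_USERNAMES
        if (len(users) >= min_failures
                and len(distinct) >= min_distinct_users
                and 2 * len(in_dict) >= len(distinct)):
            flagged[ip] = {
                "failures": len(users),
                "distinct_users": len(distinct),
                "dictionary_hits": sorted(in_dict),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_dictionary_attackers(SAMPLE_LOG).items():
        print(ip, info)
```

In the sample, only 203.0.113.7 is flagged: six failures across five distinct usernames, all of them on the watch-list. The single failure followed by a success from 198.51.100.9 and the two “demo” failures from 192.0.2.55 stay below the default thresholds; lowering those thresholds trades fewer missed sweeps for more noise from ordinary typos, which is the usual tuning decision for this kind of rule.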

Using Dropbox’s zxcvbn password-strength estimator, which scores passwords on a scale from zero to four (four being the strongest), Rapid7 determined that less than 9 percent of the passwords used to log in to Heisenberg honeypots got the highest score, and only 14.3 percent scored “3.”


“Truly, the surprising detail to be uncovered here is just how weak these passwords are. One or two characters, easily guessed strings, and a strange appearance of a series of dots. Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security,” experts noted.

Additional details are available in Rapid7’s report, titled “The Attacker’s Dictionary: Auditing Criminal Credential Attacks.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
