Study Analyzes Passwords Used in Opportunistic, Criminal Attacks

Security firm Rapid7 has conducted a year-long study to find out which are the usernames and passwords most commonly used by malicious actors in criminal and opportunistic attacks.

A recent analysis of credentials leaked over the course of 2015 showed that the most common passwords set by regular users are still “123456” and “password.” Rapid7 wanted to conduct a different type of password study, so it used Heisenberg, its network of low-interaction honeypots, to determine which passwords attackers most commonly try against high-value, Internet-exposed systems. Because the honeypots accept the authentication attempt and record the submitted credentials without granting access, the data set reflects what attackers guess, not what victims set.

The research focused specifically on attacks aimed at the Remote Desktop Protocol (RDP, normally exposed on TCP port 3389), which is often used to remotely control home, office, point-of-sale (PoS), and kiosk systems.

Between March 2015 and February 2016, Rapid7 recorded a total of more than 221,000 login attempts against its honeypots, originating from 119 different countries. The largest share of the attempts (40 percent) came from China, which is not surprising considering that the country accounts for nearly 20 percent of the world’s Internet users. The United States accounted for 25 percent of attempts, followed by South Korea (6 percent), the Netherlands (5 percent) and Vietnam (3 percent). Note that these figures reflect the source addresses of the scanning hosts, which may be compromised machines or proxies rather than the attackers’ own systems.

The most common usernames tried by attackers were “administrator” and “Administrator,” which together accounted for nearly 60 percent of all attempts. Rapid7 counted the two spellings separately, but Windows account names are not case-sensitive, so both target the same built-in Administrator account. The list of common usernames also included “user1,” “admin,” “alex,” “pos,” “demo,” “db2admin,” “Admin” and “sql.”

As for passwords, the most common were “x,” “Zz” and “St@rt123.”


“Attackers do not merely pick random strings as passwords (or usernames). Such brute force attacks are process intensive, time consuming, and tend to have very poor performance from the attacker’s point of view. Instead, attackers in our data set were clearly conducting dictionary attacks; i.e. they were using chosen usernames and passwords that have an assumed high likelihood of success when applied to a target system,” Rapid7 said in its report.
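The distinction Rapid7 draws above, pre-chosen credentials cycled across many hosts versus random strings, is also what a defender can key on when triaging RDP authentication failures. The following is an added example, not Rapid7’s code or anything from the Heisenberg project: it parses a constructed, made-up honeypot log format, tallies the most-tried usernames and passwords the way the study does, and profiles each source address as “dictionary” (many repeated guesses, or guesses drawn from the watch-list of top attacker credentials reported in this article) or “brute-force” (almost every guess unique). The log line format, the threshold values and the sample addresses (RFC 5737 test ranges) are assumptions for illustration.

```python
"""Profile RDP credential-guessing sources from a constructed honeypot log (added example)."""
import re
from collections import Counter, defaultdict

# Usernames and passwords the article reports as the most frequent in Rapid7's
# Heisenberg RDP data, used here as a watch-list. Usernames are compared
# case-insensitively because Windows account names are not case-sensitive
# ("administrator" and "Administrator" hit the same account).
WATCH_USERNAMES = {"administrator", "user1", "admin", "alex", "pos", "demo", "db2admin", "sql"}
WATCH_PASSWORDS = {"x", "Zz", "St@rt123"}

# Assumed log format (constructed for this example, not Heisenberg's):
# "<timestamp> <source-ip> rdp-login user=<name> pass=<guess>", one attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"rdp-login\s+user=(?P<user>\S*)\s+pass=(?P<pw>\S*)$"
)

# Constructed sample: 198.51.100.7 cycles a tiny dictionary across several accounts,
# 203.0.113.9 sprays unique random-looking strings, 192.0.2.5 makes a single attempt.
SAMPLE_LOG = """\
2016-02-01T10:00:01Z 198.51.100.7 rdp-login user=administrator pass=x
2016-02-01T10:00:02Z 198.51.100.7 rdp-login user=Administrator pass=Zz
2016-02-01T10:00:03Z 198.51.100.7 rdp-login user=administrator pass=St@rt123
2016-02-01T10:00:04Z 198.51.100.7 rdp-login user=pos pass=x
2016-02-01T10:00:05Z 198.51.100.7 rdp-login user=admin pass=St@rt123
2016-02-01T10:00:06Z 198.51.100.7 rdp-login user=db2admin pass=Zz
2016-02-01T10:01:01Z 203.0.113.9 rdp-login user=administrator pass=q7Gh2kLp9s
2016-02-01T10:01:02Z 203.0.113.9 rdp-login user=administrator pass=Xc4vB1nM0z
2016-02-01T10:01:03Z 203.0.113.9 rdp-login user=administrator pass=Rt5yU8iO2p
2016-02-01T10:01:04Z 203.0.113.9 rdp-login user=administrator pass=Lk9jH3gF6d
2016-02-01T10:01:05Z 203.0.113.9 rdp-login user=administrator pass=Wq1eR4tY7u
2016-02-01T10:02:00Z 192.0.2.5 rdp-login user=alex pass=alex
this line is not a login record and must be skipped
"""


def parse_attempts(text):
    """Return one dict (ts, src, user, pw) per well-formed line; malformed lines are skipped."""
    attempts = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            attempts.append(match.groupdict())
    return attempts


def top_credentials(attempts, n=3):
    """Most-tried usernames (case-folded, see note above) and passwords, with counts."""
    users = Counter(a["user"].lower() for a in attempts)
    passwords = Counter(a["pw"] for a in attempts)
    return users.most_common(n), passwords.most_common(n)


def profile_sources(attempts, min_attempts=5):
    """Per source IP: attempt count, share of distinct passwords, watch-list hit rate, verdict.

    Heuristic (assumed thresholds): a source that reuses guesses (distinct ratio <= 0.5)
    or draws at least half its guesses from the watch-list is running a dictionary
    attack; a source whose guesses are nearly all unique looks like random brute force.
    """
    by_src = defaultdict(list)
    for attempt in attempts:
        by_src[attempt["src"]].append(attempt)

    profiles = {}
    for src, rows in by_src.items():
        n = len(rows)
        guesses = [r["pw"] for r in rows]
        distinct_ratio = len(set(guesses)) / n
        pw_watch_rate = sum(1 for g in guesses if g in WATCH_PASSWORDS) / n
        user_watch_rate = sum(1 for r in rows if r["user"].lower() in WATCH_USERNAMES) / n
        if n < min_attempts:
            verdict = "below-threshold"
        elif pw_watch_rate >= 0.5 or distinct_ratio <= 0.5:
            verdict = "dictionary"
        else:
            verdict = "brute-force"
        profiles[src] = {
            "attempts": n,
            "distinct_pw_ratio": round(distinct_ratio, 2),
            "pw_watch_rate": round(pw_watch_rate, 2),
            "user_watch_rate": round(user_watch_rate, 2),
            "verdict": verdict,
        }
    return profiles


if __name__ == "__main__":
    records = parse_attempts(SAMPLE_LOG)
    users, passwords = top_credentials(records)
    print("top usernames:", users)
    print("top passwords:", passwords)
    for src, profile in profile_sources(records).items():
        print(src, profile)
```

The watch-list match is the high-fidelity signal here: a guess of “St@rt123” against a production RDP endpoint is almost never a legitimate user, so it can raise an alert on a single event, while the per-source ratios need a minimum volume before they mean anything. On a real Windows host the same logic would be fed from Security event 4625 (logon type 10 for RDP), which records the username and source address but not the password guessed.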

Using zxcvbn, Dropbox’s open source password strength estimator, which scores a password from zero to four (four being the strongest) based on dictionary matches, patterns and length rather than character-class rules alone, Rapid7 determined that less than 9 percent of the passwords tried against the Heisenberg honeypots earned the highest score, and only 14.3 percent scored “3.” In other words, more than three quarters of the guesses were passwords zxcvbn rates as weak or very weak.


“Truly, the surprising detail to be uncovered here is just how weak these passwords are. One or two characters, easily guessed strings, and a strange appearance of a series of dots. Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security,” the researchers noted.

Additional details are available in Rapid7’s report, titled “The Attacker’s Dictionary: Auditing Criminal Credential Attacks.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
