SecurityWeek

Identity & Access

Study Analyzes Passwords Used in Opportunistic, Criminal Attacks

Security firm Rapid7 has conducted a year-long study to find out which are the usernames and passwords most commonly used by malicious actors in criminal and opportunistic attacks.

A recent analysis of credentials leaked over the course of 2015 showed that the most common passwords set by regular users are still “123456” and “password.” Rapid7 wanted to conduct a different type of password study, so it used Heisenberg, a network of low-interaction honeypots, to determine which passwords attackers most commonly try against high-value, Internet-exposed systems.

The research has focused specifically on attacks aimed at the Remote Desktop Protocol (RDP), which is often used to remotely control home, office, point-of-sale (PoS), and kiosk systems.

Between March 2015 and February 2016, Rapid7 recorded a total of more than 221,000 attempts from 119 different countries to log in to its honeypots. The largest share of the attempts (40 percent) came from China, which is not surprising considering that the country accounts for nearly 20 percent of the world’s Internet users. The United States accounted for 25 percent of attempts, followed by South Korea (6 percent), the Netherlands (5 percent) and Vietnam (3 percent).

The most common usernames tried out by attackers during their operations were “administrator” and “Administrator,” which accounted for nearly 60 percent of all attempts. The list of common usernames also included “user1,” “admin,” “alex,” “pos,” “demo,” “db2admin,” “Admin” and “sql.”

As for passwords, the most common were “x,” “Zz” and “[email protected].”

(Image: Rapid7 password research)

“Attackers do not merely pick random strings as passwords (or usernames). Such brute force attacks are process intensive, time consuming, and tend to have very poor performance from the attacker’s point of view. Instead, attackers in our data set were clearly conducting dictionary attacks; i.e. they were using chosen usernames and passwords that have an assumed high likelihood of success when applied to a target system,” Rapid7 said in its report.

Using Dropbox’s zxcvbn password strength estimator, which scores passwords on a scale from zero to four (four being the strongest), Rapid7 determined that less than 9 percent of the passwords used to log in to Heisenberg honeypots got the highest score, and only 14.3 percent scored “3.”

“Truly, the surprising detail to be uncovered here is just how weak these passwords are. One or two characters, easily guessed strings, and a strange appearance of a series of dots. Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security,” experts noted.
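The tallies above (top usernames and passwords, share per source country), the dictionary-versus-random distinction Rapid7 draws, and the closing point that attackers try default and common credentials can all be reproduced over honeypot logs with stdlib Python. The block below is an added example written for this article, not Rapid7 or Heisenberg code; the log line format, the sample lines, the `random_len` threshold used to separate dictionary from random guessing, and the local account inventory passed to `exposed_accounts` are all constructed for illustration.

```python
"""Tally and classify RDP credential-guessing attempts from honeypot logs.

Added example for this article, not Rapid7's or Heisenberg's code. The
log line format, the sample lines and the classification thresholds are
assumptions constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Assumed log format (constructed): one line per login attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) cc=(?P<cc>[A-Z]{2}) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)

# Constructed sample log, loosely modelled on the article's findings.
SAMPLE_LOG = """\
2015-07-14T02:13:45Z src=203.0.113.5 cc=CN user=administrator pass=x
2015-07-14T02:13:46Z src=203.0.113.5 cc=CN user=administrator pass=Zz
2015-07-14T02:13:47Z src=203.0.113.5 cc=CN user=Administrator pass=x
2015-07-14T02:13:48Z src=203.0.113.5 cc=CN user=Administrator pass=admin
2015-07-14T02:13:49Z src=203.0.113.5 cc=CN user=pos pass=pos
2015-07-14T02:13:50Z src=203.0.113.5 cc=CN user=sql pass=sql
2015-07-14T03:01:02Z src=198.51.100.7 cc=US user=administrator pass=x
2015-07-14T03:01:03Z src=198.51.100.7 cc=US user=administrator pass=Zz
2015-07-14T03:01:04Z src=198.51.100.7 cc=US user=db2admin pass=db2admin
2015-07-14T04:00:00Z src=192.0.2.9 cc=KR user=alex pass=q7Gx2PzLm4Wv
2015-07-14T04:00:01Z src=192.0.2.9 cc=KR user=alex pass=Hd8kQe1zTbNc
2015-07-14T04:00:02Z src=192.0.2.9 cc=KR user=alex pass=Yw3uRp9sJfLo
2015-07-14T04:00:03Z src=192.0.2.9 cc=KR user=alex pass=Vb5tNm2xKqPd
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(attempts):
    """Count usernames, passwords and source countries; shares are percentages."""
    attempts = list(attempts)
    n = len(attempts)
    users = Counter(a["user"] for a in attempts)
    pws = Counter(a["pw"] for a in attempts)
    ccs = Counter(a["cc"] for a in attempts)
    # Windows account names are case-insensitive, so fold both spellings.
    admin_like = sum(c for u, c in users.items() if u.lower() == "administrator")
    return {
        "total": n,
        "top_users": users.most_common(5),
        "top_passwords": pws.most_common(5),
        "country_share": {cc: round(100.0 * c / n, 1) for cc, c in ccs.items()},
        "administrator_share": round(100.0 * admin_like / n, 1),
    }


def classify_sources(attempts, random_len=12):
    """Label each source IP 'dictionary' or 'random' from the passwords it tried.

    Heuristic (an assumption, not from the report): a dictionary attacker
    reuses short, human-chosen strings; a random brute-forcer sends long,
    never-repeated strings.
    """
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a["src"]].append(a["pw"])
    verdict = {}
    for src, pws in by_src.items():
        short = sum(1 for p in pws if len(p) < random_len)
        repeated = len(pws) - len(set(pws))
        verdict[src] = "dictionary" if short > len(pws) / 2 or repeated else "random"
    return verdict


def exposed_accounts(local_creds, attempts):
    """Return local (user, password) pairs that appear verbatim in the attempts."""
    tried = {(a["user"].lower(), a["pw"]) for a in attempts}
    return sorted(p for p in local_creds if (p[0].lower(), p[1]) in tried)


if __name__ == "__main__":
    attempts = list(parse(SAMPLE_LOG))
    summary = summarize(attempts)
    print("attempts:", summary["total"], "administrator share:", summary["administrator_share"], "%")
    print("top usernames:", summary["top_users"])
    print("top passwords:", summary["top_passwords"])
    print("per-source verdict:", classify_sources(attempts))
    # Constructed local inventory: the audit finds pairs attackers already try.
    inventory = [("Administrator", "x"), ("pos", "pos"), ("alex", "Long-Rand0m-Passphrase")]
    print("exposed:", exposed_accounts(inventory, attempts))
```

The `exposed_accounts` check is the practical use of an attacker's dictionary: feed it the credentials configured on your own RDP-exposed hosts and any hit is an account that a scanner will open on its first pass. Usernames are compared case-insensitively because Windows logon treats “administrator” and “Administrator” as the same account; passwords are compared exactly.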

Additional details are available in Rapid7’s report, titled “The Attacker’s Dictionary: Auditing Criminal Credential Attacks.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
