Which are the usernames and passwords used by hackers when they scan the internet indiscriminately? Give a look to the Rapid7′ report
Recently the firm Splashdata revealed in its annual report on the worst 2015 passwords (“123456” and “password”), today I desire to present you a new interesting study on passwords conducted by Rapid7.
The experts used Heisenberg, a network of low-interaction honeypots that took note of the most common passwords used the hackers in targeting Internet-exposed systems.
The research conducted by Rapid7 has focused on the brute force attacks that tried to guess Remote Desktop Protocol (RDP) credentials for control home, point-of-sale (PoS), and kiosk systems.
“Attackers do not merely pick random strings as passwords (or usernames). Such brute force attacks are process intensive, time consuming, and tend to have very poor performance from the attacker’s point of view. Instead, attackers in our data set were clearly conducting dictionary attacks; i.e. they were using chosen usernames and passwords that have an assumed high likelihood of success when applied to a target system. ” states the report published by Rapid7.
The experts analyzed more than 221,000 attacks from 119 different countries observed between March 2015 and February 2016. 40 percent of the attacks came from China, followed by the United States with 25 percent of attempts, South Korea with 6 percent, the Netherlands with 5 percent and Vietnam with 3 percent.
The most common usernames attempted by hackerd were “administrator” and “Administrator,” (60%), other usernames are “user1,” “admin,” “alex,” “pos,” “demo,” “db2admin,” “Admin” and “sql.”
The most common passwords “x” (5,36 %), “Zz” (4,79%) and “St@rt123” (3,62%).
“Truly, the surprising detail to be uncovered here is just how weak these passwords are. One or two characters, easily guessed strings, and a strange appearance of a series of dots. Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security.” continues the report.
The experts used Dropbox’s Zxcvbn application for measuring password complexity, determining that less than 9 percent of the passwords used by hackers got the highest score, meanwhile 14.3 percent scored “3.”
“Zxcvbn is hosted on a GitHub repository and was released by Dropbox with a permissive open source license. Rapid7 data scientists and software engineers absolutely love well-cared-for open source projects, so we have adopted zxcvbn as a means to measure the complexity of Heisenberg-collected passwords. By running our collected passwords through zxcvbn, we can approximate “complexity” with zxcvbn’s crackability score.”
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.