Pierluigi Paganini March 04, 2016

Which are the usernames and passwords used by hackers when they scan the internet indiscriminately? Give a look to the Rapid7′ report

Recently the firm Splashdata revealed in its annual report on the worst 2015 passwords (“123456” and “password”), today I desire to present you a new interesting study on passwords conducted by Rapid7.

The experts used Heisenberg, a network of low-interaction honeypots that took note of the most common passwords used the hackers in targeting Internet-exposed systems.

The research conducted by Rapid7 has focused on the brute force attacks that tried to guess Remote Desktop Protocol (RDP) credentials for control home, point-of-sale (PoS), and kiosk systems.

“Attackers do not merely pick random strings as passwords (or usernames). Such brute force attacks are process intensive, time consuming, and tend to have very poor performance from the attacker’s point of view. Instead, attackers in our data set were clearly conducting dictionary attacks; i.e. they were using chosen usernames and passwords that have an assumed high likelihood of success when applied to a target system. ” states the report published by Rapid7.

The experts analyzed more than 221,000 attacks from 119 different countries observed between March 2015 and February 2016. 40 percent of the attacks came from China, followed by the United States with 25 percent of attempts, South Korea with 6 percent, the Netherlands with 5 percent and Vietnam with 3 percent.

The most common usernames attempted by hackerd were “administrator” and “Administrator,” (60%), other usernames are “user1,” “admin,” “alex,” “pos,” “demo,” “db2admin,” “Admin” and “sql.”

The most common passwords “x” (5,36 %), “Zz” (4,79%) and “St@rt123” (3,62%).

“Truly, the surprising detail to be uncovered here is just how weak these passwords are. One or two characters, easily guessed strings, and a strange appearance of a series of dots. Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security.” continues the report.

The experts used Dropbox’s Zxcvbn application for measuring password complexity, determining that less than 9 percent of the passwords used by hackers got the highest score, meanwhile 14.3 percent scored “3.”

“Zxcvbn is hosted on a GitHub repository and was released by Dropbox with a permissive open source license. Rapid7 data scientists and software engineers absolutely love well-cared-for open source projects, so we have adopted zxcvbn as a means to measure the complexity of Heisenberg-collected passwords. By running our collected passwords through zxcvbn, we can approximate “complexity” with zxcvbn’s crackability score.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Worst passwords, cyber crime)