Attackers aren't as clever as you think when it comes to finding passwords
Although we've been told for years that their days are numbered, passwords are still a major part of our security defenses.
New research from Rapid7 looks at two of the most popular protocols used for remote administration, SSH and RDP, to get a sense of how attackers are taking advantage of weaker password management to gain access to systems.
The research used a network of honeypots (a few hundred of them) to monitor SSH and RDP login attempts. Looking only at authentication attempts (as opposed to vulnerability exploit attempts, low-touch scans, and the like), the researchers found 512,002 unique passwords being tried by attackers.
Interestingly, all but 14 of these appear on the rockyou2021.txt industry-standard list of exposed passwords. This puts paid to the idea that attackers are using sophisticated tools to 'crack' passwords online; in fact they're taking the lazy route of simply trying passwords that are already out there.
They're also relying on the fact that we're lazy too, and pretty rubbish at choosing passwords. According to the research, the three most popular user names for RDP are 'administrator,' 'user,' and 'admin,' while the three most common passwords are 'root,' 'admin,' and 'nproc.' Another of the most popular passwords is the old favorite '123456'.
"The threshold for like avoiding this kind of attack is to be just a little bit creative," says Tod Beardsley, director of research at Rapid7. "You don't even have to be that complex to avoid this specific kind of attack. All you have to do is not be a word. Attackers have tried and true mechanisms, they work enough for it to be worthwhile and they're easy enough for anyone to avoid if you're aware of how to configure a device that is on the internet. IoT is a big offender here as is default config for just normal cloud software. People are tasked with setting something up, they're in a rush, they set it up and say, 'Oh, maybe I'll change the password later'."
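To make the research method and Beardsley's advice concrete, here is an added Python example (not code from the article or from Rapid7). It replays a small constructed set of honeypot login attempts, counts the unique passwords tried and how many of them appear in an exposed-password list, and then reuses that same list as a screening check for new passwords. The attempt records, the tiny exposed-password set standing in for rockyou2021.txt, the function names and the 12-character minimum are all assumptions of this example.

```python
from __future__ import annotations

from collections import Counter

# Constructed sample of honeypot authentication attempts as (username, password).
# Made-up data for illustration; this is not the Rapid7 dataset.
HONEYPOT_ATTEMPTS: list[tuple[str, str]] = [
    ("administrator", "123456"),
    ("administrator", "admin"),
    ("administrator", "root"),
    ("user", "root"),
    ("user", "admin"),
    ("admin", "root"),
    ("admin", "nproc"),
    ("root", "nproc"),
    ("root", "password"),
    ("guest", "Xq7#vLp2!mRt"),  # constructed: a password not on the exposed list
]

# Constructed stand-in for a large exposed-password list such as rockyou2021.txt.
# In practice you would load the real file with load_exposed_list().
EXPOSED_PASSWORDS: set[str] = {
    "123456", "admin", "root", "nproc", "password", "qwerty", "letmein",
}

# Assumed policy threshold; pick whatever your own standard requires.
MIN_LENGTH = 12


def load_exposed_list(path: str) -> set[str]:
    """Read a newline-delimited exposed-password file into a set.

    Exposed-password dumps contain arbitrary bytes, so undecodable
    sequences are ignored rather than aborting the load.
    """
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return {line.rstrip("\r\n") for line in fh if line.strip()}


def summarize_attempts(attempts: list[tuple[str, str]], exposed: set[str]) -> dict:
    """Reproduce the shape of the study: unique passwords, how many of them
    are already public, and the most-tried usernames and passwords."""
    unique_passwords = {pw for _, pw in attempts}
    not_exposed = sorted(pw for pw in unique_passwords if pw not in exposed)
    return {
        "unique_passwords": len(unique_passwords),
        "in_exposed_list": len(unique_passwords) - len(not_exposed),
        "not_in_exposed_list": not_exposed,
        "top_usernames": Counter(u for u, _ in attempts).most_common(3),
        "top_passwords": Counter(pw for _, pw in attempts).most_common(3),
    }


def check_password_policy(password: str, exposed: set[str]) -> list[str]:
    """Return the reasons a candidate password should be rejected.

    An empty list means the password passes. The 'single word' test is a
    crude stand-in for 'don't be a word': purely alphabetic strings are
    exactly the kind of entry a wordlist-driven login attack tries first.
    """
    problems: list[str] = []
    if password in exposed:
        problems.append("appears in exposed-password list")
    if password.isalpha():
        problems.append("is a single word")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    summary = summarize_attempts(HONEYPOT_ATTEMPTS, EXPOSED_PASSWORDS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for candidate in ("admin", "123456", "Xq7#vLp2!mRt"):
        verdict = check_password_policy(candidate, EXPOSED_PASSWORDS) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The summary mirrors the honeypot analysis (on this constructed sample every password but one is already on the exposed list, and the top three passwords come out as root, admin and nproc), while `check_password_policy` is the defensive side: the same list that tells you what attackers are replaying is the cheapest possible filter to put in front of account creation and password changes.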
You can read more and get the full report on the Rapid7 blog.