Threat Research & Response Blog
Almost a year ago, we started a project designed to monitor incoming attacks against a normal user on a day-to-day basis. We presented you with details about the geographical area from where the attacks originated and what services were targeted, and we gave you just a hint about FTP dictionary-based attacks. Now we’re going into a bit more detail about the passwords, having so far gathered hundreds of user names and tens of thousands of passwords that have been used in automated attacks in the last couple of months. Most of them were collected by our (fake) FTP server, which is designed to emulate a small part of the FTP protocol and log the information so that it’s easy to process.
As you can see below in the statistics, the length of the passwords is quite interesting, mainly because the average length according to our data is 8 characters and that’s quite close to the length of the passwords that many people use for their Internet accounts.
Statistics about user names and passwords:
Here is a top 10 list with the most common user names used in automated attacks:
And a similar list for passwords:
Trivia: One attacker tried more than 400,000 user name and password combinations.
Most of the probing is done from compromised systems that are connected to a password-protected IRC channel and are waiting for commands.
As you can see in the image below, one such command is to scan and identify other vulnerable hosts.
We just want to make users aware of the fact that passwords of around 8-10 characters (the average length of passwords that are normally used for Internet accounts) are used in attacks. Even a long password (10 to 15, or even 20 characters) isn’t good enough if it’s dictionary-based. As seen in the table above, there are passwords in dictionaries that even use special characters (for example #!comment: ), not only numbers and letters.
You should take good care of what user name and password you're choosing. If your account has no limit on the number of login attempts, then knowing the user name is like having half of the job done. Especially for the user names from the top 10 (and mainly for the Administrator/Administrateur accounts), the passwords shouldn’t be picked lightly.
Usually we choose easy-to-type and/or easy-to-remember passwords, but please don’t forget that (for the moment) passwords are the most commonly used form of authentication on the Internet, so they need to be strong.
The three basic things to remember when creating a strong password are the following:
1. Use a combination of letters, numbers and special characters. Also, remember that some dictionaries used in attacks have a "l33t" mode, which applies common letter-to-number and letter-to-special-character substitutions (for example a to @, i to 1, o to 0 and s to $, so that password becomes p@$$w0rd). Therefore, mix them in different ways so that they are not predictable.
2. Use a combination of upper and lower case letters.
3. Make it lengthy. A longer password does not necessarily mean it is strong but it can help in some cases.
To check if you have a strong password, you can use Microsoft's password checker (http://www.microsoft.com/protect/fraud/passwords/checker.aspx).
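As an added illustration of the three rules above (this is not code from the post), a small Python checker that undoes the l33t substitutions listed under rule 1 before comparing a password against a word list, and that also shows how few extra spellings l33t mode actually adds per dictionary word; the sample word list and the 12-character minimum are assumptions.

```python
import itertools
import string

# Substitutions named in the post's "l33t" mode.
LEET = {"a": "@", "i": "1", "o": "0", "s": "$"}
UNLEET = {v: k for k, v in LEET.items()}
# Constructed sample word list standing in for an attack dictionary.
SAMPLE_DICTIONARY = {"password", "administrator", "admin", "123456", "letmein"}
# Assumed minimum length; the post only says "make it lengthy".
MIN_LENGTH = 12

def leet_variants(word):
    """Yield every l33t spelling of word: each substitutable letter is
    either kept or replaced, so n such letters give only 2**n forms."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for replace, pos in zip(mask, positions):
            if replace:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)

def normalize(password):
    """Undo case and l33t substitutions so p@$$w0rd compares as password."""
    return "".join(UNLEET.get(c, c) for c in password.lower())

def is_dictionary_based(password, dictionary=SAMPLE_DICTIONARY):
    """True if the password is a dictionary word, l33t-mangled or not."""
    lowered = password.lower()
    return lowered in dictionary or normalize(lowered) in dictionary

def check_password(password, dictionary=SAMPLE_DICTIONARY):
    """Return the rules from the post that the password fails (empty = ok)."""
    failures = []
    if is_dictionary_based(password, dictionary):
        failures.append("dictionary word; l33t substitutions do not hide it")
    def has(pred):
        return any(pred(c) for c in password)
    if not (has(str.isalpha) and has(str.isdigit)
            and has(lambda c: c in string.punctuation)):
        failures.append("mix letters, numbers and special characters")
    if not (has(str.isupper) and has(str.islower)):
        failures.append("mix upper and lower case letters")
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    return failures

if __name__ == "__main__":
    for pw in ("P@$$w0rd", "Correct-Horse7Battery"):
        print(pw, "->", check_password(pw) or "passes all three rules")
```

Note that "password" has four substitutable letters, so l33t mode adds only 16 spellings of it to the dictionary; the substitutions alone buy almost nothing.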
Having a super strong password is not enough. From time to time, you need to change it, especially when you feel that your account has been compromised. We also advise you to use a different password for every account, so that if one is compromised, not all your accounts are affected.
For additional information regarding passwords you can visit the following links:
Creating passwords - http://www.microsoft.com/protect/fraud/passwords/create.aspx
Maintaining passwords - http://www.microsoft.com/protect/fraud/passwords/secret.aspx
And by the way…..Don’t forget your password!!!!
Francis Allan Tan Seng && Andrei Saygo