HoneyPot WarGames - The Hackers Dictionary

Every year security companies come up with the “worst passwords” based on breached credentials found in the murkier parts of the internet. Every year people seem surprised that “123456” is a terrible password and that people are still using it.

Passwords often get rated by how quickly they could be “cracked”. The length of time it takes to crack a password in the real world varies wildly according to the context, and the numbers are often confusing.

NordPass recently published their list of most common passwords and claimed that the third most popular password was “picture1” and that it would take 3 hours to crack. If that’s referring to offline password cracking then we should have a whip-round to upgrade the hackers’ hardware, because a password like that should take seconds to crack.

When hackers try to brute force their way into an account online they have to try lots of different password combinations until they get in, or just give up. This takes a lot of time so hackers spend time optimizing their password lists to give themselves the best chance at success. 

So which passwords are hackers using to try to break into systems?

To find out which passwords they are using I have set up a honeypot with SSH exposed to the internet and watched the hackers try to break in.


This video shows a snapshot of the 3000+ daily attempts to break into my system. I set the honeypot up in such a way that there was actually no valid password and the attackers would never get in. This gave me the best chance to capture their attacking dictionary.

It turns out that their dictionary is pretty extensive with 30,000 entries so far and still growing. If you want to access the full list, it’s on github here.
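The way a dictionary like that gets assembled from a honeypot is by aggregating the failed-login events it logs. The following is an added example, not the author's own tooling: it assumes the honeypot writes JSON-lines events in the shape Cowrie uses (`cowrie.login.failed` records with `username`, `password` and `src_ip` fields), skips anything that is not JSON, drops the IoT/botnet passwords the post says were excluded, and ranks what remains. The log lines are constructed for the example.

```python
import json
from collections import Counter

# Passwords the post says were excluded from the published list because they
# belong to IoT devices and botnets attacking each other.
BOTNET_EXCLUDES = {"J5cmmu=Kyf0-br8CsW", "7ujMko0admin", "OkwKcECs8qJP2Z"}

# Constructed sample of honeypot output (not a real capture). Field names follow
# Cowrie's JSON log format, which is an assumption about the honeypot in use.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","timestamp":"2021-01-10T03:14:05.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","timestamp":"2021-01-10T03:14:07.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"Passw0rd","src_ip":"198.51.100.7","timestamp":"2021-01-10T03:14:09.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"Passw0rd","src_ip":"203.0.113.5","timestamp":"2021-01-10T03:15:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"1qaz@WSX","src_ip":"203.0.113.5","timestamp":"2021-01-10T03:15:03.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"7ujMko0admin","src_ip":"203.0.113.5","timestamp":"2021-01-10T03:15:04.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"Passw0rd","src_ip":"192.0.2.44","timestamp":"2021-01-10T03:16:11.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"1qaz@WSX","src_ip":"192.0.2.44","timestamp":"2021-01-10T03:16:12.000000Z"}
this line is not JSON and must be skipped
"""


def parse_events(text):
    """Parse JSON-lines honeypot output, silently skipping non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def attempted_passwords(events, exclude=BOTNET_EXCLUDES):
    """Yield (username, password, src_ip) for each failed login attempt,
    leaving out passwords on the exclusion list."""
    for ev in events:
        if ev.get("eventid") != "cowrie.login.failed":
            continue
        pw = ev.get("password")
        if pw is None or pw in exclude:
            continue
        yield ev.get("username", ""), pw, ev.get("src_ip", "")


def top_passwords(events, n=10):
    """Most frequently attempted passwords as (password, count) pairs."""
    counts = Counter(pw for _, pw, _ in attempted_passwords(events))
    return counts.most_common(n)


def sources_per_password(events):
    """Distinct source IPs that tried each password. A password seen from many
    sources is part of a shared wordlist rather than one attacker's guess."""
    sources = {}
    for _, pw, ip in attempted_passwords(events):
        sources.setdefault(pw, set()).add(ip)
    return {pw: len(ips) for pw, ips in sources.items()}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    spread = sources_per_password(events)
    for pw, count in top_passwords(events):
        print(f"{count:4d} attempts from {spread[pw]} sources: {pw}")
```

Run against a real Cowrie `cowrie.json`, the same three functions produce the ranked dictionary; the source count is the more useful column, because a password tried by many unrelated addresses is the one to expect on every internet-facing service.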

The worst passwords on that list are the usual ones like 1234, password and hello. The truth is, that’s not very useful to know, because almost any modern platform or office requires you to have a minimum password length of 8 characters with uppercase, lowercase, numbers and special characters.

What are the most common policy compliant passwords?

Here are the top thirty most attacked passwords that you might actually be using.

  1. Passw0rd
  2. 1qaz@WSX 
  3. Password1 
  4. P@ssw0rd 
  5. 4rfv$RFV 
  6. p@ssw0rd 
  7. 1qaz@WSX3edc$RFV 
  8. 1qaz@wsx 
  9. 123qwe!@# 
  10. root@123 
  11. 1qazXSW@ 
  12. !QAZ2wsx 
  13. Admin@123 
  14. ABCabc123 
  15. password1! 
  16. Password01 
  17. Abcd1234 
  18. 1qaz#EDC 
  19. 123!@#qwe 
  20. Admin123! 
  21. admin@123 
  22. 1QaZ2WsX 
  23. P@$$w0rd 
  24. 3edc#EDC 
  25. 1qaz!QAZ 
  26. 1q2w3e,. 
  27. Passw0rd1234 
  28. Pa55word
  29. Ilouberi5
  30. admin@1234

If you want the list of the top 10,000 of the worst passwords you can download it directly from GitHub here.

If you download the full list you will notice that I have excluded certain passwords such as J5cmmu=Kyf0-br8CsW, 7ujMko0admin, and OkwKcECs8qJP2Z. That’s because these are specific to IoT devices and botnets that are trying to hack each other.

The most commonly attacked passwords are keyboard patterns

Apart from the usual variations on Passw0rd1 and Admin123!, the most commonly attacked passwords are keyboard patterns. People have been using password patterns like 1qaz@WSX for a long time and hackers know it. SecLists has a whole file dedicated to keyboard patterns.
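A character-class policy accepts every entry in the top-thirty list above, so a defender who wants to reject them needs checks that look for the three shapes the list is made of: l33tspeak variations on a dictionary word, keyboard walks like 1qaz@WSX, and plain sequences like Abcd1234. The code below is an added example, not something from the post or from SecLists: it classifies a candidate password into those categories before it is accepted. The QWERTY grid, the leet substitution table, the base-word list (only words the post mentions) and the 75% adjacency threshold are all assumptions chosen for the example.

```python
import string

# Unshifted and shifted QWERTY rows, aligned so that a shifted symbol maps to the
# same key position as its unshifted character (layout model is an assumption).
ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
KEY_POS = {}
for layer in (ROWS, SHIFTED):
    for r, row in enumerate(layer):
        for c, ch in enumerate(row):
            KEY_POS[ch] = (r, c)

# Common substitutions seen in the list (0->o, @->a, $->s ...). Assumed table.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# Base words taken from the post; a real deployment would use a full wordlist.
BASE_WORDS = {"password", "admin", "root", "hello"}


def is_adjacent(a, b):
    """True when two characters sit on the same or a neighbouring key."""
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    if pa is None or pb is None:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def keyboard_walk_score(pw):
    """Fraction of character transitions that move to a neighbouring key."""
    if len(pw) < 2:
        return 0.0
    adjacent = sum(is_adjacent(a, b) for a, b in zip(pw, pw[1:]))
    return adjacent / (len(pw) - 1)


def is_keyboard_walk(pw, threshold=0.75, min_len=6):
    # Walks like 1qaz@WSX3edc$RFV jump between columns, so we allow a few
    # non-adjacent transitions rather than demanding a single straight run.
    return len(pw) >= min_len and keyboard_walk_score(pw) >= threshold


def is_sequence(pw, min_run=3):
    """True when the password is entirely ascending runs (abc, 1234) of
    at least min_run characters, e.g. Abcd1234 or ABCabc123."""
    s = pw.lower()
    runs, start = [], 0
    for i in range(1, len(s)):
        same_class = s[i].isalpha() == s[i - 1].isalpha()
        if not (same_class and ord(s[i]) == ord(s[i - 1]) + 1):
            runs.append(s[start:i])
            start = i
    runs.append(s[start:])
    return len(s) >= min_run and all(len(run) >= min_run for run in runs)


def word_variant(pw):
    """Return the base word a password is a munged form of, or None.
    Leading/trailing digits and symbols are stripped (Admin@123 -> Admin),
    then leet substitutions are undone (P@$$w0rd -> password)."""
    core = pw.strip(string.digits + string.punctuation)
    normalized = core.lower().translate(LEET)
    return normalized if normalized in BASE_WORDS else None


def classify(pw):
    """Category of weakness: word-variant, keyboard-walk, sequence or none."""
    if word_variant(pw):
        return "word-variant"
    if is_keyboard_walk(pw):
        return "keyboard-walk"
    if is_sequence(pw):
        return "sequence"
    return "none"


if __name__ == "__main__":
    # A few entries from the top-thirty list above, plus a random one.
    for candidate in ["Passw0rd", "1qaz@WSX", "P@$$w0rd", "123!@#qwe",
                      "Abcd1234", "ABCabc123", "Ilouberi5"]:
        print(f"{candidate:12s} -> {classify(candidate)}")
```

Every entry in the top thirty passes an "8 characters with all four classes" rule; all but one of them falls into one of the three categories here, which is the gap between a policy document and what survives on the internet.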

The bottom line on passwords

Variations on the word “password”, keyboard patterns and l33tspeak versions of the username won’t last long on an internet-facing service. These might meet a company policy document, but they won’t survive the barrage of attacks a service faces on the internet. Eventually someone will guess your password. Using password generation tools like https://toughpassword.com to generate a strong random password can help, but anything internet-facing really needs multi-factor authentication in place.
