We are consistently seeing login attempts on our honeypot services and while the attackers are certainly trying a wide variety of #passwords, it is a handful of passwords that are being tried over and over again.

Which passwords are so bad that you can expect them to be compromised within minutes? Here are the #bottom10 passwords to use, the 10 worst passwords 2022:

- root
- 1234
- 123456
- password
- admin
- toor
- 12345
- 123
- qwerty
- 1

One might argue that the only surprise in this list is that attackers are spending resources on passwords that are so obviously terrible. Even just one of them ("password") has the minimum length of 8 characters, which is usually required.

But of course there are more. For example, the #password "6uPF5Cofvyjcew9" made it with 0.12% of all login attempts to 13th place. A more comprehensive list of the 1000 worst passwords (which together account for 32.7% of all login attempts) can be found here: https://github.com/lutrasecurity/bad-passwords/tree/2022

@lutrasecurity Do you know how high the success-rate of these passwords is? I get similar results from my honeypots, but I can't believe that even one in a million server is successfully exploited this way

@vx @lutrasecurity I don't have any data about the success rate, but I agree that it's probably very low.

I just ran a quick analysis of the full dataset and 39% of the passwords (43% of the login attempts) are shorter than 8 characters. 94% of the passwords wouldn't be valid if, in addition to the length, lower/upper/numeral/special characters were required.

In the end, these attacks are a huge waste of resources.
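The two kinds of numbers in this thread (the top-10 ranking with per-password share of attempts, and the fraction of passwords that fail a length or character-class rule) are easy to reproduce on your own honeypot export. The script below is an added example, not code from the thread or from the lutrasecurity/bad-passwords repository; its input format (one "password<TAB>count" line per distinct password) and the sample records are constructed assumptions, and the counts are not the real dataset.

```python
"""Tally passwords seen in honeypot login attempts and measure how many would
be rejected by common password-policy rules.

Added example, not code from the thread or the lutrasecurity repository.
The export format and SAMPLE_EXPORT below are constructed assumptions.
"""
from collections import Counter
import string

# Constructed sample export: distinct password and how often it was tried.
# The passwords echo the thread; the counts are made up for illustration.
SAMPLE_EXPORT = """\
root\t900
123456\t800
password\t700
admin\t600
1234\t550
toor\t500
12345\t400
123\t300
qwerty\t250
1\t200
6uPF5Cofvyjcew9\t120
ji32k7au4a83\t60
Passw0rd!2022\t20
"""


def parse_export(text):
    """Parse 'password<TAB>count' lines into a Counter of attempts."""
    attempts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the last tab so a password containing spaces survives.
        pw, _, count = line.rpartition("\t")
        attempts[pw] += int(count)
    return attempts


def worst_passwords(attempts, n=10):
    """Return the n most-tried passwords with their share of all attempts."""
    total = sum(attempts.values())
    return [(pw, count / total) for pw, count in attempts.most_common(n)]


def meets_complexity(pw, min_len=8):
    """True if pw satisfies a typical length plus four-character-class policy."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and all(classes)


def policy_stats(attempts, min_len=8):
    """Fraction of distinct passwords, and of attempts, rejected by each rule.

    'short_*' counts passwords shorter than min_len; 'complex_fail_*' counts
    passwords that fail the length-plus-character-class policy.
    """
    total_pw = len(attempts)
    total_att = sum(attempts.values())
    short = {pw for pw in attempts if len(pw) < min_len}
    fail = {pw for pw in attempts if not meets_complexity(pw, min_len)}
    return {
        "short_pw": len(short) / total_pw,
        "short_attempts": sum(attempts[p] for p in short) / total_att,
        "complex_fail_pw": len(fail) / total_pw,
        "complex_fail_attempts": sum(attempts[p] for p in fail) / total_att,
    }


if __name__ == "__main__":
    data = parse_export(SAMPLE_EXPORT)
    for pw, share in worst_passwords(data):
        print(f"{share:6.2%}  {pw}")
    print(policy_stats(data))
```

Running it against a real export is the quickest way to see which of the rules your own services enforce would already block the bulk of what the honeypot sees; note that "password" passes the length rule but not the character-class rule, which is the gap the 8-character minimum alone leaves open.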

@weddige @vx @lutrasecurity Probably many default passwords. They often do not obey any password rules 🤷

But yeah, waste of resources nonetheless.

@weddige @lutrasecurity thank you for your answer.
And these complex passwords like the one mentioned above are probably the result of Chinese input methods like "ji32k7au4a83":
https://www.theverge.com/tldr/2019/3/5/18252150/bad-password-security-data-breach-taiwan-ji32k7au4a83-have-i-been-pwned
ji32k7au4a83 is a surprisingly bad password (The Verge)

When you’re creating a new password for an account, it might prompt you to use numbers and letters, and avoid real words. So a password like 420DankMemes might be kind of weak while the password “ji32k7au4a83” might seem stronger. But surprisingly, that particular string of numbers and letters has appeared 141 times on the site Have I Been Pwned, where you can check if your info has been leaked in a data breach, as spotted by Gizmodo.