The Attacker’s Dictionary: Passwords That Put You At Risk

March 16, 2016

In today’s Whiteboard Wednesday, Roy Hodgman, Data Scientist at Rapid7, discusses a recent research report produced by the Rapid7 research team. The report focuses on the passwords that attackers use when they scan the internet indiscriminately. We call this project “Project Heisenberg”.

Project Heisenberg is a collection of low interaction honeypots deployed around the world. The honeypots run on IP addresses which we have not published, and we expect that the only traffic directed to the honeypots would come from projects or services scanning a wide range of IP addresses. When an unsolicited connection attempt is made to one of our honeypots, we store all the data sent to the honeypot in a central location for further analysis.

In this video we will explore some of the data we have collected related to Remote Desktop Protocol (RDP) login attempts.


Video Transcript

Welcome to this week's Whiteboard Wednesday. My name is Roy Hodgman. I work as a Data Scientist here at Rapid7 and today we're going to talk about passwords that put you at risk.


At Rapid7, we do a lot of internet scale research where we collect data about how attackers behave on the internet, and make this data available to both ourselves and the community at large in order to do interesting research projects.

One of the projects that we've been working on recently is Project Heisenberg. Project Heisenberg is a collection of low interaction honeypots that we've deployed around the world. These honeypots are machines that collect all the information that is sent to them, usually unsolicited, and make that data available for further analysis. When we analyze that data, we're able to pull out authentication credentials, specifically the usernames and passwords associated with the remote desktop protocol.

In a recent study for 334 days, we pulled out 221,000 different events associated with attempted log-ins to RDP. These came from 119 different countries with 1,800 different usernames and almost 4000 different passwords.

Looking at these passwords, we were able to pull out the most commonly used ones, which are X, and ZZ, and one, variations on the word "start", and "admin", and around 400 different variations on the word "password" with the @ symbol, or a dollar sign, or zero in place of the letters that we normally use.

We also saw a couple of very complex passwords like this one here, but not that many. A majority of the passwords that we saw were all these very simple passwords. And because these attackers are scanning the whole internet, they're looking for devices that these passwords will work on. They're not using a lot of complex passwords, they're using a lot of simple passwords, which means that simple passwords work.

As much as we talk about the need to have complex passwords deployed in systems that are internet facing, if they're scanning for passwords that are simple, that means that there are systems out there with simple passwords.

We recently released a report about all of this research, including information on the top passwords and usernames that we saw, as well as the complexity of those passwords, and how long we saw those passwords being used by attackers before we never heard from them again.

If you'd like to read more about this information, please go to our website Rapid7.com and download the paper. That's it for this week's Whiteboard Wednesday. We'll talk to you next week.
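As an added illustration of the kind of analysis the transcript describes (this is not Rapid7's code, and the events below are constructed, not data from the report), the script groups leetspeak variants of a base word, counts the most frequent passwords, and measures how long each password keeps appearing across a set of sample honeypot RDP login attempts:

```python
# Group honeypot RDP login attempts as the Heisenberg analysis does: collapse
# leetspeak variants of a base word and measure how long each password recurs.
from collections import Counter, defaultdict
from datetime import date

# Constructed sample events (date seen, source country, username, password);
# illustrative only, not Rapid7's honeypot data.
EVENTS = [
    (date(2015, 3, 1), "CN", "administrator", "x"),
    (date(2015, 3, 1), "CN", "administrator", "P@ssw0rd"),
    (date(2015, 3, 2), "US", "admin", "password"),
    (date(2015, 3, 2), "RU", "admin", "Passw0rd"),
    (date(2015, 3, 5), "RU", "user", "pa$$word"),
    (date(2015, 4, 9), "CN", "administrator", "x"),
    (date(2015, 4, 9), "BR", "admin", "zz"),
    (date(2015, 6, 1), "CN", "administrator", "start123"),
    (date(2015, 6, 1), "CN", "administrator", "x"),
]

# Substitutions the transcript mentions: @, $ and 0 standing in for letters.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o"})

def canonical(password):
    """Map a password to its base word so that variants group together."""
    return password.lower().translate(SUBSTITUTIONS)

def variants_by_base(events):
    """Return {base word: sorted list of distinct raw passwords seen}."""
    groups = defaultdict(set)
    for _, _, _, pw in events:
        groups[canonical(pw)].add(pw)
    return {base: sorted(v) for base, v in groups.items()}

def top_passwords(events, n=3):
    """Most frequent raw passwords with their attempt counts."""
    return Counter(pw for _, _, _, pw in events).most_common(n)

def password_lifetime_days(events):
    """Days between the first and last sighting of each raw password."""
    first, last = {}, {}
    for day, _, _, pw in events:
        first[pw] = min(first.get(pw, day), day)
        last[pw] = max(last.get(pw, day), day)
    return {pw: (last[pw] - first[pw]).days for pw in first}

def summary(events):
    """Distinct-value counts comparable to the figures quoted in the transcript."""
    return {"events": len(events), "countries": len({e[1] for e in events}),
            "usernames": len({e[2] for e in events}), "passwords": len({e[3] for e in events})}
```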
