Are We Still Stupid About Passwords?

Remote services are vulnerable to brute force attacks because of poor credential hygiene: Report

The security company Rapid7 has discovered that lists of exposed passwords are used in almost all Secure Shell (SSH) and Remote Desktop (RDP) attacks.

The researchers observed that 512,002 different passwords were tried when they monitored a network of a few hundred honeypot devices for SSH and RDP access attempts.

"Administrator," "user," and "admin" were the most frequently used RDP usernames, while "root," "admin," and "nproc" were the most frequently used passwords.

Only 14 of the passwords were not on the rockyou2021.txt list of 8.4 billion leaked passwords (the list holds passwords only, without the matching usernames), and those appeared to be mistakes, since they contained the IP address of the honeypot being attacked.

Letting attackers remotely access a business, including via RDP and SSH, can result in the loss of sensitive information and in malware infestations, including ransomware.

Tod Beardsley, head of research for Rapid7, said, "What we found in our research in many respects confirmed our assumptions that attackers aren't 'breaking' passwords on the internet and that despite the much-publicized concerns and threats, we still collectively stink at password management."

But why were there so few of those disclosed passwords in the trial?

According to Erick Galinkin, a senior artificial intelligence researcher at Rapid7, "social engineering techniques, such as phishing for passwords and credential stuffing, are still greater means for attackers to obtain access to credentials than breaking them mechanically."

"We're simply not managing our passwords well enough, and it doesn't need to be that way in this day and age," he continued.

You don't even need a really strong password to protect yourself; one with some randomness in it, such as a few arbitrary characters, is sufficient, and that alone defeats this kind of attack.

Avoid using default passwords and don't use the same password for different logins, according to Rapid7. Using a password manager will make this simple to accomplish.
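One way to act on that advice across a fleet, as an added example that is not Rapid7's code: a small Python audit that streams a leaked-password list once (so an 8.4-billion-line file such as rockyou2021.txt never has to fit in memory) and flags both leaked passwords and passwords reused across logins. The wordlist path and the credential inventory are assumptions; the sample data is constructed.

```python
from collections import defaultdict


def audit_credentials(creds, wordlist_lines):
    """Flag credentials whose password appears in a leaked list, and
    passwords reused across accounts.

    creds:          iterable of (service, username, password) tuples
    wordlist_lines: iterable of leaked passwords, one per line
    Returns {"leaked": [(service, username), ...],
             "reused": {password: [(service, username), ...]}}
    """
    by_password = defaultdict(list)
    for service, user, password in creds:
        by_password[password].append((service, user))

    # Reuse: the same password guarding more than one login.
    reused = {pw: accts for pw, accts in by_password.items() if len(accts) > 1}

    # Leak check: walk the wordlist once and look each entry up in the
    # (small) candidate set, so the wordlist itself is never held in memory.
    # Stop early once every candidate password has been seen.
    pending = dict(by_password)
    leaked = []
    for line in wordlist_lines:
        hit = pending.pop(line.rstrip("\r\n"), None)
        if hit:
            leaked.extend(hit)
            if not pending:
                break
    return {"leaked": leaked, "reused": reused}


def audit_against_file(creds, wordlist_path):
    """Stream a wordlist file (e.g. a local copy of rockyou2021.txt; the path
    is an assumption) through audit_credentials. errors="ignore" skips the
    malformed bytes such lists often contain."""
    with open(wordlist_path, encoding="utf-8", errors="ignore") as fh:
        return audit_credentials(creds, fh)


# Constructed sample data standing in for a real credential inventory and
# a real leaked list; the values are illustrative only.
SAMPLE_WORDLIST = ["123456", "root", "admin", "nproc", "password1"]
SAMPLE_CREDS = [
    ("ssh", "root", "root"),
    ("rdp", "Administrator", "Winter2024!"),
    ("ssh", "deploy", "Winter2024!"),
    ("rdp", "user", "nproc"),
    ("ssh", "backup", "x7Q!v9#rLp2m"),
]

if __name__ == "__main__":
    print(audit_credentials(SAMPLE_CREDS, SAMPLE_WORDLIST))
```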

According to Galinkin, "These services are a powerful but regrettably underutilised option to have good credential hygiene."

Want to know simple ways to improve your passwords? Rapid7 has a ready-to-download report in which you will learn:

✅ The most commonly used (and attacked) usernames and passwords and where they come from

✅ How auditing endpoints for default passwords and encouraging the use of password managers can make your network less vulnerable

✅ How little improvement in password health has actually taken place since we last looked in 2016

Click here to download
