David Baxter PhD
Late Founder
Microsoft releases password attack data
Security Focus
2009-11-27
Microsoft released data collected from an FTP-server honeypot, showing that attempts to guess passwords continue to focus on the low-hanging fruit: passwords with an average length of eight characters, with "password" and "123456" being the most common.
The data is part of a project to monitor attacks that everyday users might encounter on a regular basis. Most of the attacks attempted to log into the administrator account on English and French computers -- Administrator and Administrateur were, by far, the two most popular usernames -- using a variety of passwords. The attackers were typically compromised computer that were part of a botnet, Microsoft researchers stated on the company's Malware Protection Center blog.
"You should take care of what user name and password you're choosing," the researchers wrote. "If your account has no limit on the number of login attempts, then knowing the user name is like having half the job done."
In one case, an attacker made more than 400,000 attempts to guess a user name password combination.
The most common passwords were password, 123456, #!comment:, changeme, and an expletive.
Microsoft recommended that users create passwords consisting of letters, numbers and special characters using a combination of lower and upper case. The average length of the password attacks was eight characters, so users should focus on longer passwords, the researchers stated.
Security Focus
2009-11-27
Microsoft released data collected from an FTP-server honeypot, showing that attempts to guess passwords continue to focus on the low-hanging fruit: passwords with an average length of eight characters, with "password" and "123456" being the most common.
The data is part of a project to monitor attacks that everyday users might encounter on a regular basis. Most of the attacks attempted to log into the administrator account on English and French computers -- Administrator and Administrateur were, by far, the two most popular usernames -- using a variety of passwords. The attackers were typically compromised computer that were part of a botnet, Microsoft researchers stated on the company's Malware Protection Center blog.
"You should take care of what user name and password you're choosing," the researchers wrote. "If your account has no limit on the number of login attempts, then knowing the user name is like having half the job done."
In one case, an attacker made more than 400,000 attempts to guess a user name password combination.
The most common passwords were password, 123456, #!comment:, changeme, and an expletive.
Microsoft recommended that users create passwords consisting of letters, numbers and special characters using a combination of lower and upper case. The average length of the password attacks was eight characters, so users should focus on longer passwords, the researchers stated.