We know people generally suck at choosing passwords, often using “12345” or “letmein”. But what passwords and usernames do attackers try most often? This analysis from information security firm Rapid7 shares some interesting details.
In their Project Heisenberg, Rapid7 deployed a collection of honeypots around the world, running on unpublished IP addresses. The company believes the only traffic reaching these honeypots would come from services that scan wide ranges of IP addresses. Rapid7 analysed the Remote Desktop Protocol login attempts to these honeypots for nearly a year. They recorded over 220,000 different attempts to log in, from over 5000 distinct IP addresses across 119 different countries.
The top 10 most used passwords:
password | count | per cent
x | 11865 | 5.36%
Zz | 10591 | 4.79%
St@rt123 | 8014 | 3.62%
1 | 5679 | 2.57%
P@ssw0rd | 5630 | 2.55%
bl4ck4ndwhite | 5128 | 2.32%
admin | 4810 | 2.17%
alex | 4032 | 1.82%
……. | 2672 | 1.21%
administrator | 2243 | 1.01%
Some of these aren’t surprising, but “alex”? Anyway, don’t use any of these passwords please.
The top usernames collected:
username | count | per cent
administrator | 77125 | 34.87%
Administrator | 53427 | 24.15%
user1 | 8575 | 3.88%
admin | 4935 | 2.23%
alex | 4051 | 1.83%
pos | 2321 | 1.05%
demo | 1920 | 0.87%
db2admin | 1654 | 0.75%
Admin | 1378 | 0.62%
sql | 1354 | 0.61%
There’s “alex” again. Change the administrator username to something that does not include “admin” in it.
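The same aggregation Rapid7 did on its honeypot traffic can be run against your own failed-logon records to see whether the usernames being tried against your RDP hosts come from this dictionary. The following is an added example written for this article, not code from Rapid7 or the report; the one-line log format, the sample events and the source addresses are all constructed for the demonstration.

```python
import re
from collections import Counter

# Usernames from the Rapid7 top-10 table above, lower-cased (case variants collapse).
RAPID7_TOP_USERNAMES = {
    "administrator", "user1", "admin", "alex", "pos", "demo", "db2admin", "sql",
}

# Constructed sample: one simplified line per failed logon (Windows Event ID 4625,
# logon type 10 = RemoteInteractive, i.e. RDP). The field layout is an assumption
# made for this example, not the real event schema.
SAMPLE_LOG = """\
4625 LogonType=10 Account=administrator Source=203.0.113.10
4625 LogonType=10 Account=Administrator Source=203.0.113.10
4625 LogonType=10 Account=administrator Source=203.0.113.10
4625 LogonType=10 Account=alex Source=198.51.100.7
4625 LogonType=10 Account=db2admin Source=198.51.100.7
4625 LogonType=10 Account=jsmith Source=192.0.2.44
4625 LogonType=2 Account=jsmith Source=-
"""

LINE_RE = re.compile(r"^4625 LogonType=(\d+) Account=(\S+) Source=(\S+)$")


def parse_rdp_failures(text):
    """Return (account, source) pairs for failed RDP (logon type 10) attempts only."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "10":
            attempts.append((m.group(2), m.group(3)))
    return attempts


def top_accounts(attempts, n=10):
    """Rank attempted usernames as the report does: count and share of all attempts.

    Names stay case-sensitive, which is why 'administrator' and 'Administrator'
    land in separate rows, just as they do in the Rapid7 table."""
    total = len(attempts)
    counts = Counter(account for account, _ in attempts)
    return [(acct, c, round(100 * c / total, 2)) for acct, c in counts.most_common(n)]


def dictionary_sources(attempts):
    """Map each source IP to how many of its attempts used a top-10 username."""
    hits = Counter()
    for account, source in attempts:
        if account.lower() in RAPID7_TOP_USERNAMES:
            hits[source] += 1
    return dict(hits)
```

A source address whose attempts are dominated by dictionary usernames is the signature of the wide-range scanning the report describes, and a good candidate for blocking at the perimeter.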
For more insights, check out the report below.
The Attacker’s Dictionary [Rapid7 via BetaNews.]
Comments
5 responses to “The Top 10 Usernames And Passwords Hackers Try To Get Into Remote Computers”
Interesting that they’ve differentiated Administrator and administrator. I was sure an RDP username isn’t case sensitive.
They’re not (ditto LDAP) but if the intruders are pulling names from a database the source database may be case-sensitive.
Also: RDP is not limited to Windows. It can be deployed for other operating systems where the username IS case-sensitive.
So the real question here is who the heck is Alex and why are they so bad at picking passwords?
Kidmaaaaaaan!
I guess if you were worried about your computer security you wouldn’t want to be “Living next door to Alex”
IT administrators quickly send memo to all staff: Users named Alex (M or F) will need to change their names by Deed Poll. All accounts starting with Alex 1 week forward will henceforth be closed.
...Actually I thought my name was pretty common but now sucks to be Alex.