
[Dshield] Fun with passwords Jon Kibler Wed Jul 16 07:21:03 2008

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

I recently had the opportunity to analyze a 'username password' file
used by an SSH brute force program found on a hacked system. I thought
the group may be interested in some stats I computed from that data set:

Total entries in file                   88,900
Unique user names                       76,900
Joe accounts                            76,400
Unique passwords                        81,000
Unique non-Joe passwords                 8,100
Passwords occurring more than once         240
Passwords occurring more than 3 times       35


The frequencies of occurrence of the top 35 passwords were:
   4 admin123
   4 backup
   4 condo
   4 linux
   4 oracle
   4 rooted
   5 123456789
   5 gov
   5 newpass
   5 setup
   5 user
   6 server
   6 sysadmin
   7 guest
   8 router
   9 12345678
  12 asdfgh
  14 abcd1234
  17 abc123
  17 changeme
  18 1234
  18 1q2w3e
  18 administrator
  21 $changeme$
  21 123
  23 12345
  23 qwerty
  24 root
  29 admin
  42
 127 test123
 129 test
 139 passwd
1482 password
1858 123456

The numbers of passwords found for usernames with 15 or more passwords were:
  15 chloe
  15 jacob
  15 jessica
  15 julia
  15 louise
  15 man
  15 mary
  15 nobody
  15 sarah
  15 temp
  15 tester
  15 testing
  15 web
  16 lp
  16 patricia
  17 postgres
  17 toor
  18 alex
  18 student
  19 daemon
  19 news
  19 victoria
  20 nasa
  20 wwwrun
  23 user
  25 uucp
  26 bin
  26 guest
  35 test
  61 admin
 114 apache
 114 oracle
 114 webmaster
3388 root


So, I guess the lesson that we should learn from this data is, that to
avoid being the victim of an SSH brute force attack, we should set all
of our root passwords to 123456. :-)

I hope someone can put these stats to good use!

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhtfdkACgkQUVxQRc85QlNtCQCfeoQgBwG+8SNI8tjve9u8JntI
w3QAoI3AZT/F0m7KCx80s1f7T39mAR7o
=uHvl
-----END PGP SIGNATURE-----
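The statistics in the post above can be recomputed on any similar credential list. The script below is an added example, not code from the original post or from Dshield. It assumes a plain text file with one space-separated "username password" pair per line (the post does not state the file format), treats a line with no password field as an empty password, and counts a "Joe account" as an entry whose password equals its username. The sample input is constructed.

```python
"""Recompute the post's credential-list statistics over a constructed sample.

Added example, not the original poster's code. Assumptions (not stated in
the post): one "username password" pair per line, separated by a single
space; a line with only a username is an empty password; a "Joe account"
is an entry whose password equals its username.
"""
from collections import Counter, defaultdict

# Constructed sample of a brute-force credential list (not the real file).
# The last entry has no password field and so counts as an empty password.
SAMPLE_LINES = [
    "root 123456",
    "root password",
    "root root",
    "root toor",
    "admin admin",
    "admin 123456",
    "admin password",
    "oracle oracle",
    "test test",
    "test test123",
    "guest guest",
    "nobody nobody",
    "webmaster password",
    "user",
]
SAMPLE_LIST = "\n".join(SAMPLE_LINES) + "\n"


def parse_pairs(text):
    """Return a list of (username, password) tuples from the file text."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ", 1)  # password may itself contain spaces
        user = parts[0]
        password = parts[1] if len(parts) > 1 else ""
        pairs.append((user, password))
    return pairs


def credential_stats(pairs):
    """Compute the same headline counts the post reports."""
    users = Counter(u for u, _ in pairs)
    passwords = Counter(p for _, p in pairs)
    joe_accounts = sum(1 for u, p in pairs if u == p)
    non_joe_passwords = {p for u, p in pairs if u != p}
    return {
        "total_entries": len(pairs),
        "unique_user_names": len(users),
        "joe_accounts": joe_accounts,
        "unique_passwords": len(passwords),
        "unique_non_joe_passwords": len(non_joe_passwords),
        "passwords_more_than_once": sum(1 for c in passwords.values() if c > 1),
        "passwords_more_than_3_times": sum(1 for c in passwords.values() if c > 3),
    }


def top_passwords(pairs, n):
    """Most frequent passwords as (password, count), highest count first."""
    return Counter(p for _, p in pairs).most_common(n)


def users_with_min_passwords(pairs, minimum):
    """Usernames that have at least `minimum` distinct passwords tried."""
    per_user = defaultdict(set)
    for u, p in pairs:
        per_user[u].add(p)
    rows = [(u, len(s)) for u, s in per_user.items() if len(s) >= minimum]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    pairs = parse_pairs(SAMPLE_LIST)
    for name, value in credential_stats(pairs).items():
        print(f"{name:<30} {value:>8,}")
    print("\nTop passwords:")
    for pw, count in top_passwords(pairs, 5):
        print(f"{count:>5} {pw!r}")
    print("\nUsernames with 2 or more passwords:")
    for user, count in users_with_min_passwords(pairs, 2):
        print(f"{count:>5} {user}")
```

Point `parse_pairs` at the real file's contents to reproduce the counts in the post; an empty password shows up as `''` in the top-passwords listing rather than as a blank line.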

