

Top 10 Admin Passwords to Avoid

Don't want hackers to guess the password for that critical server or application? Stay away from these

In the end, it's all a big guessing game. You create passwords to protect your systems; hackers try to guess the password you created.

It's a game that's going on all the time. As we reported last week, researchers at the University of Maryland recently completed a study in which four live Linux servers were set out as bait to see how often they would be attacked. The study racked up 269,262 attempts in a 24-day period. (See Study: Two Hacks a Minute.)

During that time, 824 attempts were successful -- the attacker got the server's username and password. On average, that means that each of the servers was "cracked" almost 10 times a day. And these were relatively anonymous servers, sitting in a university data center and intentionally loaded with mundane, uninteresting data. We can only imagine what these attempt statistics might look like at, say, Bank of America or the U.S. Department of Defense.

So while most security discussions take passwords for granted or treat them as outmoded, the guessing game clearly continues. With this in mind, we asked some experts to comment on the most frequently-used (and guessed) administrative passwords, and how to avoid them.

The University of Maryland was our first stop, since they had just completed the study on this very topic. According to Michel Cukier, the professor who led the study, here are the most commonly-guessed passwords in cyberspace, in order of frequency:

1. (username)
2. (username)123
3. 123456
4. password
5. 1234
6. 12345
7. passwd
8. 123
9. test
10. 1

Other experts chipped in a few of their own. Val Smith, CTO of Offensive Computing LLC, notes five that didn't land in the university's top 10: "admin1," "changeme," "dontforget," and "letmein."

"Attackers are generally looking for the username and password that will bring them the greatest reward," notes Cukier. As a result, the username "root" -- which traditionally has given administrators access to multiple systems at the root level -- is by far the most frequently-guessed, with "admin" finishing a distant second.

In many cases, the attacker will simply type in a likely username, and then guess that the password will be the same, or almost the same, as the username, Cukier says. In the study, hackers tried the username as the password 43 percent of the time.

Another common hacker strategy is to try the default username and/or password set by the vendor, notes Todd Fitzgerald, Medicare systems security officer at National Government Services. Passwords such as "default," "system," "attack," "cisco," "tiger," "public," and "sun123" are commonly used by vendors, and users often forget to change them after switching the product on, he observes.

Such vendor passwords can be quickly found on the Internet through sites such as defaultpassword.com, which lists default passwords by vendor and product, Fitzgerald observes.

Commonly-guessed passwords may be regional in nature. A list of the "10 most common passwords" was passed around on the Web last year, but it originated in the U.K. and included passwords such as "arsenal" and "liverpool," two popular British football teams. "I don't know what would have happened if we'd placed our servers [for the study] in another country," the University of Maryland's Cukier says. "It would be interesting to test."

Experts agree that shared passwords, once a common phenomenon in the data center, are now a major no-no. "Many times, on penetration testing engagements, I have found only one or two vulnerable hosts but was able to compromise hundreds or thousands of computers because they all shared common accounts," says Smith.

Strong passwords should contain at least eight characters, and should include numerals as well as upper- and lower-case letters, experts say. One security expert recommends choosing a favorite eight- or nine-word quote or phrase, then using the first or second letter from each word. "That makes it very easy to remember, but hard to guess."
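As an added illustration (not code from the article or the study), the checks below turn the lists quoted above into a per-account blocklist, reject passwords built from the username as the study describes, and apply the eight-character, mixed-case, numeral rule; the account names and sample passwords are constructed.

```python
import re

# Most-guessed passwords from the University of Maryland study, in the
# order the article gives them; "(username)" is expanded per account.
MARYLAND_TOP10 = ["(username)", "(username)123", "123456", "password",
                  "1234", "12345", "passwd", "123", "test", "1"]
# Guesses named by Val Smith, plus vendor defaults cited by Todd Fitzgerald.
OTHER_COMMON = {"admin1", "changeme", "dontforget", "letmein"}
VENDOR_DEFAULTS = {"default", "system", "attack", "cisco", "tiger",
                   "public", "sun123"}


def blocklist_for(username):
    """Expand the article's lists into concrete strings for one account."""
    expanded = {p.replace("(username)", username) for p in MARYLAND_TOP10}
    return expanded | OTHER_COMMON | VENDOR_DEFAULTS


def check_password(username, password):
    """Return the reasons a candidate password fails; an empty list passes."""
    reasons = []
    lowered = password.lower()
    # Compare case-insensitively so "Cisco" is caught as well as "cisco".
    if lowered in {p.lower() for p in blocklist_for(username)}:
        reasons.append("matches a commonly guessed or vendor-default password")
    # The study saw the username itself tried as the password 43 percent of
    # the time, so reject anything that merely contains the username.
    if username.lower() in lowered:
        reasons.append("contains the username")
    if len(password) < 8:
        reasons.append("shorter than eight characters")
    if not re.search(r"\d", password):
        reasons.append("no numeral")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        reasons.append("missing upper- or lower-case letters")
    return reasons


def passphrase_initials(phrase, position=0):
    """Build the mnemonic the article suggests: the first (position 0) or
    second (position 1) letter of each word in a memorable phrase."""
    words = phrase.split()
    return "".join(w[position] for w in words if len(w) > position)


if __name__ == "__main__":
    for user, pw in [("root", "root"), ("admin", "admin123"), ("ops", "Cisco"),
                     ("alice", passphrase_initials("Four score and seven years ago our fathers brought"))]:
        print(user, repr(pw), check_password(user, pw) or "ok")
```

Note that the bare initials of a phrase still fail the numeral rule, so a digit has to be worked into the mnemonic before it satisfies the policy.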

In the long run, though, virtually all experts agree that the days of the reusable password are numbered. "Implementing one-time passwords, such as cryptocards or smart cards, is the way to go," says Smith.

— Tim Wilson, Site Editor, Dark Reading

