
Top 10 Admin Passwords to Avoid

Don't want hackers to guess the password for that critical server or application? Stay away from these

In the end, it's all a big guessing game. You create passwords to protect your systems; hackers try to guess the password you created.

It's a game that's going on all the time. As we reported last week, researchers at the University of Maryland recently completed a study in which four live Linux servers were set out as bait to see how often they would be attacked. The study racked up 269,262 attempts in a 24-day period. (See Study: Two Hacks a Minute.)

During that time, 824 attempts were successful -- the attacker got the server's username and password. On average, that means that each of the servers was "cracked" almost 10 times a day. And these were relatively anonymous servers, sitting in a university data center and intentionally loaded with mundane, uninteresting data. We can only imagine what these attempt statistics might look like at, say, Bank of America or the U.S. Department of Defense.

So while most security discussions take passwords for granted or treat them as outmoded, the guessing game clearly continues. With this in mind, we asked some experts to comment on the most frequently-used (and guessed) administrative passwords, and how to avoid them.

The University of Maryland was our first stop, since they had just completed the study on this very topic. According to Michel Cukier, the professor who led the study, here are the most commonly-guessed passwords in cyberspace, in order of frequency:

1. (username)
2. (username)123
3. 123456
4. password
5. 1234
6. 12345
7. passwd
8. 123
9. test
10. 1

Other experts chipped in a few of their own. Val Smith, CTO of Offensive Computing LLC, notes five that didn't land in the university's top 10: "admin1," "changeme," "dontforget," and "letmein."

"Attackers are generally looking for the username and password that will bring them the greatest reward," notes Cukier. As a result, the username "root" -- which traditionally has given administrators access to multiple systems at the root level -- is by far the most frequently-guessed, with "admin" finishing a distant second.

In many cases, the attacker will simply type in a likely username, and then guess that the password will be the same, or almost the same, as the username, Cukier says. In the study, hackers tried the username as the password 43 percent of the time.

Another common hacker strategy is to try the default username and/or password set by the vendor, notes Todd Fitzgerald, Medicare systems security officer at National Government Services. Passwords such as "default," "system," "attack," "cisco," "tiger," "public," and "sun123" are commonly used by vendors, and users often forget to change them after switching the product on, he observes.

Such vendor passwords can be quickly found on the Internet through sites such as defaultpassword.com, which lists default passwords by vendor and product, Fitzgerald observes.

Commonly-guessed passwords may be regional in nature. A list of the "10 most common passwords" was passed around on the Web last year, but it originated in the U.K. and included passwords such as "arsenal" and "liverpool," two popular British football teams. "I don't know what would have happened if we'd placed our servers [for the study] in another country," the University of Maryland's Cukier says. "It would be interesting to test."

Experts agree that shared passwords, once a common phenomenon in the data center, are now a major no-no. "Many times, on penetration testing engagements, I have found only one or two vulnerable hosts but was able to compromise hundreds or thousands of computers because they all shared common accounts," says Smith.

Strong passwords should contain at least eight characters, and should include numerals as well as upper- and lower-case letters, experts say. One security expert recommends choosing a favorite eight- or nine-word quote or phrase, then using the first or second letter from each word. "That makes it very easy to remember, but hard to guess."
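As an added illustration (constructed here, not code from Dark Reading or the University of Maryland study), the following screening routine turns the guidance in this article into a check an administrator can run before accepting an admin password: it rejects the username-derived pattern the study saw in 43 percent of attempts, the commonly-guessed and vendor-default values quoted above, and anything short of the eight-character, mixed-case, numeral rule. Function names and the sample accounts are assumptions for the example.

```python
"""Screen candidate admin passwords against the weaknesses described above.

Constructed example, not the article's or the study's code.
"""
import re

# Commonly-guessed values quoted in the article (the study's fixed entries,
# Val Smith's additions and the vendor defaults Todd Fitzgerald lists).
# The two username-derived entries are handled by pattern, not by lookup.
COMMONLY_GUESSED = {
    "123456", "password", "1234", "12345", "passwd", "123", "test", "1",
    "admin1", "changeme", "dontforget", "letmein",
    "default", "system", "attack", "cisco", "tiger", "public", "sun123",
}


def derived_from_username(password: str, username: str) -> bool:
    """True for the '(username)' and '(username)123' patterns, any case."""
    pattern = re.escape(username) + r"\d*"
    return re.fullmatch(pattern, password, re.IGNORECASE) is not None


def check_password(password: str, username: str) -> list:
    """Return the policy violations found; an empty list means acceptable."""
    problems = []
    if derived_from_username(password, username):
        problems.append("derived from the username")
    if password.lower() in COMMONLY_GUESSED:
        problems.append("on the commonly-guessed / vendor-default list")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", password):
        problems.append("no numeral")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not mixed case")
    return problems


def screen_accounts(accounts: dict) -> dict:
    """Map each account name to its violations; only failing accounts appear."""
    report = {}
    for username, password in accounts.items():
        problems = check_password(password, username)
        if problems:
            report[username] = problems
    return report


if __name__ == "__main__":
    # Constructed sample: two weak choices from the article and one that passes.
    sample = {"root": "root123", "admin": "changeme", "dba": "Tq7Bf4Kd9x"}
    for name, issues in screen_accounts(sample).items():
        print(f"{name}: {'; '.join(issues)}")
```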

In the long run, though, virtually all experts agree that the days of the reusable password are numbered. "Implementing one-time passwords, such as cryptocards or smart cards, is the way to go," says Smith.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
