Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Top 10 Admin Passwords to Avoid

Don't want hackers to guess the password for that critical server or application? Stay away from these

In the end, it's all a big guessing game. You create passwords to protect your systems; hackers try to guess the password you created.

It's a game that's going on all the time. As we reported last week, researchers at the University of Maryland recently completed a study in which four live Linux servers were set out as bait to see how often they would be attacked. The study racked up 269,262 attempts in a 24-day period. (See Study: Two Hacks a Minute.)

During that time, 824 attempts were successful -- the attacker got the server's username and password. On average, that means that each of the servers was "cracked" almost 10 times a day. And these were relatively anonymous servers, sitting in a university data center and intentionally loaded with mundane, uninteresting data. We can only imagine what these attempt statistics might look like at, say, Bank of America or the U.S. Department of Defense.

So while most security discussions take passwords for granted or treat them as outmoded, the guessing game clearly continues. With this in mind, we asked some experts to comment on the most frequently-used (and guessed) administrative passwords, and how to avoid them.

The University of Maryland was our first stop, since they had just completed the study on this very topic. According to Michel Cukier, the professor who led the study, here are the most commonly-guessed passwords in cyberspace, in order of frequency:

  • 1. (username)
  • 2. (username)123
  • 3. 123456
  • 4. password
  • 5. 1234
  • 6. 12345
  • 7. passwd
  • 8. 123
  • 9. test
  • 10. 1

Other experts chipped in a few of their own. Val Smith, CTO of Offensive Computing LLC, notes five that didn't land in the university's top 10: "admin1," "changeme," "dontforget," and "letmein."

"Attackers are generally looking for the username and password that will bring them the greatest reward," notes Cukier. As a result, the username "root" -- which traditionally has given administrators access to multiple systems at the root level -- is by far the most frequently-guessed, with "admin" finishing a distant second.

In many cases, the attacker will simply type in a likely username, and then guess that the password will be the same, or almost the same, as the username, Cukier says. In the study, hackers tried the username as the password 43 percent of the time.

Another common hacker strategy is to try the default username and/or password set by the vendor, notes Todd Fitzgerald, Medicare systems security officer at National Government Services. Passwords such as "default," "system," "attack," "cisco," "tiger," "public," and "sun123" are commonly used by vendors, and users often forget to change them after switching the product on, he observes.

Such vendor passwords can be quickly found on the Internet through sites such as defaultpassword.com, which lists default passwords by vendor and product, Fitzgerald observes.

Commonly-guessed passwords may be regional in nature. A list of the "10 most common passwords" was passed around on the Web last year, but it was originated in the U.K. and included passwords such as "arsenal" and "liverpool," two popular British football teams. "I don't know what would have happened if we'd placed our servers [for the study] in another country," the University of Maryland's Cukier says. "It would be interesting to test."

Experts agree that shared passwords, once a common phenomenon in the data center, are now a major no-no. "Many times, on penetration testing engagements, I have found only one or two vulnerable hosts but was able to compromise hundreds or thousands of computers because they all shared common accounts," says Smith.

Strong passwords should contain at least eight characters, and should include numerals as well as upper and lower-case letters, experts say. One security expert recommends choosing a favorite eight or nine-word quote or phrase, then using the first or second letter from each word. "That makes it very easy to remember, but hard to guess."

In the long run, though, virtually all experts agree that the days of the reusable password are numbered. "Implementing one-time passwords, such as cryptocards or smart cards, is the way to go," says Smith.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...