Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Top 10 Admin Passwords to Avoid

Don't want hackers to guess the password for that critical server or application? Stay away from these

In the end, it's all a big guessing game. You create passwords to protect your systems; hackers try to guess the password you created.

It's a game that's going on all the time. As we reported last week, researchers at the University of Maryland recently completed a study in which four live Linux servers were set out as bait to see how often they would be attacked. The study racked up 269,262 attempts in a 24-day period. (See Study: Two Hacks a Minute.)

During that time, 824 attempts were successful -- the attacker got the server's username and password. On average, that means that each of the servers was "cracked" almost 10 times a day. And these were relatively anonymous servers, sitting in a university data center and intentionally loaded with mundane, uninteresting data. We can only imagine what these attempt statistics might look like at, say, Bank of America or the U.S. Department of Defense.

So while most security discussions take passwords for granted or treat them as outmoded, the guessing game clearly continues. With this in mind, we asked some experts to comment on the most frequently-used (and guessed) administrative passwords, and how to avoid them.

The University of Maryland was our first stop, since they had just completed the study on this very topic. According to Michel Cukier, the professor who led the study, here are the most commonly-guessed passwords in cyberspace, in order of frequency:

  • 1. (username)
  • 2. (username)123
  • 3. 123456
  • 4. password
  • 5. 1234
  • 6. 12345
  • 7. passwd
  • 8. 123
  • 9. test
  • 10. 1

Other experts chipped in a few of their own. Val Smith, CTO of Offensive Computing LLC, notes five that didn't land in the university's top 10: "admin1," "changeme," "dontforget," and "letmein."

"Attackers are generally looking for the username and password that will bring them the greatest reward," notes Cukier. As a result, the username "root" -- which traditionally has given administrators access to multiple systems at the root level -- is by far the most frequently-guessed, with "admin" finishing a distant second.

In many cases, the attacker will simply type in a likely username, and then guess that the password will be the same, or almost the same, as the username, Cukier says. In the study, hackers tried the username as the password 43 percent of the time.

Another common hacker strategy is to try the default username and/or password set by the vendor, notes Todd Fitzgerald, Medicare systems security officer at National Government Services. Passwords such as "default," "system," "attack," "cisco," "tiger," "public," and "sun123" are commonly used by vendors, and users often forget to change them after switching the product on, he observes.

Such vendor passwords can be quickly found on the Internet through sites such as defaultpassword.com, which lists default passwords by vendor and product, Fitzgerald observes.

Commonly-guessed passwords may be regional in nature. A list of the "10 most common passwords" was passed around on the Web last year, but it was originated in the U.K. and included passwords such as "arsenal" and "liverpool," two popular British football teams. "I don't know what would have happened if we'd placed our servers [for the study] in another country," the University of Maryland's Cukier says. "It would be interesting to test."

Experts agree that shared passwords, once a common phenomenon in the data center, are now a major no-no. "Many times, on penetration testing engagements, I have found only one or two vulnerable hosts but was able to compromise hundreds or thousands of computers because they all shared common accounts," says Smith.

Strong passwords should contain at least eight characters, and should include numerals as well as upper and lower-case letters, experts say. One security expert recommends choosing a favorite eight or nine-word quote or phrase, then using the first or second letter from each word. "That makes it very easy to remember, but hard to guess."

In the long run, though, virtually all experts agree that the days of the reusable password are numbered. "Implementing one-time passwords, such as cryptocards or smart cards, is the way to go," says Smith.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...