Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Top 10 Admin Passwords to Avoid

Don't want hackers to guess the password for that critical server or application? Stay away from these

In the end, it's all a big guessing game. You create passwords to protect your systems; hackers try to guess the password you created.

It's a game that's going on all the time. As we reported last week, researchers at the University of Maryland recently completed a study in which four live Linux servers were set out as bait to see how often they would be attacked. The study racked up 269,262 attempts in a 24-day period. (See Study: Two Hacks a Minute.)

During that time, 824 attempts were successful -- the attacker got the server's username and password. On average, that means that each of the servers was "cracked" almost 10 times a day. And these were relatively anonymous servers, sitting in a university data center and intentionally loaded with mundane, uninteresting data. We can only imagine what these attempt statistics might look like at, say, Bank of America or the U.S. Department of Defense.

So while most security discussions take passwords for granted or treat them as outmoded, the guessing game clearly continues. With this in mind, we asked some experts to comment on the most frequently-used (and guessed) administrative passwords, and how to avoid them.

The University of Maryland was our first stop, since they had just completed the study on this very topic. According to Michel Cukier, the professor who led the study, here are the most commonly-guessed passwords in cyberspace, in order of frequency:

  • 1. (username)
  • 2. (username)123
  • 3. 123456
  • 4. password
  • 5. 1234
  • 6. 12345
  • 7. passwd
  • 8. 123
  • 9. test
  • 10. 1

Other experts chipped in a few of their own. Val Smith, CTO of Offensive Computing LLC, notes five that didn't land in the university's top 10: "admin1," "changeme," "dontforget," and "letmein."

"Attackers are generally looking for the username and password that will bring them the greatest reward," notes Cukier. As a result, the username "root" -- which traditionally has given administrators access to multiple systems at the root level -- is by far the most frequently-guessed, with "admin" finishing a distant second.

In many cases, the attacker will simply type in a likely username, and then guess that the password will be the same, or almost the same, as the username, Cukier says. In the study, hackers tried the username as the password 43 percent of the time.

Another common hacker strategy is to try the default username and/or password set by the vendor, notes Todd Fitzgerald, Medicare systems security officer at National Government Services. Passwords such as "default," "system," "attack," "cisco," "tiger," "public," and "sun123" are commonly used by vendors, and users often forget to change them after switching the product on, he observes.

Such vendor passwords can be quickly found on the Internet through sites such as defaultpassword.com, which lists default passwords by vendor and product, Fitzgerald observes.

Commonly-guessed passwords may be regional in nature. A list of the "10 most common passwords" was passed around on the Web last year, but it was originated in the U.K. and included passwords such as "arsenal" and "liverpool," two popular British football teams. "I don't know what would have happened if we'd placed our servers [for the study] in another country," the University of Maryland's Cukier says. "It would be interesting to test."

Experts agree that shared passwords, once a common phenomenon in the data center, are now a major no-no. "Many times, on penetration testing engagements, I have found only one or two vulnerable hosts but was able to compromise hundreds or thousands of computers because they all shared common accounts," says Smith.

Strong passwords should contain at least eight characters, and should include numerals as well as upper and lower-case letters, experts say. One security expert recommends choosing a favorite eight or nine-word quote or phrase, then using the first or second letter from each word. "That makes it very easy to remember, but hard to guess."

In the long run, though, virtually all experts agree that the days of the reusable password are numbered. "Implementing one-time passwords, such as cryptocards or smart cards, is the way to go," says Smith.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31922
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
CVE-2021-32051
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
CVE-2021-32615
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
CVE-2021-33026
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
CVE-2021-31876
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...