24 November 2021

Hackers don’t even bother brute-forcing long passwords, Microsoft researcher says

Security researchers have long stressed the importance of using strong, alphanumeric passwords to protect users’ accounts on social media platforms, payment services, etc. According to the data collected by Microsoft’s network of honeypot servers, only a few attacks target accounts protected by long passwords or passwords with special characters.

Most cybercriminals launch brute-force attacks to guess short passwords and might not even bother trying to guess a password if it is too long or complex, according to Microsoft security researcher Ross Bevington.

“I analysed the credentials entered from over 25 million brute force attacks against SSH. This is around 30 days of data in Microsoft’s sensor network. 77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases,” Bevington told the Record.

The researcher said that only 7% of the brute-force attempts he analyzed contained a special character, 39% had at least one number, and none used passwords that included white space.
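The statistics above (share of guesses in each length band, share containing a special character, a digit, or whitespace) are straightforward to reproduce from a honeypot's own logs. The script below is an added example, not code from Microsoft or from the article; it assumes a hypothetical honeypot log format in which each failed SSH login is recorded as `user=… password=… src=…`, and the log lines it runs on are constructed here, not real sensor data.

```python
import re
import string
from collections import Counter

# Constructed honeypot log lines (hypothetical format, made-up credentials,
# TEST-NET source addresses). Not data from Microsoft's sensor network.
SAMPLE_LOG = """\
2021-11-01T03:12:44Z sshd-honeypot: login failed user=root password=123456 src=203.0.113.7
2021-11-01T03:12:45Z sshd-honeypot: login failed user=root password=password src=203.0.113.7
2021-11-01T03:12:47Z sshd-honeypot: login failed user=admin password=admin src=203.0.113.7
2021-11-01T03:13:02Z sshd-honeypot: login failed user=root password=root src=203.0.113.19
2021-11-01T03:13:03Z sshd-honeypot: login failed user=ubuntu password=ubuntu src=203.0.113.19
2021-11-01T03:13:05Z sshd-honeypot: login failed user=root password=12345678 src=203.0.113.19
2021-11-01T03:14:10Z sshd-honeypot: login failed user=pi password=raspberry src=203.0.113.42
2021-11-01T03:14:11Z sshd-honeypot: login failed user=root password=P@ssw0rd src=203.0.113.42
2021-11-01T03:14:13Z sshd-honeypot: login failed user=admin password=qwerty123 src=203.0.113.42
2021-11-01T03:15:30Z sshd-honeypot: login failed user=root password=Summer2021! src=203.0.113.42
2021-11-01T03:15:31Z sshd-honeypot: login failed user=test password=test src=203.0.113.42
2021-11-01T03:15:33Z sshd-honeypot: login failed user=root password=toor src=203.0.113.42
"""

# Matches the hypothetical log format; the password field is taken up to the
# next space, which is enough because no observed guess contained whitespace.
LINE_RE = re.compile(r"user=(?P<user>\S+) password=(?P<password>\S+) src=(?P<src>\S+)")
SPECIALS = set(string.punctuation)


def parse_attempts(log_text):
    """Return a list of (user, password, src) tuples for every parseable line."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m["user"], m["password"], m["src"]))
    return attempts


def length_bucket(password):
    """Bucket a guess into the same bands the article quotes."""
    n = len(password)
    if n <= 7:
        return "1-7"
    if n <= 10:
        return "8-10"
    return "11+"


def pct(part, total):
    return round(100.0 * part / total, 1) if total else 0.0


def summarise(attempts):
    """Compute length-band and character-class shares over attempted passwords."""
    total = len(attempts)
    buckets = Counter(length_bucket(pw) for _, pw, _ in attempts)
    special = sum(1 for _, pw, _ in attempts if any(c in SPECIALS for c in pw))
    digit = sum(1 for _, pw, _ in attempts if any(c.isdigit() for c in pw))
    space = sum(1 for _, pw, _ in attempts if any(c.isspace() for c in pw))
    return {
        "total": total,
        "pct_len_1_7": pct(buckets["1-7"], total),
        "pct_len_8_10": pct(buckets["8-10"], total),
        "pct_len_11_plus": pct(buckets["11+"], total),
        "pct_special": pct(special, total),
        "pct_digit": pct(digit, total),
        "pct_space": pct(space, total),
        "top_users": Counter(u for u, _, _ in attempts).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_attempts(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On real honeypot data the interesting output is the trend over time: if the length bands and character-class shares of attempted guesses stay where the article reports them, a minimum length of 12 or more plus MFA places an account outside the range that bulk SSH brute-forcing even tries.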

Based on data from more than 14 billion brute-force attacks launched by hackers against Microsoft’s honeypot server network, attacks on Remote Desktop Protocol (RDP) servers have tripled since 2020 (up 325%), Bevington said. Additionally, researchers observed an increase in attacks against network printing services (178%), as well as Docker and Kubernetes systems, which saw an increase of 110%.

“By default solutions like RDP are turned off but if you decide to turn them on, don’t put stuff straight on the Internet. Remember that attackers will go after any brute forcible remote admin protocol. If you must have yours accessible on the Internet use strong passwords, managed identity, MFA,” Bevington said.
