Study: Weak passwords really do help hackers
Four computers left online for 24 days were hit by 270,000 hacking attempts
Computerworld - Left online for 24 days to see how hackers would attack them, four Linux computers with weak passwords were hit by some 270,000 intrusion attempts -- about one attempt every 39 seconds, according to a study conducted by a researcher at the University of Maryland.
Among the key findings: Weak passwords really do make hackers' jobs much easier. The study also found that improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer.
The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems -- and what they do once they gain access.
Using software tools that help hackers guess usernames and passwords, the study logged the most common words hackers tried to use to log into the systems. Cukier and two graduate students found that most attacks were conducted by hackers using dictionary scripts, which run through lists of common usernames and passwords in attempts to break into a computer.
Some 825 of the attacks were ultimately successful and the hackers were able to log into the systems. The study was conducted between Nov. 14 and Dec. 8 at the school.
Cukier was not surprised by what he found. "Root" was the top guess by dictionary scripts in about 12.34% of the attempts, while "admin" was tried 1.63% of the time. The word "test" was tried as a username 1.12% of the time, while "guest" was tried 0.84% of the time, according to the experiment's logs.
The dictionary script software tried 43% of the time to use the same username word as a password to try to gain entrance into the affected systems, Cukier said. The reason, he said, is that hackers try for the simplest combinations because they just might work.
Once inside the systems, hackers conducted several typical inquiries, he said, including checking software configurations, changing passwords, checking the hardware and/or software configuration again, downloading a file, installing the downloaded program and then running it.
For IT security workers, the study reinforced the obvious. "Weak passwords are a real issue," Cukier said.
At the University of Maryland, users are told that passwords should include at least eight characters, with at least one uppercase letter and one lowercase. The school also recommends that at least one character be a number or punctuation symbol, Cukier said. All passwords should be changed every 180 days, according to the university's recommendations.
"That's really reasonable," Cukier said of the guidelines. "It's not helpful if the password is so complicated that people don't remember it and [therefore] write it down on a sticky note next to their computer."
Users can use the title of a favorite book for a password or even the first letters from a memorable sentence, he said. "They'll be easy for you to remember because you'll be able to remember the sentence ... without having to write it down," Cukier said.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts