Almost a year ago, the Microsoft Malware Protection Center launched a honeypot FTP server with the intention of researching the attacks that normal users are subjected on an everyday basis.
Among other things they looked at, here is what they discovered regarding the usernames and passwords used in FTP dictionary-based attacks:
- Longest user name: 15 chars
- Longest password: 29 chars
- Average user name length: 6 chars
- Average password length: 8 chars.
It didn’t came as a surprise that the most common tried user names are: “Administrator”, “Administrateur” and a sligly less popular “admin”, followed by first names like “andrew”, “dave” and “steve”.
The most common tried passwords were also expected: “password” and “123456”. “#!comment:”, “changeme”, “F**kyou” (edited) and “abc123” were tried 5 to 6 times less times than the first two.
This information should be know to everybody and used as a list of things to avoid. Every password can be cracked if given enough time. The dictionary attack software is getting stronger, so the least you can do is make your password so complex that it will take a long, long time to crack it or – hopefully – make the attacker cease the attack and move on.
When choosing a strong password you should keep in mind that it should contain letters (upper AND lowercase), numbers, AND special characters, and that it’s preferable for it to be lengthy or, at least, longer than the average 8 characters.
Andrey Belenko, IT security analyst with Elcomsoft comments: “DO NOT use same password for different systems/accounts, i.e. ERP system and webmail account. Systems have flaws (as well as humans do) and compromising one system/account should not lead to compromising other.
When it comes to changing passwords while thinking about convenience vs. security, Mr. Belenko said: “The whole idea of changing passwords is to limit exposure and damage if password is compromised, so password lifetime depends on level of access granted. Higher access levels should correspond to shorter password lifetimes. For non-critical account password expiration period of 60-90 days is usually good enough choice – not too annoying for users and provides fair level of security.”