[ISN] Study: Weak passwords really do help hackers

From: InfoSec News (alerts@private)
Date: Tue Feb 06 2007 - 22:24:40 PST


By Todd R. Weiss
February 06, 2007 

Left online for 24 days to see how hackers would attack them, four Linux 
computers with weak passwords were hit by some 270,000 intrusion 
attempts -- about one attempt every 39 seconds, according to a study 
conducted by a researcher at the University of Maryland.

Among the key findings: Weak passwords really do make hackers' jobs much 
easier. The study also found that improved selection of usernames and 
associated passwords can make a big difference in whether attackers get 
into someone's computer.

The study was led by Michel Cukier, an assistant professor of mechanical 
engineering and an affiliate of the university's Clark School Center for 
Risk and Reliability and Institute for Systems Research. His goal was to 
look at how hackers behave when they attack computer systems -- and what 
they do once they gain access.

Using software tools that help hackers guess usernames and passwords, 
the study logged the most common words hackers tried to use to log into 
the systems. Cukier and two graduate students found that most attacks 
were conducted by hackers using dictionary scripts, which run through 
lists of common usernames and passwords in attempts to break into a 

Some 825 of the attacks were ultimately successful and the hackers were 
able to log into the systems. The study was conducted between Nov. 14 
and Dec. 8 at the school.

Cukier was not surprised by what he found. "Root" was the top guess by 
dictionary scripts in about 12.34% of the attempts, while "admin" was 
tried 1.63% of the time. The word "test" was tried as a username 1.12% 
of the time, while "guest" was tried 0.84% of the time, according to the 
experiment's logs.

The dictionary script software tried 43% of the time to use the same 
username word as a password to try to gain entrance into the affected 
systems, Cukier said. The reason, he said, is that hackers try for the 
simplest combinations because they just might work.

Once inside the systems, hackers conducted several typical inquiries, he 
said, including checking software configurations, changing passwords, 
checking the hardware and/or software configuration again, downloading a 
file, installing the downloaded program and then running it.

For IT security workers, the study reinforced the obvious. "Weak 
passwords are a real issue," Cukier said.

At the University of Maryland, users are told that passwords should 
include at least eight characters, with at least one uppercase letter 
and one lowercase. The school also recommends that at least one 
character be a number or punctuation symbol, Cukier said. All passwords 
should be changed every 180 days, according to the university's 

"That's really reasonable," Cukier said of the guidelines. "It's not 
helpful if the password is so complicated that people don't remember it 
and [therefore] write it down on a sticky note next to their computer."

Users can use the title of a favorite book for a password or even the 
first letters from a memorable sentence, he said. "They'll be easy for 
you to remember because you'll be able to remember the sentence ... 
without having to write it down," Cukier said.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Tue Feb 06 2007 - 22:37:23 PST