Password Attacks – A Small Server Experiment

This short post looks at passwords attacks that were launched during 5 months’ period against a small web server of ours in 2013.

There are a lot of statistics about what is the most prolific passwords we use to login to our online accounts. What we were interested in was what passwords are being used to guess logons to online systems. We setup a WordPress website and started logging passwords tried against that website. Here are some results after about 5 months of monitoring and over 11,000 of logged attacks.

The total number of passwords we logged was 11,312. This set contained 4,421 different passwords. We could split all passwords into several distinct groups:

  • number passwords – contain only digits.
  • names – first names
  • popular passwords – passwords that rank high in known statistics
  • keyboard friendly – characters are next to each other on keyboard
  • website related – use the website name and/or usernames on the website
  • topical – e.g., StarTrek related, football related, and so on.

Here are three graphs to show distribution of password guesses. You can see that a large fraction of guesses uses just a small subset of passwords. I believe the main reason is that attacks are distributed and run from a number of independent servers at the same time. This means that most popular passwords are still tried many times.

Length of passwords that attackers tried against our web server.

X axis shows of the next diagram shows the number of different passwords, Y axis what fraction of all attacks these passwords represent.

Cumulative probability of guessing passwords
Attacks certainly didn’t guess at random – clear skew towards weeks passwords

This last chart is a detail of the previous one when we look at the left-hand side of the graph and show how often the most popular passwords were tested.

Most common passwords tested against the website.

Which Passwords To Avoid

It seems to be a very bad idea to use password consisting of only digits. We have logged passwords of 1 digit to passwords of 12 digits. As such, even a long number does not help. 22% of all guesses used number passwords.

Another bad idea is to use a name as your password, be it the name of your girlfriend or son. The number of names being tested is very high indeed.

Obvious often used passwords is another thing to avoid. Here is a selection of “password” variations we found: Password!, P@ssw0rd1, P@$w0rd, pa$$w0rd, password12345, pass1234, pa$$word, Pa55word, pass12, p4ssw0rd, p@55w0rd.

Finally, if you believe that qwezxczasda is a good password, think twice. Passwords made form keys that are close to each other are not so often but I was still surprised by some of them. Here is again a small selection: q1q1q1, qwertuiop, ytngfh, k,jdm, qweasd123, 123asd, qazwsxedcrfv.

The biggest surprise however was when we identified passwords that used names of post authors as well as the website’s URL. There were more than 10 variations of one of the author’s name and even more passwords made from the website’s name and “padding” (like 11111, 12345, pass, …).

Most Often Tested Passwords

Interestingly, even passwords forming the first 10% of all guess attacks were quite different from when the “official” top ten of passwords at the time. Here is our top 33.

admin1234 Password! internet:) 23946587 123456789
P@ssw0rd1 qwerty1 nursing naked admin_id
michelle1 tuborg pass1 P@ssword123 nemesis
ibanez eugene 56789q danny connect chantal buttons baseball1 qweqweqwe
liliana control administrator1 987654321 12345
101012474 stacey Passw0rd1

Leave a Reply

Your email address will not be published. Required fields are marked *