Password Attacks – A Small Server Experiment
There are a lot of statistics about what is the most prolific passwords we use to login to our online accounts. What we were interested in was what passwords are being used to guess logons to online systems. We setup a WordPress website and started logging passwords tried against that website. Here are some results after about 5 months of monitoring and over 11,000 of logged attacks.
The total number of passwords we logged was 11,312. This set contained 4,421 different passwords. We could split all passwords into several distinct groups:
- number passwords – contain only digits.
- names – first names
- popular passwords – passwords that rank high in known statistics
- keyboard friendly – characters are next to each other on keyboard
- website related – use the website name and/or usernames on the website
- topical – e.g., StarTrek related, football related, and so on.
Here are three graphs to show distribution of password guesses. You can see that a large fraction of guesses uses just a small subset of passwords. I believe the main reason is that attacks are distributed and run from a number of independent servers at the same time. This means that most popular passwords are still tried many times.
X axis shows of the next diagram shows the number of different passwords, Y axis what fraction of all attacks these passwords represent.
This last chart is a detail of the previous one when we look at the left-hand side of the graph and show how often the most popular passwords were tested.
Which Passwords To Avoid
It seems to be a very bad idea to use password consisting of only digits. We have logged passwords of 1 digit to passwords of 12 digits. As such, even a long number does not help. 22% of all guesses used number passwords.
Another bad idea is to use a name as your password, be it the name of your girlfriend or son. The number of names being tested is very high indeed.
Obvious often used passwords is another thing to avoid. Here is a selection of “password” variations we found: Password!, P@ssw0rd1, P@$w0rd, pa$$w0rd, password12345, pass1234, pa$$word, Pa55word, pass12, p4ssw0rd, p@55w0rd.
Finally, if you believe that qwezxczasda is a good password, think twice. Passwords made form keys that are close to each other are not so often but I was still surprised by some of them. Here is again a small selection: q1q1q1, qwertuiop, ytngfh, k,jdm, qweasd123, 123asd, qazwsxedcrfv.
The biggest surprise however was when we identified passwords that used names of post authors as well as the website’s URL. There were more than 10 variations of one of the author’s name and even more passwords made from the website’s name and “padding” (like 11111, 12345, pass, …).
Most Often Tested Passwords
Interestingly, even passwords forming the first 10% of all guess attacks were quite different from when the “official” top ten of passwords at the time. Here is our top 33.