Attackers usually don't brute-force long passwords

Data from Microsoft's network of honeypot servers showed that very few attacks targeted long and complex credentials; instead, attackers primarily focus on short passwords. Ross Bevington, a security researcher at Microsoft, analyzed the credentials entered in over 25 million brute-force attacks against SSH, roughly 30 days of data from Microsoft's sensor network.

Passwords of over 10 characters were seen in only 6% of attack cases

“77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases,” said Bevington.

According to him, only 7% of the brute-force attempts targeted passwords with a special character, 39% of attempted passwords contained at least one number, and none of the attacks involved passwords containing white space. Bevington also provided broader statistics on brute-force attacks: more than 14 billion brute-force attempts were made against Microsoft's network of honeypot servers (its sensor network). Attacks on Remote Desktop Protocol (RDP) servers through September this year have tripled, an increase of 325%.

Docker and Kubernetes systems saw a 110% increase in attacks, and network printing services saw an increase of 178%. Bevington added that the numbers for SSH and VNC are just as bad, and that they haven't changed much since last year.

It is evident that longer passwords containing special characters are most likely safe from the bulk of brute-force attacks, as long as they haven't ended up in attackers' brute-forcing dictionaries or been leaked online.

Image: Hashcat, one of the password cracking tools

Bevington advised using strong passwords, managed identity, and MFA if you expose systems to the Internet, because attackers will go after any brute-forceable remote admin protocol. Solutions like RDP are turned off by default, but if you decide to turn them on, don't put them straight on the Internet.

What does brute-force mean?

In short, a brute-force attack is a popular password cracking method in which an attacker tries to guess a username and password to gain unauthorized access to a system. This method of attack has a high success rate and accounts for five percent of confirmed security breaches.

Some attackers still perform brute-forcing manually, but in most cases bots do the job: they work through lists of real or commonly used credentials, try each one, and notify the attacker if access is gained. The motivation behind brute force may include infecting sites with malware, disrupting service, or stealing information. Whatever the attacker plans, it is always better to prevent such incidents, and using long, complex passwords is the simplest way to do so.
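The bot behaviour described above (many credential guesses from one source in a short time) is also what makes brute-forcing visible in SSH server logs. The following is an added example, not code from the article or from Microsoft's sensor network: it parses constructed log lines in the format OpenSSH writes to auth.log, keeps a sliding window of failed password attempts per source address, and flags sources that exceed a threshold, noting whether a successful login followed the failures. The threshold, window length, year and all sample lines are assumptions for illustration.

```python
"""Flag SSH brute-force activity from sshd-style auth log lines.

Added example, not from the article. Parses OpenSSH "Failed password" /
"Accepted password" lines, counts failures per source IP in a sliding
window, and reports sources that cross a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real data). One fast guesser, one user who
# mistyped twice, one slow guesser, and one unrelated sshd line.
SAMPLE_LOG = """\
Nov 22 10:00:00 host sshd[1200]: Server listening on 0.0.0.0 port 22.
Nov 22 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Nov 22 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 51013 ssh2
Nov 22 10:00:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51014 ssh2
Nov 22 10:00:04 host sshd[1204]: Failed password for invalid user ubuntu from 203.0.113.7 port 51015 ssh2
Nov 22 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51016 ssh2
Nov 22 10:00:06 host sshd[1206]: Failed password for invalid user oracle from 203.0.113.7 port 51017 ssh2
Nov 22 10:00:08 host sshd[1207]: Accepted password for root from 203.0.113.7 port 51018 ssh2
Nov 22 10:01:00 host sshd[1301]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Nov 22 10:01:05 host sshd[1302]: Failed password for alice from 198.51.100.9 port 40002 ssh2
Nov 22 10:01:12 host sshd[1303]: Accepted password for alice from 198.51.100.9 port 40003 ssh2
Nov 22 10:10:00 host sshd[1401]: Failed password for root from 192.0.2.33 port 60001 ssh2
Nov 22 10:12:00 host sshd[1402]: Failed password for root from 192.0.2.33 port 60002 ssh2
Nov 22 10:14:00 host sshd[1403]: Failed password for root from 192.0.2.33 port 60003 ssh2
Nov 22 10:16:00 host sshd[1404]: Failed password for root from 192.0.2.33 port 60004 ssh2
Nov 22 10:18:00 host sshd[1405]: Failed password for root from 192.0.2.33 port 60005 ssh2
"""

# Syslog timestamp, host, sshd pid, then the password-auth result line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2021):
    """Return a dict for a password-auth line, or None for any other line.
    Syslog timestamps carry no year, so one is assumed (2021 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: summary} for sources with >= threshold failures inside
    any window_seconds-long window. Sources failing slowly enough to stay
    under the threshold are never flagged, so tune both values together."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> distinct usernames tried
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            users[ip].add(ev["user"])
            q = recent[ip]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {
                    "first_flagged": ev["ts"],
                    "failures_in_window": len(q),
                    "success_after_failures": False,
                }
        elif ip in flagged:
            # A successful login from an already-flagged source is the
            # case an analyst most wants surfaced.
            flagged[ip]["success_after_failures"] = True
    for ip, summary in flagged.items():
        summary["distinct_users"] = len(users[ip])
    return flagged


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, summary in run_demo().items():
        print(ip, summary)
```

The sliding window is what separates a guessing bot from a user who mistypes a password a couple of times: in the sample, the source trying five different usernames within six seconds is flagged and marked as having logged in afterwards, while the two-typo user and the slow, once-every-two-minutes guesser are not. Tools such as fail2ban implement the same idea against live logs; the rate-limit values here are illustrative, not tuned recommendations.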



Andrew Nail

Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.

