News

Attackers usually don`t brute-force long passwords

Microsoft’s network of honeypot servers data showed that very few attacks targeted long and complex credentials. Instead, they primarily focus on short passwords. Ross Bevington, a security researcher at Microsoft, analyzed the credentials entered from over 25 million brute-force attacks against SSH. This is around 30 days of data in Microsoft’s sensor network.

Passwords of over 10 characters saw only 6% of attack cases

“77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases,” said Bevington.

Also according to him only 7% of the brute-force attempts targeted passwords with a special character. In 39% of cases, passwords had at least one number. And there were no attacks involved with the white space passwords. Bevington as an addition provided statistics on brute-force attacks. And it shows that more than 14 billion brute-force attacks were attempted against Microsoft’s network of honeypot servers (a sensor network). That`s including attacks on Remote Desktop Protocol (RDP) servers until September this year have tripled compared to 325%.

Docker and Kubernetes systems share a 110% increase in attacks and Network printing services also saw an increase of 178%. Bevington added in regard to stats that numbers on SSH & VNC are just as bad. And they just haven’t changed that much since last year.

It’s evident that longer passwords that consist of special characters are most likely safe from the wide number of brute-force attacks. But of course it is as long as they didn’t end up at attackers’ brute-forcing dictionaries or have not been leaked online.

One of cracking passwords tool Hashcat

The Microsoft manager advised to use strong passwords, managed identity, and MFA if you open yours to the Internet. Because attackers will go after any brute forcible remote admin protocol. By default solutions like RDP are turned off but if you decide to turn them on, don’t put stuff straight on the Internet.

What does brute-force mean?

A brute-force attack is quite a popular password cracking method that means an attacker will try to guess password and username to get unauthorized access to a system, to say it short. This particular method of attack has a high success rate and accounts for five percent of confirmed security breaches.

Some attackers may still perform the brute-force manually but in most cases, it`s bots who do this job. They will go through the list of real or just common credentials and try to use them to notify an attacker if access is gained. The motivation behind brute force may include infecting sites with malware, disrupting service, or stealing information. Whatever the attacker plans it’s always better to prevent such incidents and to do so just use complex and long passwords that will surely keep you safe.


Read Ukrainian

Andrew Nail

Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.

Recent Posts

Remove Chernars.com Pop-up Ads

About Chernars.com Chernars.com pop-ups can not open out of nowhere. If you have actually clicked…

14 hours ago

Remove Eclipse-adblocker.pro Pop-up Ads

About Eclipse-adblocker.pro Eclipse-adblocker.pro pop-ups can not open out of nowhere. If you have actually clicked…

14 hours ago

Remove Initiateadvancedcompletelythe-file.top Pop-up Ads

About Initiateadvancedcompletelythe-file.top Initiateadvancedcompletelythe-file.top pop-ups can not open out of nowhere. If you have actually clicked…

14 hours ago

Remove Pbmsoultions.com Pop-up Ads

About Pbmsoultions.com Pbmsoultions.com pop-ups can not launch out of the blue. If you have actually…

3 days ago

Remove Prizestash.com Pop-up Ads

About Prizestash.com Prizestash.com pop-ups can not expose out of the blue. If you have actually…

3 days ago

Remove Verifiedbreaking.com Pop-up Ads

About Verifiedbreaking.com Verifiedbreaking.com pop-ups can not launch out of nowhere. If you have actually clicked…

3 days ago