Feeds

back to article MS honeypot research sheds light on brute-force hacks

Microsoft's honeypot-based research has highlighted common password mistakes, as well as shedding light on automated hacking techniques. Attack data collected from an FTP-server honeypot revealed that most attacks attempted to log into administrator accounts (Administrator and the French equivalent Administrateur were by far the …

COMMENTS

This topic is closed for new posts.

This post has been deleted by a moderator

Anonymous Coward

#!comment: ?

password, 123456, changeme and Fuckyou I all get. But where does "#!comment:" stem from?

1
0
FAIL

Re: #!comment:

Obviously many attackers are using a well known password.lst file as the basis of their attacks.

This file starts:

#!comment: This list has been compiled by Solar Designer of Openwall Project,

#!comment: http://www.openwall.com/wordlists/

#!comment:

#!comment: This is a list of passwords most commonly seen on a set of Unix

#!comment: systems in mid-1990's, sorted for decreasing number of occurrences

#!comment: (that is, more common passwords are listed first).

#!comment:

#!comment: Last update: 2005/12/16 (3107 entries)

or similar, then has a list of passwords.

So I think that there may be a certain amount of "parsing fail" on the part of the attackers, they're treating the comment lines at the top of the file as entries and using them as the basis for break-in attempts in addition to the proper entries in the file.

2
0
Thumb Up

Bonnet network?

Is this a new trend?

A line of servers wearing knitted hats?

Soooo cute!

0
0
FAIL

How DARE you take advantage of MY blithering idiot!

"A password-checking tool developed by Microsoft (here) allows users to check on the strength of the passwords they pick"

Try as I might, I could not bring myself to type a real password into the box. The more I thought about it, the more it felt like some kind of gullibility test.

'Microsoft found that 90% of users entered a valid password on their password checking page without even attempting to negotiate some sort of chocolate reward. "What a bunch of numpties" commented a despairing Bill Gates.'

2
0
Thumb Up

My favourite

Since I have to issue a lot of passwords to others on a daily basis I use pwgen for firefox.

https://addons.mozilla.org/en-US/firefox/addon/12441

0
0
Thumb Up

use pass phrase

instead of using passwords that are one word you should use pass phrases like "ilovetoeat" upper and lower i think help the most but just to get length they usually haven't computed hash for passwords that long and brute-force would take forever

0
0
Thumb Down

Wow

It took them 1 year to come to this? I have some very innocent server sitting at home and can get to those conclusions in a week. Actually not anymore as fail2ban is doing very good job nowadays ;)

Have a server online - have tons of attacks. Simple as that. Strong passwords should be a norm, unless you're US Military and want to invite some UFO seeking guys ;) Banning users after few unsuccessful attack also. Port stealthing, and so on. Any admin worth their pay knows this. Sadly not many MCSEs... (yeah, I'm one, still prefer Linux)

1
0
Silver badge
Go

No title is required

#!/usr/bin/perl

# Read number of characters to output from command line

$num = $ARGV[0]*1;

@chars = qw(0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z);

# We select chars from "@chars", thus one selection corresponds to:

{

my $bits = log(@chars)/log(2)*$num;

my $byte = $bits/8;

print "Outputting $num chars, which corresponds to $byte byte\n";

}

# Open /dev/random and read stuff

open(RAND,"</dev/random") or die "Could not open /dev/random for reading: $!";

$max = @chars;

{

use bytes;

for ($i=0;$i<$num;) {

my $read = sysread(RAND,$raw,1);

if ($read != 1) {

die "Got stop\n"

}

else {

$x = ord($raw);

if (0<=$x && $x<$max) {

print "$chars[$x]";

$i++;

}

}

}

}

print "\n";

0
0
Silver badge

Nice but .....

Where's your -w and your use strict; ?

1
0
Anonymous Coward

Or: head -c 6 /dev/urandom | uuencode -m -

Or: perl -we 'open(D,"<:raw", "/dev/urandom"); foreach (1..8) { do { read(D, $c, 1); } until ($c =~ /[a-z0-9]/i); print $c; } print "\n";'

Generally you're better off using /dev/urandom than /dev/random: it's not genuinely random, but it's cryptographically as strong as lots of other maths you already depend on, and it won't block.

By the way, is there any point to this advice about mixing upper and lower case? Even if you use a totally random mixture of cases in an 8-character password you've added less entropy then you'd get by adding a couple of random extra letters, but the extra letters would be easier to remember and easier to type. So perhaps, if you're using a randomly generated password, you should use just lower-case letters and make the password a bit longer, say 11 characters instead of 8.

1
0
FAIL

ms password checking tool.

I generated a bunch of random decimal numbers of lengths from 200 to 3600 digits, and asked it what it thought of them. It rated them all as 'weak'.

If microsoft believe a 3600-digit decimal number is easily guessable, that could explain why we have to buy new bloody computers every ten bleeding minutes to keep up with the exponentially-growing amount of crappy bloatware in their products. I can imagine the reasoning on their dev teams:

"Include a pre-startup process that solves the halting problem? Sure, why not, the suckers will just think it's time they got a faster cpu yet again. We'll slap a sticker on it and call it 'NP-ready' or something - leave marketing to worry about the details."

0
0
Silver badge

Weak password policy

Many organisations almost insist on weak passwords: by irrational devotion to password expiry, which has to be one of the most overrated security policies. The more important you are 'technically', the more passwords you have to remember. And quite often the IT support services will give the same person the same username on different environments, meaning that using similar passwords is more risky. Add a frequent expiry policy and you have a recipe for disaster: either passwords get too simple, or they get stored.

Can we have a campaign to bury password expiry please?

5
0
FAIL

Weak^H^H^H^Hpassword policy

Equally as awful is an overly descriptive password policy coupled to this.

One I saw stated that your pwd had to be at least eight chars including both upper and lower case and at least one number.

I pointed out that my guess, as it was a mixed "green screen" UNIX and PC environment, would be that 99% of them would be a dictionary word of seven letters with the first capitalised and either a "1" or a "0" on the end. The number of red faces amongst the sekkuritty dweebs round the table when I came up with that statement was very scary indeed.

0
0

I hate that too.

Personally, I take advantage of my admin rights to reset my passwords to the same thing before they expire -- then think of a better password at my own leisure.

I take issue with the "you must never make a note of your password" type "rules" -- it's perfectly OK to make a note of passwords -- just guard them the same way you would your credit card, cheque book, or keys.

Personally, I make a note of my (non-banking) passwords and store it in my wallet (without usernames or any explanation of what they are) -- that way if my wallet goes missing I can just reset my passwords while I'm on the phone to the credit card company.

0
0
FAIL

organisations almost insist on weak password

"organisations almost insist on weak password"

Barclays certainly does. For *online banking* : http://www.rachaelandtom.info/gallery/v/falken-random/fail/broken8e.png.html?g2_imageViewsIndex=1

0
0
Bronze badge
FAIL

MS password checker - lol

"sajjemmqvhhtnnviiantpwazzkabqweitn" is rated as weak

"password1" is rated as medium

"password1$" is rated as strong

5
0
FAIL

Too right.......

I work for a global multi mega corp over here in the UK and recently the Password policy for the intranet was beefed up (we still use IE6 on XP!) so I tried to set my new password to something along the lines of this:

six letter word spelled backwards _ number number

OK, so it wouldnt accept that regDab_36 was a strong enough password so I tried several other six and even seven letter words, varied the upper and lower case, special characters and numbers and I couldnt get anything to work. I then tried Pa$$word for a laugh................

Now when this got accepted (with a "Strong" in the password strength display) I couldnt beleive it so I actually contacted the Intranet security team and told them. Their response? Because the dictionary word was broken in the middle with special characters it was essentially a strong password. I asked them if they read any articles on hacking because I beleived that Password and variants (pa$$word, p@ssword, pas$w0rd) etc would be up in maybe the top 10 to 20 things to try but they told me that no, my password was good and secure!

I have to change it again this month, I wonder if I could use Pa££word for the next three months?

Anon because I dont want any crims breaking into my company intranet!

0
0

Re: Too right.......

If you use £ or anything else which is found in an 8-bit character set but not in ASCII, be certain that the same encoding is used wherever you need to enter the password which contains that…

0
0
Black Helicopters

Black Hats

"bonnet networks of compromised Windows PCs"

The hats are after us !!

0
0
FAIL

Test your password here....

...so I can add it to my dictionary!

0
0
Stop

Reg honestly... use the https link please

https://www.microsoft.com/protect/fraud/passwords/checker.aspx

Works just as well me thinks and has a little hint more of not being read in clear text...

SecurityBrad.com

0
0
FAIL

Gee, what an INTERESTING idea...

So let me get this straight -- Microsoft, in an effort to make my passwords more secure, is offering a tool for testing candidate passwords that is basically A WEB PAGE??? This is a Very Bad Idea for so many reasons, it's impossible to list them all. Just a few that occur to my paranoid brain right away:

1) Does the tool send my password over the 'Net to check it? Is it even encrypted? (The site isn't even https://...) What IS the tool, really? Can we audit its source? Can we trust it?

2) How do I know WHAT they're doing with my proposed passwords? If they store them, even anonymized for statistical purposes, their tools site (hosted, no doubt, on Windows, the world's most secure OS <snort>) just became Cracker Target Number One, as a gold mine of new dictionary entries for attack tools. (Hey, mebbe that's why MS built it to start with, to generate new strength-testing dictionaries.)

3) Let's say some evil genius manages to crack their server and edits the tool to report who has tested what passwords. We'll never know until/unless someone gets pwned because of this, traces it to the altered tool, and does a forensic analysis of the tool itself. In other words, we'd probably never find out.

Yep, sounds like a really good idea to me. I can't wait to test ALL my passwords with it. NOT!

0
1
Bronze badge

Uhh, No.

It clearly says on that page that it send your password over the internet. It's just a JavaScript app, you can read the whole thing here if you like:

https://www.microsoft.com/protect/assets/scripts/passwdcheck.js

I was surprised to see it does actually have a small dictionary built in, because it seemed like it was going by character composition almost exclusively.

0
0
WTF?

Nice effort, still a fail

I like the effort they are putting forth, but even their password check website is not secure(No SSL). Nothing like having someone sitting on the wire while you hand out your password in clear text...

Happy Happy.....

Maybe I'm being too paranoid....

0
0
Silver badge
FAIL

A password-checking tool developed by Microsoft

Pa$$w0rd is a strong password?

1
0
Silver badge
FAIL

Big fail

I've just followed the create a strong password link on the MS page and about two thirds of the way down it states

-----

Avoid using only look-alike substitutions of numbers or symbols

Criminals will not be fooled by common look-alike replacements, such as to replace an 'i' with a '1' or an 'a' with '@' as in "M1cr0$0ft" or "P@ssw0rd".

-----

Both of which are rated as strong by their password checker.

1
0
Bronze badge
FAIL

kinda funny really...

That their honeypot is being attacked by WIndows bot-net pcs... HA HA HA HA

2
0
Anonymous Coward

@theodore

maybe you want to find what a honeypot is.

It's desgined to attract compromised pc's. A/V vendors use them, Anti-malware vendors uses them, MS uses them, and I really hope Linux teams use them.....you'll find Linux based sites are equally attacked by Windows pc's.

Now go back to sleep....

0
2

This post has been deleted by its author

Anonymous Coward

fail

Cat123Cat123Cat123 is uber strong apparantly

1
0

No surprise there

The fundamental problem is that the people defining "password strength" [1] can't do arithmetic and [2] are stuck in the past. They don't understand what contribution symbol space and field size actually make to the equation so they just go for what "looks complicated", and their assumptions about brute forcing are based on decades-old histories of offline cracking of UNIX password files, which is not the main current threat.

The two greatest single strength factors against brute force at a user interface are limited retries and backoff time. After that, non-obvious password choice (e.g. not "password"). I always recommend an acronym of a private but memorable phrase at least eight words long. The user doesn't have to remember a complex string of arbitrary characters (something our brains are generally bad at). Instead she remembers the phrase (something our brains are quite good at) and reconstructs the password each time she needs it by repeating the phrase to herself as she enters the password.

Assuming nothing but lower case letters, that yields roughly 2x10^11 (2 followed by eleven zeros) possible passwords, and the vast majority will not be dictionary words (unless you intentionally choose a phrase that has a dictionary word as an acronym). So let's arbitrarily and pessimistically throw away half of them to allow for bad choices. It's still 10^11. So statistically a brute forcer will need to make around 5x10^10 attempts. Limit the login interface to three failed attempts per, say, 15 minute interval or 12 per hour, and it will take about 490 thousand years on average to break in. By then you should have had some kind of admin alert from the system.

2
1
Badgers

Should have

but not if you're Twitter.

0
0
Alert

The author has missed a gift by Microsoft

If you type in #!comment: into Microsoft's password checker it declares it "medium strength"

How could the author have overlooked Microsoft being so dumb as to not include their own list of the 5 most unsafe passwords on their own password checker!!! It's a gift.

2
0
Bronze badge
WTF?

Insecure facilities

Using insecure facilities to test passwords, WTH?

Do MS give a damn at all? I'd be a little more convinced if a) altering a password by adding one digit did not have such a significant effect on the test result (as already observed) and b) they cared enough to use https.

Disappointed, very, I am, Yoda.

0
0
Pint

Easier Strong Passwords

Posted Friday 4th December 2009 09:50 GMT

Many sites restrict their passwords to 6 or 8 letters and digits which means you can never be secure there, so beware.

Often recommendations suggest gobbledygook such asg$@hj48(tHy^. These are hard to remember, and may also be subject to bias in choosing patterns on the keyboard - yes crackers do look for such patterns. Note, also, that a determined cracker with enough computing power can crack *any* password - we can only try our best.

Here are illustrative strong(ish) passwords. I leave it up yo you to discover how each construction may be remembered

la1-di2-da3!

!sho-@meh-#ow$

hum+pty)dum(pty*

line=egbdf&space=face

deli-cat-ess-en

Make your own. It's not that hard.

The Password Strength Meter may help. It failed some of the above :{

http://www.passwordmeter.com/

0
0

This post has been deleted by its author

This post has been deleted by a moderator

Please don't tell us when you delete posts, I _really_ want to know what they said that was so bad now... :)

0
0
Badgers

send me

Your password and login details and I will check them for a small fee.

Then I will sell them on.

As for bonnet networks.. are they black or white hats?

0
0
Silver badge
FAIL

MS definition of best password

Select at least three of the following

uppercase, lowercase, numerics, other characters

Use at least one from each group to make a fourteen character password, eg

Qw111111111111

Eight characer passwords are considered strong, eg Qw111111, which includes Pa$$w0rd mentioned previously.

0
0
Happy

Good password tool

XYZZY makes "pronouncable passwords", which are much easier to type than random gobbledygook. It is thus easy to create and type 10 or even 12-character passwords.

e.g:

litfulportne

phreplewaint

cordantishus

Get it from http://www.brothersoft.com/xyzzy-for-windows-download-90643.html

The original Haxial.com link no longer works.

0
0
(Written by Reg staff)

deleted

It should keep you on your toes.

1
0
FAIL

Another MS Fail!

I work for an IT firm who do an awful of pen-testing for our customers and recently we ran an off the shelf password cracking tools on our own network. I'd love to say we passed muster but the fella who left the scan running overnight, expecting it to take days found it had discoverd over 50% of our users' passwords about 15 hours!!

According to him and other flokes I've spoken to your password's not secure unless it's 14 characters or more and is not one or more dictionary words, and that includes special character substitution e.g. S - $, a - @, i - 1 etc. It's dead easy to find a tool that runs a dictionary attack, then runs it again substituting 1's for i's 0's for o's etc.

The most frustrating thing is the limit for my online banking is 12 characters, none special and then MS failing to preach the proper mantra, built from scratch with security in mind my a**e!!!

0
0
FAIL

Stron passwords

The problem with strong passwords is that you inevitably have to store them somewhere, especially if you have to have a different password for every application and even more so if you are forced to change your password every 45 days or so. So of course you keep all your passwords in some highly insecure file somewhere!

When I worked for a large mega-corp (that's since dwindled away to nothing) the password checker banned any password containing a "dictionary word". The dictionary must have contained words I never heard of, but missed out common English words where the American speling was different! The big problem with this strategy is that if you can identify the dictionary words it dramatically cuts down the number of combinations you need to try in a brute force attack.

0
0
Thumb Up

I tend to use phrases

with random capitalizations and number substitutions...

Although they can be quite long (>14 chars), they are easy to remember, and even with 3 monthly expiry, the same phrase can be used for a year at least just by changing which characters are capitalized / substituted.

0
0
Gold badge
Stop

forgive my ignorance

The 3 strikes and your blocked rule works pretty well for signing onto corporate IT servers.

I know that each bot in a botnet will have a seperate (spoofed ?) IP address but do they normaly spread their attemps out so much that each attempt will lok like a "first" attempt?

Also this behaviour seems a lot like a DDoS attack. Would the measures taken to counter one of those work quite well here?

I guess the long term solution would be to figure out which is the most commonly compromised computer type by OS and tighten up it its OS security. That would free up (IMHO ) a *lot* of bandwidth.

Does anyone know which OS that would be?

0
0
This topic is closed for new posts.