Remote Password Guessing - Follow-up - SANS Internet Storm Center

Remote Password Guessing - Follow-up
We received several responses to the earlier diary about remote password guessing. Melvin Klassen highlighted an important technique for mitigating the risks of remote password guessing: monitoring the logs on servers that authenticate users, such as POP, FTP, IMAP, web mail, telnet, and SSH. Melvin suggested counting the number of failed logon attempts and the number of logon attempts per source IP address, so that you can look for spikes and trends that may signal an attack. Gabriel Friedmann and Mark Senior reminded us of the large-scale phishing attack on MySpace, which allowed researchers to analyze password usage patterns. According to several reports (see 1, 2, 3), the most common passwords included: password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, monkey, cookie123, iloveyou, miss4you, password19, clumsy, sassy, pablobob, mobbie, fuckyou1, tink69, gospel, terrete, monster7, marlboro1, bitch1, flower Daniel Cid told us about an SSH honeypot he set up to monitor SSH brute force attempts and record the passwords used by them. The passwords he observed included: 1qaz2wsx, 1q2w3e4r5t6y, 1qaz2wsx3edc4rfv, qazwsxedcrfv, michael, work, maggie, print, 123456, internet, mobile, windows, superman, 1q2w3e4r, network, system, 123qwe, manager, querty, www, coder, 123123, 1234567890, info, tony, bill, flowers Nathaniel Hall described a system he uses to crack local password hashes using John the Ripper. The examples of common passwords that he encountered include: Cobra1, Dragon1, Travis1, Ferry1, Password8, Ynattirb1, Iloveyou5 Thanks to everyone who wrote in. -- Lenny Lenny Zeltser ISC Handler on Duty www.zeltser.com	Lenny 216 Posts Aug 1st 2007
Thread locked Subscribe	Aug 1st 2007 1 decade ago