We're still terrible at passwords

A new research report suggests that attackers are taking advantage of weak password management to gain access to corporate systems via two of the most popular protocols used for remote administration — Secure Shell (SSH) and Remote Desktop (RDP).

The ‘Good Passwords for Bad Bots’ report released by Rapid7 has found that general password health is poor, allowing would-be attackers to access online accounts and corporate networks.

With the increasing adoption of both remote work and cloud infrastructures, the number of people accessing corporate information systems across the internet has skyrocketed. Many of these systems leverage RDP and SSH for interaction and management. As a result, the ‘walled garden’ approach that once allowed companies to secure their perimeters and force employees to work only on corporate networks has faded, and the number of untrusted networks they use to connect from has jumped.

The report is part of Rapid7’s series of research papers that analyse attacker behaviour in a risk-free environment, with the findings shared to help prepare organisations for the types of cyber attacks they can expect to encounter.

“What we found in this research in many ways confirmed our assumptions that attackers aren’t ‘cracking’ passwords on the internet and that, despite the much-publicised risks and threats, we still collectively stink at password management,” said Tod Beardsley, Director of Research at Rapid7.

For this report, Rapid7 used its network of a few hundred honeypots to monitor SSH and RDP login attempts. After looking at authentication attempts (as opposed to vulnerability exploit attempts, low-touch scans, etc), Rapid7 found 512,002 unique passwords were attempted to be used by attackers. From here, the researchers turned to the rockyou2021.txt list to determine how many of those passwords existed in this industry-standard list of exposed passwords.

“Prepare to be shocked: nearly all of them were,” Beardsley said.

“In fact, we found that just 14 of the passwords being brute-forced into our honeypots were not part of the rockyou2021.txt file, and we think those were likely errors as they included a string of the honeypots’ IP addresses in them.”

There are approximately 8.4 billion passwords on the rockyou2021.txt file and Rapid7 found less than half a million in its honeypots. Rapid7 says what’s more likely to happen is attackers still rely on the human connection to security infrastructure, which is notoriously one of the weakest links in the chain.

“Social engineering tactics, like phishing for passwords and credential stuffing, are still stronger ways for attackers to gain access to passwords than cracking them automatically,” said Erick Galinkin, Principal Artificial Intelligence Researcher at Rapid7.

“What this tells us in practicality is that it’s not terribly hard to avoid this class of attack. In fact, some of the most attacked credentials were ones that should make any internet-literate person facepalm hard.”

Rapid7 found the three most popular usernames for RDP were ‘administrator’, ‘user’ and ‘admin’, and the three most common passwords were ‘root’, ‘admin’ and ‘nproc’.

“We’re simply not doing well enough with our passwords, and it just doesn’t need to be that way in this day and age,” Galinkin said.

“It’s not hard to beat this kind of attack and you don’t even have to have a particularly strong password in order to protect yourself; just one with randomness in it, such as a few arbitrary characters.”

The company suggests not reusing a password for multiple logins and to avoid default passwords. The company says all of these problems would be covered by the use of password manager services, which create unique, random passwords for users.

“These services are a strong but sadly underutilised way to have good credential hygiene,” Galinkin said.

The report can be downloaded here.

Image credit: iStock.com/designer491