[TheRecord] Attackers don’t bother brute-forcing long passwords, Microsoft engineer says

According to data collected by Microsoft's network of honeypot servers, brute-force attackers mostly try to guess short passwords; very few attempts target credentials that are long or contain complex characters.

“I analysed the credentials entered from over >25 million brute force attacks against SSH. This is around 30 days of data in Microsoft’s sensor network,” said Ross Bevington, a security researcher at Microsoft.

“77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases,” said Bevington, who works as Head of Deception at Microsoft, a position in which he’s tasked with creating legitimate-looking honeypot systems in order to study attacker trends.

Image: Ross Bevington

Bevington says that only 7% of the brute-force attempts he analyzed in the sample data included a special character. In addition, 39% actually had at least one number, and none of the brute-force attempts used passwords that included white space.

The researcher's findings suggest that longer passwords that include special characters are most likely safe from the vast majority of brute-force attacks, as long as they haven't been leaked online and added to attackers' brute-forcing dictionaries.
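The kind of tally Bevington describes (share of guesses by length, with special characters, digits or whitespace) is easy to reproduce over your own honeypot or failed-login records. The following is an added example, not Microsoft's tooling; it assumes a constructed log format of one attempt per line, `<timestamp> <src_ip> <username> <password>`, with the password taken as everything after the third field so that guesses containing spaces are counted correctly.

```python
"""Summarise traits of guessed passwords from honeypot login attempts.

Added example; the log format and sample lines are constructed, not real data.
"""
import string
from collections import Counter

SPECIAL = set(string.punctuation)

# Constructed sample of SSH honeypot login attempts (not real traffic).
SAMPLE_LOG = """\
2021-10-01T00:00:01Z 203.0.113.5 root 123456
2021-10-01T00:00:02Z 203.0.113.5 root admin
2021-10-01T00:00:03Z 203.0.113.9 admin password1
2021-10-01T00:00:04Z 198.51.100.7 pi raspberry
2021-10-01T00:00:05Z 198.51.100.7 root P@ssw0rd!
2021-10-01T00:00:06Z 203.0.113.21 ubuntu correct horse battery
2021-10-01T00:00:07Z 203.0.113.21 root 1234
2021-10-01T00:00:08Z 203.0.113.21 test qwertyuiopasdfgh
"""


def parse_attempts(log_text):
    """Yield (username, password) pairs; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split(" ", 3)  # password keeps any embedded spaces
        if len(parts) < 4:
            continue
        yield parts[2], parts[3]


def credential_stats(log_text):
    """Return the percentage of attempts showing each trait from the article
    (1-7 chars, over 10 chars, special char, digit, whitespace) plus a
    length histogram. Empty input returns an empty dict."""
    passwords = [pw for _, pw in parse_attempts(log_text)]
    n = len(passwords)
    if n == 0:
        return {}
    counts = {
        "len_1_to_7": sum(1 <= len(p) <= 7 for p in passwords),
        "len_over_10": sum(len(p) > 10 for p in passwords),
        "has_special": sum(any(c in SPECIAL for c in p) for p in passwords),
        "has_digit": sum(any(c.isdigit() for c in p) for p in passwords),
        "has_space": sum(any(c.isspace() for c in p) for p in passwords),
    }
    stats = {k: round(100.0 * v / n, 1) for k, v in counts.items()}
    stats["attempts"] = n
    stats["length_histogram"] = dict(Counter(len(p) for p in passwords))
    return stats
```

Feeding a month of real attempts through `credential_stats` gives a direct comparison against the 77% / 6% / 7% / 39% figures above, which is useful for deciding whether a minimum-length policy alone would defeat what your sensors actually see.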

RDP brute-force attacks tripled this year

In addition, Bevington said that based on data from more than 14 billion brute-force attacks attempted against Microsoft's network of honeypot servers —also known as a sensor network— through September this year, attacks on Remote Desktop Protocol (RDP) servers have tripled compared to 2020, a rise of 325%.

Attacks on network printing services rose 178%, and attacks on Docker and Kubernetes systems rose 110%.

“Stats on SSH & VNC are just as bad – they just haven't changed that much since last year,” Bevington said.

“By default, solutions like RDP are turned off, but if you decide to turn them on, don't put stuff straight on the Internet. Remember that attackers will go after any brute-forcible remote admin protocol. If you must have yours accessible on the Internet, use strong passwords, managed identity, MFA,” the Microsoft manager said.

The post Attackers don’t bother brute-forcing long passwords, Microsoft engineer says appeared first on The Record by Recorded Future.

