Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Remote Password Guessing - Follow-up InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Remote Password Guessing - Follow-up

Published: 2007-08-01
Last Updated: 2007-08-02 01:18:13 UTC
by Lenny Zeltser (Version: 2)
0 comment(s)

We received several responses to the earlier diary about remote password guessing.

Melvin Klassen highlighted an important technique for mitigating the risks of remote password guessing: monitoring the logs on servers that authenticate users, such as POP, FTP, IMAP, web mail, telnet, and SSH. Melvin suggested counting the number of failed logon attempts and the number of logon attempts per source IP address, so that you can look for spikes and trends that may signal an attack.

Gabriel Friedmann and Mark Senior reminded us of the large-scale phishing attack on MySpace, which allowed researchers to analyze password usage patterns. According to several reports (see 1, 2, 3), the most common passwords included:

password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, monkey, cookie123, iloveyou, miss4you, password19, clumsy, sassy, pablobob, mobbie, fuckyou1, tink69, gospel, terrete, monster7, marlboro1, bitch1, flower

Daniel Cid told us about an SSH honeypot he set up to monitor SSH brute force attempts and record the passwords used by them. The passwords he observed included:

1qaz2wsx, 1q2w3e4r5t6y, 1qaz2wsx3edc4rfv, qazwsxedcrfv, michael, work, maggie, print, 123456, internet, mobile, windows, superman, 1q2w3e4r, network, system, 123qwe, manager, querty, www, coder, 123123, 1234567890, info, tony, bill, flowers

Nathaniel Hall described his process of cracking local LDAP password hashes using John the Ripper, through which he identified the following common passwords:

Cobra1, Dragon1, Travis1, Ferry1, Password8, Ynattirb1, Iloveyou5

Paul Dabrowski pointed out the importance of validating a user's secret question answers to ensure they don't include the actual password. He emphasized that "in addition to dictionary checks that some services make against submitted passwords, the password hint should be compared to the submitted password to plug up that little hole."

Thanks to everyone who wrote in.

-- Lenny

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com

Keywords:
0 comment(s)
Diary Archives