{"id":5724,"date":"2014-06-12T10:00:01","date_gmt":"2014-06-12T14:00:01","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=5724"},"modified":"2014-06-12T10:00:01","modified_gmt":"2014-06-12T14:00:01","slug":"its-official-malicious-hackers-have-crappy-password-hygiene-too","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/12\/its-official-malicious-hackers-have-crappy-password-hygiene-too\/","title":{"rendered":"It\u2019s official: Malicious hackers have crappy password hygiene, too"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2014\/06\/its-official-malicious-hackers-have-crappy-password-hygiene-too\/\"><img data-recalc-dims=\"1\" height=\"480\" width=\"640\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/06\/sewer-640x480.jpg?resize=640%2C480\" alt=\"\" \/><\/a><\/p>\n<p>Given the amount of time malicious hackers spend bypassing other people&#8217;s security, you might think that they pay close attention to locking down their own digital fortresses. It turns out that many of them don&#8217;t, according to a recent blog post documenting some of their sloppiest password hygiene.<\/p>\n<p>The post comes from Anton\u00edn H\u00fd\u017ea, a researcher at antivirus provider Avast. As he was working to analyze a protected PHP shell, he got to wondering how strong the average hacker password was. He then tapped 40,000 samples of backdoors, bots, and shells his company had on hand. Remarkably, 1,255 of the underlying passwords were in plaintext, while another 346 were protected with the easily crackable MD5 hashing algorithm. 
The resulting 1,601 passwords he had to work with allowed him to see just how poor the bottom four percent of hackers&#8217; passwords were.<\/p>\n<p>The fact that slightly more than three percent of the sample was in the clear was the first sign of just how sloppy some of the criminals Avast tracks are when it comes to password hygiene. These passwords can likely be obtained simply by viewing the scripts of programming languages, or in the case of binary code, by loading them into a hex viewer. As a result, a password with 75 characters, as one hacker set, or the passcode &#8220;lol dont try cracking 12 char+&#8221; (minus the quotes) chosen by another were easily recovered despite the work that went into trying to make them strong. The lack of any one-way hashing algorithm to obscure the passcodes makes one wonder why the authors bothered at all.<\/p>\n<p>This table shows that the average password length was just six characters. Only 52 passwords had a length exceeding 12 characters.<\/p>\n<p>Then there were the passwords themselves. The average length was just six characters, short enough to be brute-force cracked in a matter of minutes in most cases. The passwords also contained a relatively small number of upper-case letters, numbers, and special characters. By sticking mostly to predictable lower-case letters, the hackers significantly reduced the &#8220;key space&#8221; required to carry out brute-force attacks. That plays to the favor of crackers, since small key spaces take much less time to exhaust. By using a more diverse set of characters to create passwords, key spaces become orders of magnitude larger, a dynamic that can quickly make brute-force cracking unfeasible. Based on a statistical analysis of the recovered passwords, H\u00fd\u017ea constructed two character sets that stood the best chance of quickly cracking the remaining undeciphered passcodes. 
The shorter of the two contained just 28 characters: acdehiklmnorstu01234579!-.@_<\/p>\n<p>Besides a lack of character diversity, password choices were marred by the same cast of horrible words found in just about every cracked database.<\/p>\n<p>&#8220;There [were] a lot of variations of the word pass and root and also hax was used many times, but if I omit one common 4-letter word, the most frequently used word in this dictionary is hack,&#8221; H\u00fd\u017ea wrote. &#8220;It is worth mentioning that many PHP shells I analysed had only default passwords like r57, c99, password or yourpass.&#8221;<\/p>\n<p>Ars has spent more than two years chronicling the password follies of end users and Web services alike. While the methodology in H\u00fd\u017ea&#8217;s analysis focused only on the lowliest dregs of criminals&#8217; passwords, it&#8217;s vaguely comforting to know that this group, too, struggles to pick strong passcodes.<\/p>\n<p>via <a href=\"http:\/\/arstechnica.com\/security\/2014\/06\/its-official-malicious-hackers-have-crappy-password-hygiene-too\/\" target=\"_blank\">It\u2019s official: Malicious hackers have crappy password hygiene, too | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Given the amount of time malicious hackers spend bypassing other people&#8217;s security, you might think that they pay close attention 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7,10],"tags":[455,797,950],"class_list":["post-5724","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-hacking","tag-passwords","tag-security-2"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1uk","jetpack-related-posts":[{"id":9450,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/20\/are-passwords-immortal-security-now-690\/","url_meta":{"origin":5724,"position":0},"title":"Are Passwords Immortal? &#8211; Security Now 690","author":"NCCT","date":"November 20, 2018","format":false,"excerpt":"https:\/\/youtu.be\/mOSTtkK7vy0 Pwn2Own, the Future of Passwords. 
-- All the action at last week's Pwn2Own Mobile hacking contest -- The final word on processor mis-design in the Meltdown\/Spectre era -- A workable solution for unsupported Intel firmware upgrades for hostile environments -- A forthcoming Firefox breach alert feature -- The expected\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/mOSTtkK7vy0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9330,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/04\/03\/security-now-657-protonmail\/","url_meta":{"origin":5724,"position":1},"title":"Security Now 657: ProtonMail","author":"NCCT","date":"April 3, 2018","format":false,"excerpt":"https:\/\/youtu.be\/OeSZg-ph3Ns This week we discuss \"DrupalGeddon2\", Cloudflare's new DNS offering, a reminder about GRC's DNS Benchmark, Microsoft's Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, Free electricity, a policy change at\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/OeSZg-ph3Ns\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9511,"url":"https:\/\/nccomputertech.com\/techtalk\/2019\/01\/22\/millsplain-it-to-me-this-week-in-tech-702\/","url_meta":{"origin":5724,"position":2},"title":"Millsplain It to Me &#8211; This Week in Tech 702","author":"NCCT","date":"January 22, 2019","format":false,"excerpt":"https:\/\/youtu.be\/EtTfFJVBZ6s -Apple's Tim Cook Calls for Data Privacy. -773M Passwords Pwned - How to Find Out If Yours Was. -Amazon Tries to Make Alexa Sound \"Newsy.\" -Google Buys Fossil. 
-74% of Facebook Users are Clueless. -Facebook's 10 Year Challenge. -Atari Founder Making Alexa Board Games. -Stop Using Windows Phone! -Tokyo\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/EtTfFJVBZ6s\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9405,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/10\/07\/odorless-and-weightless-hackers-this-week-in-tech-687\/","url_meta":{"origin":5724,"position":3},"title":"Odorless and Weightless Hackers &#8211; This Week in Tech 687","author":"NCCT","date":"October 7, 2018","format":false,"excerpt":"https:\/\/youtu.be\/lb4rnqfNdas Chinese Spy Chips, Microsoft Highs and Lows, Pixel 3 Event Predictions, and More! Bloomberg reports that China used tiny chips to spy on Apple, Amazon, and the US government. Apple and Amazon deny it. How do we know who is right? All the news from the Microsoft Surface event,\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/lb4rnqfNdas\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9337,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/05\/06\/this-week-in-tech-665-konnichihuahua\/","url_meta":{"origin":5724,"position":4},"title":"This Week in Tech 665: Konnichihuahua","author":"NCCT","date":"May 6, 2018","format":false,"excerpt":"https:\/\/youtu.be\/DkivlhEOks8 Apple has its best Q2 ever, despite analyst predictions. 20 years of iMac. Cambridge Analytica must give US voter his data. Unroll.me foiled by GDPR. NPR buys PocketCasts. Change your Twitter password. Sprint\/T-Mobile merger. Net Neutrality vote in the Senate May 9th. 
Cyber Command gets a promotion.","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/DkivlhEOks8\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9655,"url":"https:\/\/nccomputertech.com\/techtalk\/2021\/03\/09\/fuquay-varina-and-holly-springs-computer-repair\/","url_meta":{"origin":5724,"position":5},"title":"Fuquay Varina and Holly Springs Computer Repair","author":"NCCT","date":"March 9, 2021","format":false,"excerpt":"Welcome to our blog. NC Computer Tech services Fuquay Varina, Holly Springs, and surrounding NC areas. We offer prompt, professional, courteous service with over twenty years of experience dealing with residential and small business clients offering them solutions and fixing their computer and network issues at reasonable rates. Our services\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5724","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=5724"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5724\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=5724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":
"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=5724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=5724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}