{"id":5724,"date":"2014-06-12T10:00:01","date_gmt":"2014-06-12T14:00:01","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=5724"},"modified":"2014-06-12T10:00:01","modified_gmt":"2014-06-12T14:00:01","slug":"its-official-malicious-hackers-have-crappy-password-hygiene-too","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/12\/its-official-malicious-hackers-have-crappy-password-hygiene-too\/","title":{"rendered":"It\u2019s official: Malicious hackers have crappy password hygiene, too"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2014\/06\/its-official-malicious-hackers-have-crappy-password-hygiene-too\/\"><img data-recalc-dims=\"1\" height=\"480\" width=\"640\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/06\/sewer-640x480.jpg?resize=640%2C480\" alt=\"\" \/><\/a><\/p>\n<p>Given the amount of time malicious hackers spend bypassing other people&#8217;s security, you might think that they pay close attention to locking down their own digital fortresses. It turns out that many of them don&#8217;t, according to a recent blog post documenting some of their sloppiest password hygiene.<\/p>\n<p>The post comes from Anton\u00edn H\u00fd\u017ea, a researcher at antivirus provider Avast. As he was working to analyze a protected PHP shell, he got to wondering how strong the average hacker password was. He then tapped 40,000 samples of backdoors, bots, and shells his company had on hand. Remarkably, 1,255 of the underlying passwords were in plaintext, while another 346 were protected with the easily crackable MD5 hashing algorithm. 
The resulting 1,601 passwords he had to work with allowed him to see just how poor the bottom four percent of hackers&#8217; passwords were.<\/p>\n<p>The fact that slightly more than three percent of the sample was in the clear was the first sign of just how sloppy some of the criminals Avast tracks are when it comes to password hygiene. These passwords can likely be obtained simply by viewing the scripts of programming languages, or in the case of binary code, by loading them into a hex viewer. As a result, a password with 75 characters, as one hacker set, or the passcode &#8220;lol dont try cracking 12 char+&#8221; (minus the quotes) chosen by another were easily recovered despite the work that went into trying to make them strong. The lack of any one-way hashing algorithm to obscure the passcodes makes one wonder why the authors bothered at all.<\/p>\n<p>This table shows that the average password length was just six characters. Only 52 passwords had a length exceeding 12 characters.<\/p>\n<p>Then there were the passwords themselves. The average length was just six characters, short enough to be brute-force cracked in a matter of minutes in most cases. The passwords also contained a relatively small number of upper-case letters, numbers, and special characters. By sticking mostly to predictable lower-case letters, the hackers significantly reduced the &#8220;key space&#8221; required to carry out brute-force attacks. That plays to the favor of crackers, since small key spaces take much less time to exhaust. By using a more diverse set of characters to create passwords, key spaces become orders of magnitude larger, a dynamic that can quickly make brute-force cracking unfeasible. Based on a statistical analysis of the recovered passwords, H\u00fd\u017ea constructed two character sets that stood the best chance of quickly cracking the remaining undeciphered passcodes. 
The shorter of the two contained just 28 characters: acdehiklmnorstu01234579!-.@_<\/p>\n<p>Besides a lack of character diversity, password choices were marred by the same cast of horrible words found in just about every cracked database.<\/p>\n<p>&#8220;There [were] a lot of variations of the word pass and root and also hax was used many times, but if I omit one common 4-letter word, the most frequently used word in this dictionary is hack,&#8221; H\u00fd\u017ea wrote. &#8220;It is worth mentioning that many PHP shells I analysed had only default passwords like r57, c99, password or yourpass.&#8221;<\/p>\n<p>Ars has spent more than two years chronicling the password follies of end users and Web services alike. While the methodology in H\u00fd\u017ea&#8217;s analysis focused only on the lowliest dregs of criminals&#8217; passwords, it&#8217;s vaguely comforting to know that this group, too, struggles to pick strong passcodes.<\/p>\n<p>via <a href=\"http:\/\/arstechnica.com\/security\/2014\/06\/its-official-malicious-hackers-have-crappy-password-hygiene-too\/\" target=\"_blank\">It\u2019s official: Malicious hackers have crappy password hygiene, too | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Given the amount of time malicious hackers spend bypassing other people&#8217;s security, you might think that they pay close attention 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,10],"tags":[455,797,950],"class_list":["post-5724","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-hacking","tag-passwords","tag-security-2"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1uk","jetpack-related-posts":[{"id":9031,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/09\/24\/heres-what-you-should-know-and-do-about-the-yahoo-breach\/","url_meta":{"origin":5724,"position":0},"title":"Here&#8217;s what you should know, and do, about the Yahoo breach","author":"NCCT","date":"September 24, 2016","format":false,"excerpt":"By Lucian Constantin | IDG News Service | PCWorld Yahoo\u2019s announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale\u2014it\u2019s the largest data breach ever\u2014and the potential security implications for users. 
That\u2019s because Yahoo, unlike MySpace, LinkedIn and other online services that\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3166,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/12\/password-thieves-target-blogs-content-management-sites\/","url_meta":{"origin":5724,"position":1},"title":"Password thieves target blogs, content management sites","author":"NCCT","date":"August 12, 2013","format":false,"excerpt":"Brute force attacks to pry login credentials from content management sites like blogs have been growing as more data robbers use a short-term gain for a bigger payoff later on. Such sites are attractive targets because they tend to be less secure than other environments\u2014such as financial services\u2014and since they're\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6128,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/05\/mozilla-warns-of-leaky-developer-network-database\/","url_meta":{"origin":5724,"position":2},"title":"Mozilla warns of leaky developer network database","author":"NCCT","date":"August 5, 2014","format":false,"excerpt":"Mozilla\u2019s website for developers leaked email addresses and encrypted passwords of registered users for about a month due to a database error, the organization said Friday. 
Email addresses for 76,000 Mozilla Development Network (MDN) users were exposed, along with around 4,000 encrypted passwords, wrote Stormy Peters, director of development relations,\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2971,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/07\/17\/tumblr-tells-users-to-change-passwords-patches-security-hole-in-ios-apps\/","url_meta":{"origin":5724,"position":3},"title":"Tumblr tells users to change passwords, patches security hole in iOS apps","author":"NCCT","date":"July 17, 2013","format":false,"excerpt":"Tumblr, the blogging site recently acquired by Yahoo, has released a security update for its iPhone and iPad apps that it said addresses an issue that allowed passwords to be compromised in certain circumstances. Users of the apps have been advised to update their passwords on Tumblr as there is\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5812,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/20\/hackers-target-dominos-pizza-demand-40000-ransom-for-customer-data\/","url_meta":{"origin":5724,"position":4},"title":"Hackers target Domino&#8217;s Pizza, demand $40,000 ransom for customer data","author":"NCCT","date":"June 20, 2014","format":false,"excerpt":"Hackers have targeted Domino's Pizza servers and claim to have downloaded details of over 650,000 customers. The group, calling itself Rex Mundi, has said that unless the company pays up \u20ac30,000 EUR (around $40,600 USD \/ \u00a324,000 GBP) by today, it will publish the full database online. 
The database includes\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8935,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/05\/31\/myspace-hack-puts-at-least-360-million-users-at-risk\/","url_meta":{"origin":5724,"position":5},"title":"Myspace hack puts at least 360 million users at risk","author":"NCCT","date":"May 31, 2016","format":false,"excerpt":"By Shawn Knight | TechSpot Time Inc., which recently acquired pioneering social network Myspace, has confirmed reports that the site was hacked. Like the Tumblr breach that we reported on yesterday, the compromised Myspace data dates back several years. Time said earlier today that it first became aware shortly before\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5724","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=5724"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5724\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=5724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=5724"},{"taxonomy
":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=5724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}