Although passwords are amongst the most important lines of defence against nefarious cyber-attackers seeking access to online accounts or corporate networks, password health continues to be poor, leaving corporate systems vulnerable to opportunistic attackers.
That’s one of the key findings according to a new research report released today by Rapid7, titled ‘Good Passwords for Bad Bots’. Attackers are simply taking advantage of weak password management to gain access to corporate systems via two of the most popular protocols used for remote administration, Secure Shell (SSH) and Remote Desktop (RDP).
With the increasing adoption of both remote work and cloud infrastructures, the number of people accessing corporate information systems across the internet has skyrocketed. Many of these systems leverage RDP and SSH for interaction and management. As a result, the ‘walled garden’ approach that once allowed companies to secure their perimeters and force employees to work only on corporate networks has faded, and the number of untrusted networks they use to connect from has jumped.
This new report is part of Rapid7’s series of research papers that analyse the behaviour of attackers in a risk-free environment in order to study them, with the findings shared to help prepare organisations for the types of cyberattacks they can expect to see in the real world.
“What we found in this research in many ways confirmed our assumptions that attackers aren’t ‘cracking’ passwords on the internet and that despite the much-publicised risks and threats, we still collectively stink at password management,” says Tod Beardsley, Director of Research at Rapid7.
For this report, Rapid7 used its network of honeypots (a few hundred of them) to monitor SSH and RDP login attempts. After looking at authentication attempts (as opposed to vulnerability exploit attempts, low-touch scans, etc.), Rapid7 found that attackers attempted 512,002 unique passwords. From here, the researchers turned to the rockyou2021.txt list to determine how many of those passwords existed in this industry-standard list of exposed passwords.
“Prepare to be shocked: nearly all of them were,” adds Beardsley.
“In fact, we found that just 14 of the passwords being brute-forced into our honeypots were NOT part of the rockyou2021.txt file, and we think those were likely errors as they included a string of the honeypots’ IP addresses in them.”
There are approximately 8.4 billion passwords in the rockyou2021.txt file, and Rapid7 found fewer than half a million in its honeypots. Rapid7 says attackers more likely still rely on the human connection to security infrastructure, which is notoriously one of the weakest links in the chain.
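The analysis the report describes (collect attempted credentials from honeypots, count the unique passwords, check them against a wordlist, and set aside misses that merely embed a honeypot address) as an added Python example over constructed sample data; this is not Rapid7's code, the JSON-lines event format is an assumption, and the tiny wordlist stands in for rockyou2021.txt:

```python
import json
from collections import Counter

# Constructed honeypot login-attempt events in a made-up JSON-lines format
# (not Rapid7's data or any particular honeypot's log schema).
HONEYPOT_EVENTS = """\
{"proto": "ssh", "src": "198.51.100.7", "dst": "203.0.113.10", "user": "root", "password": "root"}
{"proto": "ssh", "src": "198.51.100.7", "dst": "203.0.113.10", "user": "root", "password": "admin"}
{"proto": "ssh", "src": "198.51.100.9", "dst": "203.0.113.10", "user": "root", "password": "nproc"}
{"proto": "rdp", "src": "192.0.2.44", "dst": "203.0.113.11", "user": "administrator", "password": "admin"}
{"proto": "rdp", "src": "192.0.2.44", "dst": "203.0.113.11", "user": "user", "password": "root"}
{"proto": "rdp", "src": "192.0.2.45", "dst": "203.0.113.11", "user": "admin", "password": "nproc"}
{"proto": "ssh", "src": "192.0.2.45", "dst": "203.0.113.10", "user": "root", "password": "203.0.113.10"}
{"proto": "ssh", "src": "192.0.2.45", "dst": "203.0.113.10", "user": "root", "password": "Xq7!kp2Lm9"}
"""

# Constructed stand-in for rockyou2021.txt; the real list has roughly 8.4 billion entries.
WORDLIST = {"root", "admin", "nproc", "password", "123456", "qwerty"}


def parse_events(text):
    """Parse JSON-lines honeypot events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(events, wordlist):
    """Tabulate attempted credentials the way the report describes: count unique
    passwords, check each against the wordlist, and split the misses into ones
    that embed a honeypot address (likely tooling errors) and genuine unknowns."""
    honeypot_addrs = {e["dst"] for e in events}
    unique_pw = {e["password"] for e in events}
    in_list = {p for p in unique_pw if p in wordlist}
    missing = unique_pw - in_list
    addr_artifacts = {p for p in missing if any(a in p for a in honeypot_addrs)}
    return {
        "unique_passwords": len(unique_pw),
        "in_wordlist": len(in_list),
        "coverage": len(in_list) / len(unique_pw) if unique_pw else 0.0,
        "address_artifacts": addr_artifacts,
        "unknown": missing - addr_artifacts,
        "top_users": Counter(e["user"] for e in events).most_common(3),
        "top_passwords": Counter(e["password"] for e in events).most_common(3),
    }
```

Running `analyse(parse_events(HONEYPOT_EVENTS), WORDLIST)` on the sample reproduces the report's shape: most attempted passwords are in the list, the one address-bearing miss is flagged separately, and a single random-looking password is the only genuine unknown.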
“Social engineering tactics, like phishing for passwords and credential stuffing, are still stronger ways for attackers to gain access to passwords than cracking them automatically,” says Erick Galinkin, Principal Artificial Intelligence Researcher at Rapid7.
“What this tells us in practicality is that it’s not terribly hard to avoid this class of attack. In fact, some of the most attacked credentials were ones that should make any internet-literate person facepalm hard.”
Rapid7 found the three most popular usernames for RDP were “administrator”, “user” and “admin”, and the three most common passwords were “root”, “admin” and “nproc”.
“We’re simply not doing well enough with our passwords, and it just doesn’t need to be that way in this day and age,” adds Galinkin.
“It’s not hard to beat this kind of attack and you don’t even have to have a particularly strong password in order to protect yourself; just one with randomness in it, such as a few arbitrary characters.”
Rapid7 advises customers and members of the public to not reuse a password for multiple logins and to avoid default passwords. The company says all of these problems would be covered by the use of password manager services, which create unique, random passwords for users.
“These services are a strong but sadly underutilised way to have good credential hygiene,” concludes Galinkin.