
Hackers rarely brute-force passwords longer than 7 characters


A Microsoft cybersecurity specialist has shared some interesting statistics: most cybercriminals prefer to brute-force passwords no longer than 7 characters, and only a small percentage of attacks target long passwords containing special characters.

The researcher collected the statistics for this analysis from the numerous honeypot servers he manages as part of his job, studying trends among attackers:

"I analyzed the credentials used in over 25,000,000 brute-force attacks on SSH. In 77% of cases, brute force was directed at passwords from 1 to 7 characters. A password longer than 10 characters was encountered in only 6% of cases," Ross Bevington, a Microsoft expert, said.

The expert also writes that in only 7% of cases was at least one special character used during the brute-force attacks, while in 39% of cases at least one digit was used. At the same time, none of the brute-force attempts tried passwords containing spaces.
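As an added illustration (not code from the article or from Microsoft), this script computes the same kind of statistics over a honeypot's own login records: the share of attempted passwords with 1 to 7 characters, with more than 10 characters, and with special characters, digits or spaces. The JSON-lines format and the event/field names are assumptions modelled on Cowrie-style honeypot output, and the log lines below are constructed.

```python
"""Length and character-class statistics for attempted SSH passwords in honeypot logs."""
from collections import Counter
import json
import string

# Constructed sample log lines (assumed Cowrie-style JSON events), not real data.
SAMPLE_LOG = """
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "P@ssw0rd"}
{"eventid": "cowrie.login.failed", "username": "pi", "password": "raspberry"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "qwerty12345678"}
{"eventid": "cowrie.login.success", "username": "root", "password": "toor"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10"}
"""

SPECIALS = set(string.punctuation)


def extract_passwords(log_text):
    """Yield the password from every login event (failed or successful)."""
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("eventid", "").startswith("cowrie.login.") and "password" in event:
            yield event["password"]


def length_bucket(pw):
    """Bucket a password by length using the same cut-offs as the article (<=7, >10)."""
    n = len(pw)
    if n <= 7:
        return "1-7"
    return "8-10" if n <= 10 else "11+"


def summarize(passwords):
    """Return percentages of attempts per length bucket and per character class."""
    pws = list(passwords)
    total = len(pws)
    buckets = Counter(length_bucket(p) for p in pws)

    def pct(count):
        return round(100.0 * count / total, 1) if total else 0.0

    return {
        "total": total,
        "len_1_7_pct": pct(buckets["1-7"]),
        "len_11_plus_pct": pct(buckets["11+"]),
        "special_pct": pct(sum(1 for p in pws if SPECIALS & set(p))),
        "digit_pct": pct(sum(1 for p in pws if any(c.isdigit() for c in p))),
        "space_pct": pct(sum(1 for p in pws if " " in p)),
    }


if __name__ == "__main__":
    print(summarize(extract_passwords(SAMPLE_LOG)))
```

Point it at a real honeypot log to see how the distribution on your own exposed hosts compares with the percentages quoted above.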

[Image: SSH Passwords]

The results of this study show that longer passwords containing special characters are far more likely to withstand the vast majority of such attacks. Of course, this holds only as long as the credentials have not been "leaked" to the public and do not appear in attackers' dictionaries and wordlists. Such leaks are usually the result of spyware activity, so be careful and use anti-spyware programs for better security.

Bevington notes that, based on data from 14 billion brute-force attacks on Microsoft honeypot servers, attacks on RDP have more than tripled since 2020, growing by 325%. In addition, attacks on network printing services, as well as on Docker and Kubernetes, increased by 110% and 178%, respectively.

"The statistics for SSH and VNC are just as bad, they just haven't changed much since last year. By default, solutions like RDP are disabled, but if you choose to enable them, don't dump everything directly onto the internet. Remember that attackers will brute-force any remote administration protocol. If you need Internet access, use strong passwords, managed identities, and multi-factor authentication," the expert says.

Let me remind you that I also wrote that researchers taught an algorithm to guess PIN codes from bank cards.

About The Author
Vladimir Krasnogolovy