New releases of bad or weak passwords lists are common[1][2] on the Internet. Those lists compile passwords that are used by people to protect (even if it's not the most appropriate term) their accounts. But passwords are everywhere and also used to control access to devices. Recent attacks like the Mirai[3] botnet which attacked IoT devices are a good example. Once infected, a device will start to search for new potential victims by scanning the Internet for some vulnerable ports (TCP/23, TCP/2323 are good examples), then brute-force the password by testing a list of well-known passwords. Those passwords are somewhere different than users' password but just as vulnerable. While hunting, I found some interesting pieces of C source code that contained lists of passwords used by such infected devices. Keep in mind that a password considered as strong (your know the magic formula: a mix of upper/lower case characters, numbers and special characters) is useless if it is known in the wild! Here is the list of passwords that I found to be used in the wild: "" (empty string!) 00000000 1111 1111111 1234 12345 123456 54321 666666 7ujMko0admin 7ujMko0vizxv 888888 Zte521 admin admin1 admin1234 administrator anko default dreambox fucker guest hi3518 ikwb juantech jvbzd klv123 klv1234 meinsm pass password realtek root service smcadmin supervisor support system tech ubnt user vizxv xc3511 xmhdipc zlxx If you have devices configured with one of those passwords, change it as soon as possible. Even, if your devices are not facing the internet! Feel free to share your list of passwords if you found others, I'm curious. [1] http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 Xavier Mertens (@xme) |
Xme 590 Posts ISC Handler Dec 7th 2016 |
Thread locked Subscribe |
Dec 7th 2016 4 years ago |
I'm curious about password strength, as I've been seeing more articles indicating length is more important than a mix of case, numbers and symbols. https://uit.stanford.edu/service/accounts/passwords/quickguide is a good example, although my gut feeling keeps telling me that even at 20 characters we should have a mix of characteristics. Any thoughts on password length being the driving consideration to password strength?
|
Steve 5 Posts |
Quote |
Dec 7th 2016 4 years ago |
Most of the words & phrases on this list I recognize or can work out, but this one is new to me: vizxv
Does anyone know the origins of this as a password? |
TravisMcW 3 Posts |
Quote |
Dec 7th 2016 4 years ago |
Agree. Eight (8) characters is highly insufficient for any use. And 20 character is a good level. Any average person should be able to recall a passphrase at that level (I was part of scientific research by NASA to test that theory-and I had to change to 20 or 22 characters every few days!). I think the typical psuedo-random-mix method (aA00!~) is also problematic, especially at 20 characters. There are better methods (Schneier's pseudo-abbreviation, XKCD random words, etc.) that are likely strong and easier to remember.
|
Brett 18 Posts |
Quote |
Dec 7th 2016 4 years ago |
forgot to comment on Stanford's guidance. It is not good. I would guess that they are aiming at longer-is-better, but longer needs to be simpler. I'd have to run some math on this premise (see grc.com for excellent quantitative password analyis). As I said in previous post, 20 mixed characters is not mentally challenging.
By Schneier's method Long complex passwords include characters, numbers, letters and entropy in order to get enough strength Lcpic,n,l&eio2ges [17] XKCD (which I enhance with numbers & characters) of same phrase L0ng, le77ers & entropy [23] (i have developed a couple methods that are equally as strong) both methods above are strong as well as not so mentally challenging as typical security orthdoxy would dictate. |
Brett 18 Posts |
Quote |
Dec 7th 2016 4 years ago |
%Season%%yyyy% so Winter2016 etc.
|
Anonymous |
Quote |
Dec 7th 2016 4 years ago |
I've made myself a little password test utility. It basically looks at the characters it's seen so far and makes an estimate as to how surprising the next character is. Expresses that surprise as a number of bits and adds that to a running total.
So another letter after nineteen of them isn't that surprising, BUT, a completely random ascii character is about 6.5bits per character. That's about 52bits for eight completely random printable ascii characters. If you use twenty characters matching this strength means getting just 2.6bits per character ... that's basically a single dice throw. So even if you lose a lot of bits because you're using words it will be quite difficult to get that low. I would suggest that it's a good idea to add a symbol or two in your password. I would guess that a symbol in the middle of letters is likely to increase the "surprise" a lot. If I'm measuring it in bits I'd be looking at one symbol giving you perhaps 10bits of extra entropy just because it's impossible to know exactly where it is. But it's not _required_ because 20 letters is secure against any random attack and probably secure against a targeted attack (unless you use "internationalisation" as your password) It's always possible to choose a bad password, whatever the rules. |
UnknownNick 11 Posts |
Quote |
Dec 7th 2016 4 years ago |
According to google, it may be a default root password for a dahua dvr
|
Ideaphore 2 Posts |
Quote |
Dec 7th 2016 4 years ago |
Quoting TravisMcW:Most of the words & phrases on this list I recognize or can work out, but this one is new to me: vizxv According to Google it may be associated with a Dahua device ( DVR/Camera ? ), as is 7ujMko0. |
Ideaphore 2 Posts |
Quote |
Dec 8th 2016 4 years ago |
Many passwords on the list are default passwords for gadgets published on internet, like https://gist.github.com/gabonator/74cdd6ab4f733ff047356198c781f27d
|
Anonymous |
Quote |
Dec 8th 2016 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!