Study: Weak passwords really do help hackers

Study finds that weak passwords are rife and easy pickings for hackers

Left online for 24 days to see how hackers would attack them, four Linux computers with weak passwords were hit by some 270,000 intrusion attempts -- about one attempt every 39 seconds, according to a study conducted by a researcher at the University of Maryland.

Among the key findings: Weak passwords really do make hackers' jobs much easier. The study also found that improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer.

The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems -- and what they do once they gain access.

Using software tools that help hackers guess usernames and passwords, the study logged the most common words hackers tried to use to log into the systems. Cukier and two graduate students found that most attacks were conducted by hackers using dictionary scripts, which run through lists of common usernames and passwords in attempts to break into a computer.

Some 825 of the attacks were ultimately successful and the hackers were able to log into the systems. The study was conducted between Nov. 14 and Dec. 8 at the school.

Cukier was not surprised by what he found. "Root" was the top guess by dictionary scripts in about 12.34% of the attempts, while "admin" was tried 1.63 percent of the time. The word "test" was tried as a username 1.12 percent of the time, while "guest" was tried 0.84 percent of the time, according to the experiment's logs.

The dictionary script software tried 43 percent of the time to use the same username word as a password to try to gain entrance into the affected systems, Cukier said. The reason, he said, is that hackers try for the simplest combinations because they just might work.

Once inside the systems, hackers conducted several typical inquiries, he said, including checking software configurations, changing passwords, checking the hardware and/or software configuration again, downloading a file, installing the downloaded program and then running it.

For IT security workers, the study reinforced the obvious. "Weak passwords are a real issue," Cukier said.

At the University of Maryland, users are told that passwords should include at least eight characters, with at least one uppercase letter and one lowercase. The school also recommends that at least one character be a number or punctuation symbol, Cukier said. All passwords should be changed every 180 days, according to the university's recommendations.

"That's really reasonable," Cukier said of the guidelines. "It's not helpful if the password is so complicated that people don't remember it and [therefore] write it down on a sticky note next to their computer."

Users can use the title of a favorite book for a password or even the first letters from a memorable sentence, he said. "They'll be easy for you to remember because you'll be able to remember the sentence ... without having to write it down," Cukier said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Todd R. Weiss

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?