Top 10 Passwords Hackers Love To See

Any good information security professional knows that a good password should be easy to remember but hard to guess, because attempts to crack passwords never stop. A recent study by the University of Maryland's Clark School of Engineering is one of the first to quantify the near-constant rate of hacker attacks on computers with Internet access—every 39 seconds on average—and the weak usernames and passwords that give attackers a better chance of success.

The study profiled the behavior of “brute force” hackers, those who use simple automation programs to attack large numbers of computers indiscriminately. The researchers found which usernames and passwords are tried most often, and also what the hackers do once they gain access to a computer.

On TV and in film, these types of hackers have been portrayed as people with grudges who target specific institutions and manually try to break into their computers. “But in reality most of these attacks employ automated scripts that indiscriminately seek out thousands of computers at a time, looking for vulnerabilities,” said Michel Cukier, an assistant professor of mechanical engineering and affiliate of the Clark School's Center for Risk and Reliability and Institute for Systems Research.

The study’s data provided quantifiable evidence that attacks are happening all the time to computers with Internet connections. The computers in the Maryland study were attacked, on average, 2,244 times a day.

In the study, the researchers set up four Linux computers with Internet access and deliberately weak security, then recorded what happened as each machine was attacked. They discovered that the vast majority of attacks came from relatively unsophisticated hackers using "dictionary scripts," software that runs through lists of common usernames and passwords in an attempt to break into a computer.

"Root" was the top username guess by dictionary scripts—attempted 12 times as often as the second-place "admin." Successful 'root' access would open the entire computer to the hacker, while 'admin' would grant access to somewhat lesser administrative privileges.

Other top usernames in the hackers' scripts were "test," "guest," "info," "adm," "mysql," "user," "administrator" and "oracle." All should be avoided as usernames.

The researchers found the most common password-guessing ploy was to reenter or try variations of the username. Some 43 percent of all password-guessing attempts simply reentered the username. The username followed by "123" was the second most-tried choice. Other common passwords attempted included "123456," "password," "1234," "12345," "passwd," "123," "test," and "1." These findings support the warnings of security experts that a password should never be identical or even related to its associated username.

Once hackers gain access to a computer, they swiftly act to determine whether it could be of use to them. During the study, the hackers' most common sequence of actions was to check the accessed computer's software configuration, change the password, check the hardware and/or software configuration again, download a file, install the downloaded program, and then run it.

What are the hackers trying to accomplish? The scripts return a list of “most likely prospect” computers to the hacker, who then attempts to access and compromise as many as possible. Often they set up “back doors”—undetected entrances into the computer that they control—so they can create “botnets” for profit or criminal purposes. A botnet is a collection of compromised computers controlled by autonomous software robots answering to a hacker who manipulates the computers remotely. Botnets can act to perpetrate fraud or identity theft, disrupt other networks, and damage computer files, among other things.

The Maryland study provided solid statistical evidence that supports widely held beliefs about username/password vulnerability and post-compromise attacking behavior. Computer users should avoid all of the usernames and passwords identified in the research and choose longer, more difficult and less obvious passwords with combinations of upper and lowercase letters and numbers that are not open to brute-force dictionary attacks.

Most information security professionals forbid shared passwords in their data centers. If a shared password is compromised, one or two vulnerable computers can lead to the compromise of many more computers within an institution.

What’s a strong password? A strong password should have a minimum of eight characters and include numerals and upper and lower case letters. Better still, use a “pass-phrase”: take an 8- to 10-word quote or phrase and use the first one or two letters of every word to build the password.

Top passwords used to attack

  • Username
  • Username123
  • 123456
  • Password
  • 1234
  • 12345
  • Passwd
  • 123
  • Test
  • 1

Top usernames used to attack

  • Root
  • Admin
  • Test
  • Guest
  • Info
  • Adm
  • Mysql
  • User
  • Administrator
  • Oracle
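The following checker, added here as an illustration and not part of the Maryland study or this article, encodes the findings above as a password policy: it rejects the most-guessed usernames and passwords, the "reenter the username" and "username123" ploys, and anything shorter than eight mixed-class characters, and it builds a pass-phrase from a quote the way the article recommends. The function names, the sample quote and the sample credentials are constructed for this example.

```python
import re
from typing import List

# Top passwords and usernames from the lists above. The two username-based
# guesses ("Username", "Username123") are handled as patterns, not literals.
WEAK_PASSWORDS = {"123456", "password", "1234", "12345", "passwd", "123", "test", "1"}
WEAK_USERNAMES = {"root", "admin", "test", "guest", "info", "adm", "mysql",
                  "user", "administrator", "oracle"}


def check_credentials(username: str, password: str) -> List[str]:
    """Return every policy violation for a username/password pair.

    An empty list means the pair avoids the patterns the dictionary scripts
    tried and meets the article's eight-character, mixed-class rule.
    """
    problems = []
    u, p = username.lower(), password.lower()
    if u in WEAK_USERNAMES:
        problems.append(f"username {username!r} is on the most-guessed list")
    if p in WEAK_PASSWORDS:
        problems.append("password is on the most-guessed list")
    # 43 percent of guesses simply reentered the username; username+"123" was next.
    if p == u:
        problems.append("password equals username")
    elif u and p.startswith(u) and p[len(u):].isdigit():
        problems.append("password is the username followed by digits")
    if len(password) < 8:
        problems.append("password shorter than 8 characters")
    if not (any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        problems.append("password lacks digits, uppercase or lowercase letters")
    return problems


def derive_passphrase(quote: str, letters_per_word: int = 1) -> str:
    """Build a pass-phrase as the article describes: the first one or two
    letters of each word of an 8- to 10-word quote. Digits in the quote are
    kept (they help satisfy the mixed-class rule); punctuation is dropped.
    """
    words = re.findall(r"[A-Za-z0-9]+", quote)
    if not 8 <= len(words) <= 10:
        raise ValueError("quote should be 8 to 10 words long")
    return "".join(w[:letters_per_word] for w in words)


if __name__ == "__main__":
    # Constructed sample quote; the result "TqbFjo2ldt" passes the policy.
    phrase = derive_passphrase("The quick brown Fox jumps over 2 lazy dogs today")
    print(phrase, check_credentials("alice", phrase))
    print(check_credentials("root", "root"))
```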

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
