If you run an ssh server (especially if you still run it on the default port), you've no doubt had plenty of folks scan your machine and do password guessing attacks against it.  BTW, you'll never get in mine that way, I only allow public/private key authentication, but that is beside the point here.  I've done a couple of other reports analyzing passwords, and I really like pipal by Robin Wood for much of the analysis (you can grab it from here).  I've been running a kippo ssh honeypot for the day job for about 2 years and I've done a couple of reports on the password guesses for the ThreatTraq webcast, but then I discovered that in addition to firewall logs and the 404 logs, we also collect kippo logs here at the SANS Internet Storm Center.  Ooh, more data!!  If you'd like to contribute, please grab https://isc.sans.edu/kipposcript.pl.  So, without further ado, here is what I've found in our kippo data (as of about 15 April 2013).  I should note here, though, that these are the guesses the bad guys are making.  They've most likely developed their lists based on what has worked for someone at some point, so they will be somewhat different from what you find when analyzing passwords from breaches, such as my analysis of last year's Yahoo breach.

The Basics

Total entries = 15415314
Total unique entries = 46840


The Results

Top 10 passwords
123456 = 167854 (1.09%)
password = 113640 (0.74%)
cacutza = 99492 (0.65%)
__--_-__-_ = 79153 (0.51%)
123 = 63557 (0.41%)
root = 61560 (0.4%)
1234 = 58103 (0.38%)
123456789 = 57270 (0.37%)
12345 = 53445 (0.35%)
test = 52231 (0.34%)

Okay, the first thing to note is that the default password for kippo is 123456, so that may skew the above a bit.  The one I personally find most interesting is the 4th one, '__--_-__-_'.

Top 10 base words
password = 295354 (1.92%)
test = 192825 (1.25%)
pass = 127086 (0.82%)
root = 121704 (0.79%)
cacutza = 99492 (0.65%)
temp = 97145 (0.63%)
[email protected] = 92650 (0.6%)
p4ssword = 88344 (0.57%)
changeme = 74842 (0.49%)
p4ssw0rd = 74329 (0.48%)

So, some variation on password (with or without substitutions).

Password length (count ordered)
6 = 2708563 (17.57%)
8 = 2275062 (14.76%)
7 = 1550776 (10.06%)
9 = 1394644 (9.05%)
10 = 1234997 (8.01%)
4 = 1143617 (7.42%)
5 = 1025693 (6.65%)
12 = 766462 (4.97%)
11 = 647696 (4.2%)
3 = 437702 (2.84%)

The password guesses varied in length from 1 (do people actually allow 1 character passwords?) to 70 characters in length.  The longest ones are shown below.

56 = 4504 (0.03%)
57 = 180 (0.0%)
58 = 465 (0.0%)
60 = 17 (0.0%)
62 = 800 (0.01%)
63 = 69 (0.0%)
64 = 369 (0.0%)
70 = 9 (0.0%)
71 = 908 (0.01%)

The mix

One to six characters = 5463941 (35.44%)
One to eight characters = 9289779 (60.26%)
More than eight characters = 6125535 (39.74%)

Only lowercase alpha = 5126974 (33.26%)
Only uppercase alpha = 140773 (0.91%)
Only alpha = 5267747 (34.17%)
Only numeric = 1906165 (12.37%)

First capital last symbol = 135964 (0.88%)
First capital last number = 958843 (6.22%)

Last digit
3 = 1621502 (10.52%)
1 = 1394507 (9.05%)
0 = 620126 (4.02%)
4 = 593100 (3.85%)
6 = 548727 (3.56%)
2 = 478758 (3.11%)
5 = 420699 (2.73%)
9 = 407320 (2.64%)
8 = 318715 (2.07%)
7 = 303304 (1.97%)

Last 3 digits (Top 10)
123 = 1156095 (7.5%)
456 = 380369 (2.47%)
234 = 340074 (2.21%)
345 = 234638 (1.52%)
321 = 212258 (1.38%)
789 = 192424 (1.25%)
678 = 166984 (1.08%)
567 = 154030 (1.0%)
001 = 146204 (0.95%)
111 = 91160 (0.59%)

Character sets
loweralpha: 5126974 (33.26%)
loweralphanum: 4803721 (31.16%)
numeric: 1906165 (12.37%)
loweralphaspecialnum: 803707 (5.21%)
mixedalphanum: 768137 (4.98%)
mixedalphaspecialnum: 641067 (4.16%)
loweralphaspecial: 344881 (2.24%)
upperalphanum: 181283 (1.18%)
mixedalpha: 151523 (0.98%)
special: 149786 (0.97%)
upperalpha: 140773 (0.91%)
upperalphaspecialnum: 133340 (0.86%)
mixedalphaspecial: 91536 (0.59%)
upperalphaspecial: 81044 (0.53%)
specialnum: 66165 (0.43%)

Character set ordering
allstring: 5419270 (35.16%)
othermask: 3833967 (24.87%)
stringdigit: 2622232 (17.01%)
alldigit: 1906165 (12.37%)
stringdigitstring: 478523 (3.1%)
digitstring: 446101 (2.89%)
stringspecial: 184687 (1.2%)
allspecial: 149786 (0.97%)
stringspecialstring: 117368 (0.76%)
digitstringdigit: 114141 (0.74%)
stringspecialdigit: 101918 (0.66%)
specialstring: 25205 (0.16%)
specialstringspecial: 15951 (0.1%)


Some final thoughts

Okay, there is some interesting stuff there, and if you are interested in the pieces of the standard pipal report that I didn't include here, I've put the full report up on my handler page.  Another thing I took a look at was how many in the mix satisfy the standard definition of a "complex" password: at least 3 of the 4 character classes [lower case, upper case, digits, special characters] and length >= 8.  620413 (4.02%) of the passwords satisfy this definition of complex.  However, when you look at unique passwords, only 1286 (2.75% of the 46840 unique ones) are complex.  So, at least one takeaway is that the more complex you make your crucial passwords, the less likely you are to fall victim to this type of password guessing attack.  Of course, 173 of those 1286 were some variation on 'password' with substitutions or digits and/or special characters tacked on the end.  So, what do you think?  Is there some other aspect of the passwords that I should have looked at?  Let us know in the comment section below or via our contact form.
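Here is an added example (my own code, not pipal's and not part of the original diary) that reproduces the three checks described above on a small constructed sample of guesses: the "complex" test (length >= 8 and at least 3 of 4 character classes), a test for 'password' variants with leet substitutions or trailing digits/symbols, and a pipal-style character set ordering label. The sample counts, the leet table and the mask naming are my assumptions; the mask labels only approximate pipal's own set.

```python
import re

# Constructed sample: guess -> number of attempts (not the diary's real data).
SAMPLE_GUESSES = {
    "123456": 5, "password": 3, "cacutza": 2, "__--_-__-_": 1, "root": 2,
    "P4ssw0rd!": 2, "Changeme123": 1, "p@ssword123": 1, "Admin#2013": 1,
    "Passw0rd": 1, "test": 1, "Q1w2e3r4!": 1,
}

# Assumed leet substitutions used to normalise guesses back to plain letters.
LEET = str.maketrans({"4": "a", "@": "a", "0": "o", "$": "s", "5": "s", "3": "e"})

# The four character classes of the "complex" definition in the diary.
CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())

def is_complex(pw):
    """Diary definition: length >= 8 and at least 3 of the 4 character classes."""
    return len(pw) >= 8 and sum(any(f(c) for c in pw) for f in CLASSES) >= 3

def is_password_variant(pw):
    """'password' with leet substitutions and/or digits or symbols tacked on the end."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)        # drop trailing digits/specials
    return core.lower().translate(LEET) == "password"

def ordering_mask(pw):
    """pipal-style character set ordering label, e.g. stringdigit, digitstringdigit."""
    runs = []
    for c in pw:
        kind = "string" if c.isalpha() else "digit" if c.isdigit() else "special"
        if not runs or runs[-1] != kind:          # collapse consecutive same-class runs
            runs.append(kind)
    if len(runs) == 1:
        return "all" + runs[0]
    return "".join(runs) if len(runs) <= 3 else "othermask"

def summarize(guesses):
    """Totals vs. unique counts, as in the diary's closing complexity numbers."""
    complex_pws = [pw for pw in guesses if is_complex(pw)]
    return {
        "total": sum(guesses.values()),
        "unique": len(guesses),
        "complex_total": sum(guesses[pw] for pw in complex_pws),
        "complex_unique": len(complex_pws),
        "password_variants_among_complex": sum(is_password_variant(pw) for pw in complex_pws),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_GUESSES))
    for pw in SAMPLE_GUESSES:
        print(f"{pw:12} complex={is_complex(pw)!s:5} mask={ordering_mask(pw)}")
```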

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

The opinions expressed here are strictly those of the author and do not necessarily represent those of SANS, the Internet Storm Center, the author's spouse, kids, or pets (except maybe the ornery cat).

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.