Common-password list accounts for nearly all credential attacks seen by honeypots
Tens of millions of credential-based attacks against two common types of servers (SSH and RDP) relied on a tiny fraction of the passwords in a well-known collection of leaked credentials, the RockYou2021 list.
Vulnerability management firm Rapid7, via its network of honeypots, recorded every attempt to compromise those servers over a 12-month period and found that the attempted credential attacks collapsed to roughly 512,000 distinct passwords. Almost all of those passwords (99.997%) appear in a single public wordlist, the RockYou2021 file, which has 8.4 billion entries. That suggests attackers, or at least the subset of threat actors hitting Rapid7's honeypots, are sticking to a common playbook.
The overlap across all the attacks also suggests attackers are taking the easy road, says Tod Beardsley, director of research at Rapid7.
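The measurement described above comes down to a set-membership check. The script below is an added example, not Rapid7's own code: it parses login attempts out of a constructed honeypot log format (loosely modelled on the "login attempt [user/password] failed" lines that SSH honeypots emit), deduplicates the passwords, and reports what fraction of them appear in a wordlist. The log lines and the nine-entry wordlist are constructed stand-ins; the one design point worth noting is that the wordlist is streamed once rather than loaded, because the real RockYou2021 file (8.4 billion lines) will never fit in a Python set, whereas the observed passwords (about 512,000 distinct values in Rapid7's data) easily do.

```python
"""Measure how much of the password material a honeypot observes is already
present in a public wordlist such as RockYou2021.

Added example, not Rapid7's code. The log format and sample data are
constructed for illustration.
"""
import re
from collections import Counter
from typing import Iterable, Iterator

# Constructed honeypot log format (not Cowrie's or Rapid7's exact format):
#   <timestamp> <source ip> login attempt [<user>/<password>] failed
# Simplification: a password containing ']' would not parse.
LOGIN_RE = re.compile(
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] failed"
)

# Constructed sample: a few seconds of SSH honeypot noise from three sources.
SAMPLE_LOG = """\
2022-03-01T12:00:01Z 203.0.113.7 login attempt [root/123456] failed
2022-03-01T12:00:02Z 203.0.113.7 login attempt [root/password] failed
2022-03-01T12:00:03Z 203.0.113.7 login attempt [admin/admin] failed
2022-03-01T12:00:04Z 198.51.100.9 login attempt [root/123456] failed
2022-03-01T12:00:05Z 198.51.100.9 login attempt [pi/raspberry] failed
2022-03-01T12:00:06Z 198.51.100.9 login attempt [ubnt/ubnt] failed
2022-03-01T12:00:07Z 192.0.2.44 login attempt [root/qwerty] failed
2022-03-01T12:00:08Z 192.0.2.44 login attempt [root/Zx9#kT!pQ2w] failed
2022-03-01T12:00:09Z 192.0.2.44 login attempt [oracle/oracle] failed
"""

# Constructed stand-in for the RockYou2021 file: one candidate per line.
SAMPLE_WORDLIST = """\
123456
123456789
qwerty
password
admin
raspberry
ubnt
oracle
letmein
"""


def parse_attempts(lines: Iterable[str]) -> Iterator[tuple[str, str]]:
    """Yield (user, password) for every login-attempt line; skip everything else."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("user"), m.group("password")


def coverage(passwords: Iterable[str], wordlist: Iterable[str]) -> dict:
    """Count how many distinct observed passwords appear in the wordlist.

    The observed set is held in memory and the wordlist is read once, line
    by line, so this works with a multi-gigabyte file opened as an iterator.
    """
    remaining = set(passwords)
    total = len(remaining)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if candidate in remaining:
            remaining.discard(candidate)
            if not remaining:
                break  # every observed password is accounted for; stop reading
    hits = total - len(remaining)
    return {
        "distinct": total,
        "in_wordlist": hits,
        "not_in_wordlist": sorted(remaining),
        "coverage_pct": 100.0 * hits / total if total else 0.0,
    }


def top_passwords(attempts: Iterable[tuple[str, str]], n: int = 3) -> list[tuple[str, int]]:
    """Most frequently tried passwords, counting every attempt rather than distinct values."""
    return Counter(pw for _, pw in attempts).most_common(n)


def analyse(log_text: str, wordlist_text: str) -> dict:
    """Run the whole pipeline over in-memory text; swap in open() handles for real files."""
    attempts = list(parse_attempts(log_text.splitlines()))
    result = coverage((pw for _, pw in attempts), wordlist_text.splitlines())
    result["attempts"] = len(attempts)
    result["top"] = top_passwords(attempts)
    return result


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG, SAMPLE_WORDLIST)
    print(f"{r['attempts']} attempts, {r['distinct']} distinct passwords, "
          f"{r['in_wordlist']} in wordlist ({r['coverage_pct']:.1f}%)")
    print("not in wordlist:", r["not_in_wordlist"])
    print("most tried:", r["top"])
```

On the constructed sample, 7 of 8 distinct passwords are in the wordlist (87.5%), and the single miss is the one random-looking string; on real honeypot data the "not in wordlist" remainder is exactly the handful of creative guesses Rapid7 found to be vanishingly rare. To run against the real file, pass `open("rockyou2021.txt", encoding="utf-8", errors="replace")` as the wordlist iterator instead of `splitlines()`.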
“We know now, in a provable and demonstrable way, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet,” he says. “Therefore, it’s very easy to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls.”
Every year, security firms present research showing that users continue to pick bad passwords. In October 2021, for example, a cybersecurity researcher in Tel Aviv, Israel, found he could recover the passwords of 70% of the wireless networks whose handshakes he captured while cycling through the city, often because the password was simply a cellphone number. In 2019, an evaluation of passwords leaked to the Internet found that the top password was "123456," followed by "123456789" and "qwerty," although it is unclear whether those leaks included old or rarely used accounts that were never subject to a password policy.
In this case, however, Rapid7 researchers focused on the passwords attackers try rather than the ones defenders choose, so the analysis reflects what attackers actually guess in brute-force attacks. Such attacks rose dramatically during the COVID-19 pandemic, with password guessing becoming the most popular method of attack in 2021, according to an analysis by cybersecurity firm ESET.
“With the increasing adoption of both remote work and cloud infrastructures, the number of people accessing corporate information systems across the internet has skyrocketed,” Rapid7 stated in its report. “As with so many things in security, the addition of convenience and complexity has made the task of protecting these systems far more challenging.”
To read the complete article, visit Dark Reading.