How Weak Passwords Really Do Help Hackers

Left online for 24 days to see how hackers would attack them, four Linux computers with weak passwords were hit by some 270,000 intrusion attempts -- about one attempt every 39 seconds, according to a study conducted by a researcher at the University of Maryland.

Among the key findings: Weak passwords really do make hackers' jobs much easier. The study also found that improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer.

The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems -- and what they do once they gain access.

The researchers also discovered which usernames and passwords are tried most often, and what hackers do when they gain access to a computer.

On TV and in film, these kinds of hackers have been portrayed as people with grudges who target specific institutions and manually try to break into their computers. But in reality, Cukier said, "most of these attacks employ automated scripts that indiscriminately seek out thousands of computers at a time, looking for vulnerabilities."

"Our data provide quantifiable evidence that attacks are happening all the time to computers with Internet connections," Cukier said. "The computers in our study were attacked, on average, 2,244 times a day."

Cukier and two of his graduate students, Daniel Ramsbrock and Robin Berthier, set up weak security on four Linux computers with Internet access, then recorded what happened as the individual machines were attacked. They discovered the vast majority of attacks came from relatively unsophisticated hackers using "dictionary scripts," a type of software that runs through lists of common usernames and passwords attempting to break into a computer.

"Root" was the top username guess by dictionary scripts—attempted 12 times as often as the second-place "admin." Successful 'root' access would open the entire computer to the hacker, while 'admin' would grant access to somewhat lesser administrative privileges. Other top usernames in the hackers' scripts were "test," "guest," "info," "adm," "mysql," "user," "administrator" and "oracle." All should be avoided as usernames, Cukier advises.

The researchers found the most common password-guessing ploy was to reenter or try variations of the username. Some 43 percent of all password-guessing attempts simply reentered the username. The username followed by "123" was the second most-tried choice. Other common passwords attempted included "123456," "password," "1234," "12345," "passwd," "123," "test," and "1." These findings support the warnings of security experts that a password should never be identical or even related to its associated username, Cukier said.

Once hackers gain access to a computer, they swiftly act to determine whether it could be of use to them. During the study, the hackers' most common sequence of actions was to check the accessed computer's software configuration, change the password, check the hardware and/or software configuration again, download a file, install the downloaded program, and then run it.

What are the hackers trying to accomplish? "The scripts return a list of 'most likely prospect' computers to the hacker, who then attempts to access and compromise as many as possible," Cukier said. "Often they set up 'back doors'—undetected entrances into the computer that they control—so they can create 'botnets,' for profit or disreputable purposes." A botnet is a collection of compromised computers that are controlled by autonomous software robots answering to a hacker who manipulates the computers remotely. Botnets can act to perpetrate fraud or identity theft, disrupt other networks, and damage computer files, among other things.