Cyber criminals aren’t even trying to guess user passwords anymore, according to a new analysis that watched the activities of credential thieves and found that they are overwhelmingly relying on publicly available lists of common passwords.

Entitled Good Passwords for Bad Bots, the research by security firm Rapid7 saw its security team cross-checking attempted logins to its network of honeypots – specially configured decoys that are designed to attract cyber criminals to study their attack techniques – against freely available lists of usernames and passwords.

Despite anecdotal reports of cyber criminals trying to guess individual victims’ passwords, the researchers found that 99.97 per cent of the passwords they attempted to use for the honeypots were found on a widely available password list called rockyou2021.txt – a 92 gigabyte compilation of 8.4 billion passwords taken from other data breaches and word lists.

After watching cyber criminals trying to access the honeypots’ fake SSH and RDP remote-access servers, Rapid7 researchers identified 512,002 unique passwords that were used – including time-honoured embarrassments like ‘123456’ and ‘password’ – and just 14 of them had not already been included on the list.

“We think those were likely errors as they included a string of the honeypots’ IP addresses in them,” Rapid7 principal security research manager Tod Beardsley explained.

“Unless they are signs of some dastardly attack that we haven’t seen before, they are likely insignificant.”

The findings mean that “online credential attackers are not generating truly random passwords, but are instead working entirely off of lists of guessable passwords,” the report’s authors note.
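The cross-check described above, as an added example rather than Rapid7’s own tooling: it streams a word list once against the small set of observed passwords (so a 92 GB list never has to be loaded whole), then flags unlisted passwords that embed a honeypot IP as the likely operator errors the report mentions. All inputs are constructed, and the function names are assumptions.

```python
from typing import Iterable

# Constructed sample inputs (not Rapid7's honeypot data): passwords seen in
# SSH/RDP login attempts, a tiny stand-in for rockyou2021.txt, and the
# honeypots' own addresses (RFC 5737 documentation ranges).
OBSERVED_ATTEMPTS = ["123456", "password", "admin", "root", "Administrator",
                     "123456", "P@ssw0rd", "192.0.2.10root", "letmein", "qwerty"]
SAMPLE_WORDLIST = ["123456", "password", "admin", "root", "Administrator",
                   "qwerty", "letmein", "iloveyou"]
HONEYPOT_IPS = {"192.0.2.10", "198.51.100.7"}


def stream_wordlist_matches(observed: set, wordlist_lines: Iterable[str]) -> set:
    """One pass over the (possibly 92 GB) word list. Only the small observed
    set is held in memory; the list itself is never loaded whole."""
    remaining = set(observed)
    found = set()
    for line in wordlist_lines:
        candidate = line.rstrip("\r\n")
        if candidate in remaining:
            found.add(candidate)
            remaining.discard(candidate)
            if not remaining:  # everything accounted for; stop early
                break
    return found


def analyse(attempts, wordlist_lines, honeypot_ips):
    """Return list coverage plus the unlisted passwords, split into likely
    operator errors (they embed a honeypot IP, as in the report) and the rest."""
    observed = set(attempts)
    found = stream_wordlist_matches(observed, wordlist_lines)
    unlisted = observed - found
    likely_errors = {p for p in unlisted if any(ip in p for ip in honeypot_ips)}
    return {
        "unique": len(observed),
        "on_list": len(found),
        "coverage_pct": round(100.0 * len(found) / len(observed), 2),
        "likely_errors": sorted(likely_errors),
        "novel": sorted(unlisted - likely_errors),
    }


def analyse_file(attempts, wordlist_path, honeypot_ips):
    """Same check against a real list on disk. rockyou-style files contain
    non-UTF-8 bytes, so decode leniently rather than crash mid-stream."""
    with open(wordlist_path, encoding="latin-1", errors="replace") as fh:
        return analyse(attempts, fh, honeypot_ips)


if __name__ == "__main__":
    print(analyse(OBSERVED_ATTEMPTS, SAMPLE_WORDLIST, HONEYPOT_IPS))
```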

System administrators should use tools like Defaultinator to see which network devices are still using default passwords, the report advises, noting that many of the most commonly tried passwords were defaults like ‘Administrator’, ‘root’, and ‘admin’.

Just because cyber criminals aren’t trying to guess users’ passwords doesn’t mean they aren’t looking for them in other ways, however.

“What’s more likely to happen is that attackers still rely on the human connection to security infrastructure,” Beardsley wrote, “which is notoriously one of the weakest links in the chain.”

“Social engineering like phishing for passwords, and credential stuffing are still stronger ways for attackers to gain access to passwords than cracking them automatically.”

Building a security culture

While the new research confirms that randomly-generated secure passwords do provide robust security, convincing employees to play along remains a major challenge in a real world where most users remain stubbornly attached to passwords that most definitely are on the rockyou2021.txt list.

Although many companies run regular training and testing to help employees keep spotting phishing emails, many of those employees nonetheless continue unsafe password practices that could be easily remedied.

Around 71 per cent of Australian respondents to one LogMeIn survey, for example, were found to be using the same passwords across a range of websites – with more than half saying they rely on remembering passwords using information that is easily guessed.

Earlier this year, a Cisco survey of Australian consumers found two-thirds of respondents said that making it easier and faster to log in is important to them – leading 57 per cent to use the same password for multiple online accounts.

Fully 51 per cent said they forget or reset their passwords once or twice per week on average – suggesting that their strategies for remembering passwords simply aren’t working.

To ensure that their employees stop using passwords they’ve designed to be easy to remember, Rapid7 recommends businesses use any of a range of commonly available password generators to “[encourage] a corporate culture of randomly-generated, strong passwords” that, its research shows, cyber criminals aren’t even trying to figure out.

Users aren’t the only password-related headache for cyber security managers, however: the problem is set to be compounded further as businesses embrace robotic process administration (RPA), in which software ‘bots’ are being written to perform routine tasks that often require them to log onto critical business systems.

To ensure that the bots continue operating, many companies are entering system passwords into their RPA scripts – which, CyberArk senior director for consulting services and incident response Bryan Murphy warns, is making them a new target for resourceful cyber criminals.

“Humans aren’t the only target for attackers who seek to compromise credentials as their easiest pathway to an organisation’s critical data and assets,” Murphy explained.

“Humans remain a lucrative and relatively easy target, but software bots exist in huge numbers across the average global organisation and have become an enticing target.

“Attackers specifically go after bots because they know that in many cases their passwords are not being rotated,” he continued.

“They also know that bots are generally over-permissioned, with more access than they need and aren’t monitored as human identities are for anomalies.

“A compromise here becomes a ‘game over’ situation for the targeted organisation.”