It’s official: Malicious hackers have crappy password hygiene, too

June 10, 2014 – 4:34 PM

Given the amount of time malicious hackers spend bypassing other people’s security, you might think that they pay close attention to locking down their own digital fortresses. It turns out that many of them don’t, according to a recent blog post documenting some of their sloppiest password hygiene.

The post comes from Antonín Hýža, a researcher at antivirus provider Avast. As he was working to analyze a protected PHP shell, he got to wondering how strong the average hacker password was. He then tapped 40,000 samples of backdoors, bots, and shells his company had on hand. Remarkably, 1,255 of the underlying passwords were in plaintext, while another 346 were protected with the easily crackable MD5 hashing algorithm. The resulting 1,601 passwords he had to work with allowed him to see just how poor the bottom four percent of hackers’ passwords were.

The fact that slightly more than three percent of the sample was in the clear was the first sign of just how sloppy some of the criminals Avast tracks are when it comes to password hygiene. These passwords can likely be obtained simply by viewing the scripts of programming languages, or in the case of binary code, by loading them into a hex viewer. As a result, a password with 75 characters, as one hacker set, or the passcode “lol dont try cracking 12 char+” (minus the quotes) chosen by another were easily recovered despite the work that went into trying to make them strong. The lack of any one-way hashing algorithm to obscure the passcodes makes one wonder why the authors bothered at all.

Then there were the passwords themselves. The average length was just six characters, short enough to be brute-force cracked in a matter of minutes in most cases. The passwords also contained a relatively small number of upper-case letters, numbers, and special characters. By sticking mostly to predictable lower-case letters, the hackers significantly reduced the “key space” required to carry out brute-force attacks. That plays to the favor of crackers, since small key spaces take much less time to exhaust. By using a more diverse set of characters to create passwords, key spaces become orders of magnitude larger, a dynamic that can quickly make brute-force cracking unfeasible. Based on a statistical analysis of the recovered passwords, Hýža constructed two character sets that stood the best chance of quickly cracking the remaining undeciphered passcodes. The shorter of the two contained just 28 characters: acdehiklmnorstu01234579!-.@_


You must be logged in to post a comment.