The Attacker's Dictionary

Published at 2016-03-01 16:04:10

... common substitutions (1 for l [lowercase L], 0 for O [uppercase o]).

Different password evaluators will place different values on each of these (and other) characteristics when deciding whether a password is "top-notch" or "strong" or "secure". We looked at a few of these password evaluators and found zxcvbn to be well documented and maintained, so we ran all the passwords through it to compute a complexity score (0 to 4) for each one. We then looked at how password complexity is related to finding a password in a list of leaked passwords.

| complexity | # passwords | % of total | crackstation | crackstation % | Burnett | Burnett % | any | any % | all | all % |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 803 | 20.23 | 726 | 90.41 | 564 | 70.24 | 728 | 90.66 | 562 | 69.99 |
| 1 | 1512 | 38.10 | 898 | 59.39 | 634 | 41.93 | 939 | 62.10 | 593 | 39.22 |
| 2 | 735 | 18.52 | 87 | 11.84 | 37 | 5.03 | 94 | 12.79 | 30 | 4.08 |
| 3 | 567 | 14.29 | 13 | 2.29 | 5 | 0.88 | 13 | 2.29 | 5 | 0.88 |
| 4 | 352 | 8.87 | 7 | 1.99 | 4 | 1.14 | 8 | 2.27 | 3 | 0.85 |

The percentages in the list columns are relative to the number of passwords in that complexity bucket, not to the whole set.

The table shows the complexity of the collected passwords, as well as how many of them were found in the different leaked-password lists. For instance, 352 passwords were classified as complexity 4; 7 of those were found in the crackstation list and 4 in the Burnett list. 8 of them were found in at least one of the lists, meaning that if you had both lists you would find 2.27% of the passwords classified as complexity 4. Looking across all the lists, 3 (0.85%) were present in every list.

From this we extrapolate that as passwords get more complex, fewer and fewer of them are found in the lists of leaked passwords. Since we see attackers trying both stupendously simple passwords, like single-character passwords, and much more complex passwords that are typically not found in the usual password lists, we can surmise that these attackers are not tied to these lists in any practical way: they clearly have other sources for likely credentials to try.
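The tabulation behind the table above, as an added example that is not Rapid7's code: each observed password carries its zxcvbn score (0 to 4), and for every score bucket we count how many passwords appear in each leaked list, in any list, and in all lists, with percentages relative to the bucket size. The passwords, scores and the two wordlists below are all constructed, and the scores are supplied directly (an assumption, so the example runs without the zxcvbn package); in the real pipeline they would come from `zxcvbn.zxcvbn(password)["score"]`.

```python
"""Cross-reference complexity-bucketed passwords against leaked-password lists.

Added example, not Rapid7's code. All passwords, scores and wordlists here are
constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of (password, zxcvbn score). Scores are assumed values
# supplied directly so the example runs without the zxcvbn package; in the real
# pipeline they come from zxcvbn.zxcvbn(password)["score"].
OBSERVED: List[Tuple[str, int]] = [
    ("x", 0), ("1", 0), ("123456", 0), ("password", 0), ("admin", 0),
    ("P@ssw0rd", 1), ("letmein1", 1), ("qwerty123", 1),
    ("Summer2015!", 2), ("Welcome123", 2),
    ("correct horse", 3),
    ("Tr0ub4dor&3xq", 4), ("9#kLm!2pQz", 4),
]

# Constructed stand-ins for the two leaked lists, in the raw form such dumps
# usually arrive in: one entry per line, mixed CRLF/LF endings, blank lines.
CRACKSTATION_TXT = ("123456\r\npassword\r\nadmin\r\nletmein1\r\nqwerty123\r\n"
                    "P@ssw0rd\r\nWelcome123\r\n\r\n")
BURNETT_TXT = "123456\npassword\nx\n1\nletmein1\nSummer2015!\n"


def load_wordlist(text: str) -> Set[str]:
    """Parse a dump into a set for O(1) exact-match lookup.

    splitlines() removes the line terminators but nothing else: leading or
    trailing spaces are legitimate password characters, so do not strip() them.
    Empty lines are dropped so a trailing blank line does not become the
    candidate ''."""
    return {line for line in text.splitlines() if line}


def tabulate(observed: List[Tuple[str, int]],
             lists: Dict[str, Set[str]]) -> Dict[int, Dict[str, int]]:
    """Per score bucket: total, hits per list, hits in any list, hits in all."""
    names = list(lists)
    table = {s: {"total": 0, "any": 0, "all": 0, **{n: 0 for n in names}}
             for s in range(5)}
    for password, score in observed:
        row = table[score]
        row["total"] += 1
        hits = {n: password in lists[n] for n in names}
        for n, hit in hits.items():
            row[n] += int(hit)
        row["any"] += int(any(hits.values()))
        row["all"] += int(all(hits.values()))
    return table


def pct(part: int, whole: int) -> float:
    """Percentage rounded to two places; an empty bucket reports 0.0."""
    return 0.0 if whole == 0 else round(100.0 * part / whole, 2)


def render(table: Dict[int, Dict[str, int]], names: List[str]) -> str:
    """Format the table in the report's column order: count then % per list."""
    grand = sum(row["total"] for row in table.values())
    cols = ["complexity", "# passwords", "%"]
    for n in names + ["any", "all"]:
        cols += [n, n + " %"]
    lines = ["\t".join(cols)]
    for score, row in sorted(table.items()):
        cells = [score, row["total"], pct(row["total"], grand)]
        for n in names + ["any", "all"]:
            cells += [row[n], pct(row[n], row["total"])]
        lines.append("\t".join(str(c) for c in cells))
    return "\n".join(lines)


LISTS = {"crackstation": load_wordlist(CRACKSTATION_TXT),
         "burnett": load_wordlist(BURNETT_TXT)}
TABLE = tabulate(OBSERVED, LISTS)

if __name__ == "__main__":
    print(render(TABLE, list(LISTS)))
```

Note that this is an exact-match lookup, which is what the report's numbers measure. An attacker's tooling usually applies mangling rules (case changes, leet substitutions, appended digits) on top of a list, so a password that is only a rule away from a list entry is still guessable even though it counts as "not found" here; if you run this over your own users' passwords, check rule-mangled variants as well.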
Finally, we wanted to know what the population of possible targets looks like. How many endpoints on the internet have an RDP server running, waiting for connections? Since we have experience from Project Sonar, on 2016-02-02 the Rapid7 Labs team ran a Sonar scan to see how many IPs have TCP port 3389 open and listening. We found that 10,822,679 different IP addresses meet that criterion, spread out all over the world.

So What?

With this dataset we can learn approximately how people looking to log into RDP servers operate. We have much more detail in the report, but some of our findings include:

- Many times a day, every day, our honeypots are contacted by a variety of entities.
- Many of these entities try to log into an RDP service which is not there, using a variety of credentials.
- A majority of the login attempts use simple passwords, most of which are present in collections of leaked passwords.
- As passwords get more complex, they are less and less likely to be present in collections of leaked passwords.
- There is a significant population of RDP-enabled endpoints connected to the internet.

But wait, there's more!

If this interests you and you would like to learn more, come talk to us at booth #4215 at the RSA Conference.

Source: rapid7.com
