Aug 13 2013

Weak Passwords Allow Fort Disco Brute Force Attack to Succeed

The simple act of choosing an effective password can go a long way toward securing systems and websites.

When it comes to security, system administrators hold the keys to the kingdom. Look no further than the Edward Snowden affair to understand the importance and ramifications of this role. Being a system administrator comes with many responsibilities, including maintaining administrative passwords for networks and websites. Unfortunately, when it comes to thinking up secure passwords, it appears that far too many sys admins lack imagination.

On August 7, Matt Bing, a research analyst at Arbor Networks, a security solutions provider, reported on a brute force campaign dubbed Fort Disco. In this attack a botnet of more than 25,000 infected machines ran password-guessing attempts against the administrative logins of blog and content management platforms such as WordPress and Joomla. To date, more than 6,000 sites have been compromised.

The apparent goal of the campaign was the bandwidth of the data centers hosting these sites, which is typically far greater than that of a home PC and would let the attackers carry out similar attacks, among other abuse, on a much larger scale.

But the weak link that made this campaign viable was the passwords themselves. Nothing was cracked: the botnet simply tried a short list of common passwords against each site's admin account, and far too often one of them worked. The two most successful guesses were, unbelievably, "admin," which succeeded 893 times, and "123456," which yielded access 588 times. (See below for the Top 10 Worst Passwords Ever.)

Putting a little time and creativity into password selection can save a lot of grief. Strong password best-practice techniques include using at least seven characters, and preferably many more, since length is what makes guessing expensive; mixing uppercase and lowercase letters, numerals, and symbols; avoiding personally identifiable information such as your user name, the site's domain name, birthday, street address or phone number; changing passwords on a regular basis; and not using a single dictionary word as the full password. These rules address the password itself; the site should also throttle or lock out repeated failed logins so that a botnet cannot try hundreds of guesses against one account unchallenged.

If the password you’ve assigned to your network, server, etc., is as simple as the abc’s or the 123’s, you’re probably doing it wrong.

Top 10 Worst Passwords Ever
Password      Number of Fort Disco compromises
admin         893
123456        588
123123        371
12345         360
{domain}      248
pass          218
123456789     171
1234          150
abc123        136
123321        131

({domain} stands for the target site's own domain name, which the botnet tried as a password on each site it attacked.)
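The following is an added example, not code from the article or from Arbor Networks, showing how the rules listed above and the Top 10 table can be turned into a password check that an admin-account signup or password-change form could run. The Fort Disco list is taken from the table; the tiny dictionary, the sample passwords and the heuristic for deriving words from a domain name (the whole name plus any label longer than three characters) are constructed for illustration and stand in for a real word list.

```python
import re

# The ten passwords the article reports as most often accepted on Fort
# Disco-compromised sites. "{domain}" is a placeholder the botnet filled in
# with each target site's own domain name.
FORT_DISCO_TOP10 = [
    "admin", "123456", "123123", "12345", "{domain}",
    "pass", "123456789", "1234", "abc123", "123321",
]

# Constructed stand-in for a real dictionary word list.
TINY_DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "sunshine"}

MIN_LENGTH = 7  # the article's floor; longer is better

CHAR_CLASSES = [
    (re.compile(r"[a-z]"), "lowercase letter"),
    (re.compile(r"[A-Z]"), "uppercase letter"),
    (re.compile(r"[0-9]"), "digit"),
    (re.compile(r"[^A-Za-z0-9]"), "symbol"),
]


def domain_words(domain):
    """Words an attacker would derive from a site's domain: the whole name and
    each label longer than three characters (drops 'www', 'com', 'org').
    This heuristic is an assumption of the example, not Arbor's method."""
    if not domain:
        return []
    d = domain.lower()
    return [d] + [label for label in d.split(".") if len(label) > 3]


def expanded_blocklist(domain=None):
    """The top-10 list with '{domain}' replaced by the site's own domain words."""
    words = {w for w in FORT_DISCO_TOP10 if w != "{domain}"}
    words.update(domain_words(domain))
    return words


def check_password(password, username=None, domain=None, personal=()):
    """Apply the article's rules and return a list of failures (empty = OK).

    personal: extra strings that must not appear in the password, such as a
    birthday, street name or phone number.
    """
    low = password.lower()
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    missing = [name for pat, name in CHAR_CLASSES if not pat.search(password)]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Compared case-insensitively so "Admin" and "ADMIN" are caught as well.
    if low in expanded_blocklist(domain):
        problems.append("on the Fort Disco top-10 list")

    hits = [item for item in [username, *domain_words(domain), *personal]
            if item and item.lower() in low]
    if hits:
        problems.append("contains personal data: " + ", ".join(hits))

    if low in TINY_DICTIONARY:
        problems.append("a single dictionary word")

    return problems


def is_strong(password, **kwargs):
    """True when no rule fails."""
    return not check_password(password, **kwargs)


if __name__ == "__main__":
    # Constructed sample inputs for a site at example.com with user 'admin'.
    for pw in ["admin", "example.com", "Welcome1", "Tr0ub4dor&3!"]:
        result = check_password(pw, username="admin", domain="example.com")
        print(f"{pw!r}: {result or 'OK'}")
```

The blocklist check is the one that would have stopped Fort Disco outright: every entry in the table is rejected before any other rule runs, including the site's own domain name, which the length and character-mix rules alone might let through.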