Hackers mostly try obvious passwords, exploiting poor security, rather than performing difficult exploits, according to a study which left computers online with weak passwords.
The four Linux computers were hit by some 270,000 intrusion attempts - about one attempt every 39 seconds, during a 42-day period, according to the study by a researcher at the University of Maryland who wanted to see how hackers would attack them
Among the key findings: weak passwords really do make hackers' jobs much easier, and an improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer.
The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems - and what they do once they gain access.
Using software tools that help hackers guess usernames and passwords, the study logged the most common words hackers tried to use to log into the systems. Cukier and two graduate students found that most attacks were conducted by hackers using dictionary scripts, which run through lists of common usernames and passwords in attempts to break into a computer.
Some 825 of the attacks were ultimately successful and the hackers were able to log into the systems. The study was conducted between 14 November and 8 December at the school.
Cukier was not surprised by what he found. ‘Root’ was the top guess by dictionary scripts in about 12.34 percent of the attempts, while ‘admin’ was tried 1.63 percent of the time. The word ‘test’ was tried as a username 1.12 percent of the time, while ‘guest’ was tried 0.84 percent of the time, according to the experiment's logs.
The dictionary script software tried 43 percent of the time to use the same username word as a password to try to gain entrance into the affected systems, Cukier said. The reason, he said, is that hackers try for the simplest combinations because they just might work.
Once inside the systems, hackers conducted several typical actions, he said, including checking software configurations, changing passwords, checking the hardware and/or software configuration again, and loading and installing a program.
For IT security workers, the study reinforced the obvious. ‘Weak passwords are a real issue,’ Cukier said.
At the University of Maryland, users are told that passwords should include at least eight characters, with at least one uppercase letter and one lowercase. The school also recommends that at least one character be a number or punctuation symbol, Cukier said. All passwords should be changed every 180 days, according to the university's recommendations.
"That's really reasonable," Cukier said of the guidelines. "It's not helpful if the password is so complicated that people don't remember it and [therefore] write it down on a sticky note next to their computer."
Users can use the title of a favourite book for a password or even the first letters from a memorable sentence, he said. "They'll be easy for you to remember because you'll be able to remember the sentence ... without having to write it down," Cukier said.