Hackers don't bother brute-forcing long passwords

Stefan Mileschin · 24th November 2021, 12:59

Time for longer sentences

According to data collected by Microsoft's network of honeypot servers, most brute-force attackers primarily attempt to guess short passwords.

It seems that hackers can’t be bothered with targeting credentials that are long or contain complex characters. While it has been known for ages that mixing numbers and letters together makes it difficult for hackers, most “secure” password systems don’t let you get away with “letters only” passwords. So a password like “thehillsarealivewiththesoundofmusic” would be ignored by a hacker as too hard but would be considered less secure than “pArsew0rd” by most security systems.

The report penned by Ross Bevington, a security researcher at Microsoft said that after looking at a million brute force attacks against SSH made up of 30 days of data in Microsoft's sensor network 77 percent of attempts used a password between one and seven characters. A password over ten characters was only seen in six percent of cases", said Bevington.

Bevington has the relatively cool tile of being Head of Deception at Microsoft which sounds like it should have a pretty broad remit. However, amongst his many deceptive roles are creating legitimate-looking honeypot systems to study attacker trends.

https://fudzilla.com/news/53922-hack...long-passwords

24th November 2021, 12:59	#1
Stefan Mileschin [M] Reviewer Join Date: May 2010 Location: Romania Posts: 148,797	Hackers don't bother brute-forcing long passwords Time for longer sentences According to data collected by Microsoft's network of honeypot servers, most brute-force attackers primarily attempt to guess short passwords. It seems that hackers can’t be bothered with targeting credentials that are long or contain complex characters. While it has been known for ages that mixing numbers and letters together makes it difficult for hackers, most “secure” password systems don’t let you get away with “letters only” passwords. So a password like “thehillsarealivewiththesoundofmusic” would be ignored by a hacker as too hard but would be considered less secure than “pArsew0rd” by most security systems. The report penned by Ross Bevington, a security researcher at Microsoft said that after looking at a million brute force attacks against SSH made up of 30 days of data in Microsoft's sensor network 77 percent of attempts used a password between one and seven characters. A password over ten characters was only seen in six percent of cases", said Bevington. Bevington has the relatively cool tile of being Head of Deception at Microsoft which sounds like it should have a pretty broad remit. However, amongst his many deceptive roles are creating legitimate-looking honeypot systems to study attacker trends. https://fudzilla.com/news/53922-hack...long-passwords

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Don’t bother playing ‘South Park’ unless you’re a die-hard fan	Stefan Mileschin	WebNews	0	28th October 2017 08:05
HipChat resets all passwords after hackers break in	Stefan Mileschin	WebNews	0	26th April 2017 17:43
Motorola will not bother with monthly security updates	Stefan Mileschin	WebNews	0	29th July 2016 13:53
Mac keychain flaw can send your passwords to hackers via text	Stefan Mileschin	WebNews	0	3rd September 2015 07:07
Hackers leak Sony passwords, employee social security numbers and salaries	Stefan Mileschin	WebNews	0	8th December 2014 06:56
Hackers Just Exposed Thousands of Gamer Passwords	Stefan Mileschin	WebNews	0	24th November 2014 10:56
Hackers nick Facebook, Google, Twitter, Yahoo passwords	Stefan Mileschin	WebNews	0	6th December 2013 06:39
Don't even bother trying to upgrade to Windows RT 8.1 today	Stefan Mileschin	WebNews	0	21st October 2013 08:51
why bother to remember when you can just use Google?	jmke	WebNews	0	22nd July 2011 10:33
Brute force copying of HD DVD and Blu-ray successful	jmke	WebNews	0	3rd August 2006 12:55