By Todd R. Weiss
February 06, 2007
Left online for 24 days to see how hackers would attack them, four Linux
computers with weak passwords were hit by some 270,000 intrusion
attempts -- about one attempt every 39 seconds, according to a study
conducted by a researcher at the University of Maryland.
Among the key findings: Weak passwords really do make hackers' jobs much
easier. The study also found that improved selection of usernames and
associated passwords can make a big difference in whether attackers get
into someone's computer.
The study was led by Michel Cukier, an assistant professor of mechanical
engineering and an affiliate of the university's Clark School Center for
Risk and Reliability and Institute for Systems Research. His goal was to
look at how hackers behave when they attack computer systems -- and what
they do once they gain access.
Using software tools that help hackers guess usernames and passwords,
the study logged the most common words hackers tried to use to log into
the systems. Cukier and two graduate students found that most attacks
were conducted by hackers using dictionary scripts, which run through
lists of common usernames and passwords in attempts to break into a
Some 825 of the attacks were ultimately successful and the hackers were
able to log into the systems. The study was conducted between Nov. 14
and Dec. 8 at the school.
Cukier was not surprised by what he found. "Root" was the top guess by
dictionary scripts in about 12.34% of the attempts, while "admin" was
tried 1.63% of the time. The word "test" was tried as a username 1.12%
of the time, while "guest" was tried 0.84% of the time, according to the
The dictionary script software tried 43% of the time to use the same
username word as a password to try to gain entrance into the affected
systems, Cukier said. The reason, he said, is that hackers try for the
simplest combinations because they just might work.
Once inside the systems, hackers conducted several typical inquiries, he
said, including checking software configurations, changing passwords,
checking the hardware and/or software configuration again, downloading a
file, installing the downloaded program and then running it.
For IT security workers, the study reinforced the obvious. "Weak
passwords are a real issue," Cukier said.
At the University of Maryland, users are told that passwords should
include at least eight characters, with at least one uppercase letter
and one lowercase. The school also recommends that at least one
character be a number or punctuation symbol, Cukier said. All passwords
should be changed every 180 days, according to the university's
"That's really reasonable," Cukier said of the guidelines. "It's not
helpful if the password is so complicated that people don't remember it
and [therefore] write it down on a sticky note next to their computer."
Users can use the title of a favorite book for a password or even the
first letters from a memorable sentence, he said. "They'll be easy for
you to remember because you'll be able to remember the sentence ...
without having to write it down," Cukier said.
Subscribe to the InfoSec News RSS Feed