Submitted by Ryan Barnett 02/09/2010
There has been a lot of Internet chatter recently about the RockYou passwords that were exposed when attackers extracted them using SQL Injection. This huge data set offers a unique look into the types of passwords users will choose if no password complexity rules are enforced.
These weak passwords are a critical component of the overall RISK equation, however they do not include perhaps the most important factor - are any of these passwords being used by attackers in actual brute force attacks? These passwords got me thinking and I went back into the data we have collected at the WASC Distributed Open Proxy Honeypot Project and specifically reviewed the top passwords targeted by attackers during their Yahoo horizontal brute force attacks. Here is a listing of the top passwords that we have identified as used in these reverse/horizontal attacks (where the attacker chooses one password and cycles through different usernames, rather than trying many passwords against one account) -
I attribute the absence of other common passwords (such as "password") to our small data set (~470 requests) compared to RockYou. I am assuming that our honeypots are only seeing small portions of this distributed scanning, as our honeypots are but one of probably many proxies that attackers are sending their attacks through. So even though the data presented here is statistically insignificant compared to the size of the RockYou data set, it does provide corroborating evidence of the passwords that are actually being targeted in brute force attacks.
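The reverse/horizontal pattern described above (one password, many usernames) is easy to miss with per-account lockout counters, because no single account sees more than one failure. The following is an added detection example, not code from the WASC honeypot project or from this post: it parses a constructed, hypothetical log format of relayed login attempts (the field names `src`, `host`, `user`, `pass`, `result` are assumptions), groups failures by source, and labels each source as horizontal (many users, few passwords), vertical (one user, many passwords) or normal. It also produces the "top sprayed passwords" view this post is about, ranking each password by the number of distinct usernames it was tried against.

```python
import re
from collections import Counter

# Constructed sample log of login attempts seen by a proxy honeypot.
# The line format is hypothetical; the IPs are documentation ranges.
SAMPLE_LOG = """\
2010-02-09T10:00:01 src=203.0.113.5 host=login.example.com user=alice pass=123456 result=FAIL
2010-02-09T10:00:02 src=203.0.113.5 host=login.example.com user=bob pass=123456 result=FAIL
2010-02-09T10:00:03 src=203.0.113.5 host=login.example.com user=carol pass=123456 result=FAIL
2010-02-09T10:00:04 src=203.0.113.5 host=login.example.com user=dave pass=123456 result=FAIL
2010-02-09T10:00:05 src=203.0.113.5 host=login.example.com user=erin pass=123456 result=FAIL
2010-02-09T10:00:06 src=203.0.113.5 host=login.example.com user=frank pass=123456 result=FAIL
2010-02-09T10:01:01 src=198.51.100.7 host=login.example.com user=alice pass=guess1 result=FAIL
2010-02-09T10:01:02 src=198.51.100.7 host=login.example.com user=alice pass=guess2 result=FAIL
2010-02-09T10:01:03 src=198.51.100.7 host=login.example.com user=alice pass=guess3 result=FAIL
2010-02-09T10:01:04 src=198.51.100.7 host=login.example.com user=alice pass=guess4 result=FAIL
2010-02-09T10:01:05 src=198.51.100.7 host=login.example.com user=alice pass=guess5 result=FAIL
2010-02-09T10:02:00 src=192.0.2.9 host=login.example.com user=grace pass=correct-horse result=OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<result>\S+)"
)


def parse_attempts(text):
    """Return one dict per well-formed log line; malformed lines are ignored."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append(m.groupdict())
    return attempts


def summarize_sources(attempts):
    """Per source IP: total attempts, failures, distinct users/passwords among failures."""
    stats = {}
    for a in attempts:
        s = stats.setdefault(
            a["src"], {"attempts": 0, "failures": 0, "users": set(), "passwords": set()}
        )
        s["attempts"] += 1
        if a["result"] != "OK":
            s["failures"] += 1
            s["users"].add(a["user"])
            s["passwords"].add(a["pw"])
    return stats


def classify_source(stat, min_failures=5):
    """Label a source by the shape of its failed attempts.

    horizontal: few passwords spread across many usernames (password spraying)
    vertical:   many passwords against few usernames (classic per-account brute force)
    mixed:      enough failures, but neither axis dominates
    normal:     too few failures to judge
    """
    if stat["failures"] < min_failures:
        return "normal"
    users, pws = len(stat["users"]), len(stat["passwords"])
    if users > 2 * pws:
        return "horizontal"
    if pws > 2 * users:
        return "vertical"
    return "mixed"


def classify_sources(attempts, min_failures=5):
    return {src: classify_source(s, min_failures) for src, s in summarize_sources(attempts).items()}


def top_sprayed_passwords(attempts, n=5):
    """Rank passwords by how many distinct usernames they were tried against (failures only)."""
    users_per_pw = {}
    for a in attempts:
        if a["result"] != "OK":
            users_per_pw.setdefault(a["pw"], set()).add(a["user"])
    ranked = Counter({pw: len(users) for pw, users in users_per_pw.items()})
    # Sort by distinct-user count descending, then password for a stable order.
    return sorted(ranked.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    for src, label in classify_sources(attempts).items():
        print(f"{src:15} {label}")
    print("top sprayed passwords:", top_sprayed_passwords(attempts))
```

The horizontal/vertical split is driven by the ratio of distinct usernames to distinct passwords among failures, so a spraying source that tries one password across six accounts is flagged even though every individual account saw a single failure. In production you would key the same counters by a time window and, where the application never sees plaintext passwords, substitute a per-request fingerprint for the `pass` field.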