Hacker passwords not much stronger than the average user's, researcher finds
Following an analysis, an AVAST researcher concluded that hacker passwords are relatively weak.
Hacker passwords are not all that much stronger than those used by the average user, according to an AVAST researcher.
Antonin Hýža, a virus lab analyst with AVAST who analyzed nearly 2,000 passwords this week, told SCMagazine.com in a Friday email correspondence that the passwords he studied were used by black hat hackers to gain illegal access to servers.
“When a hacker finds a vulnerability in a website, [they] use a special file called a ‘shell’ to gain control over the website,” Hýža said. “AVAST detects the shell as malware to help administrators identify infected websites. Those shells are usually protected by a password so no other hacker can use them.”
The AVAST virus lab had 40,000 malware samples to work with and, in those, 1,901 were found to have unique passwords, Hýža said, adding that many of the shells were found on websites that had been defaced.
“The password can be stored in two ways, decrypted [plain text] or encrypted [hash],” Hýža said. “AVAST virus lab found 1,255 passwords in plain text and 646 passwords encrypted with MD5 algorithm, and was able to recover 346 encrypted passwords to their original, plain text form.”
Roughly 10 percent of passwords were beyond normal cracking capabilities, and some passwords were as long as 75 characters, Hýža said, adding that many consisted of nicknames, or names of hacker groups, mixed with special characters.
So what are the most used passwords?
Hýža concluded that the English dictionary word appearing most often in the passwords is ‘hack’, but he also found several variations of the words ‘pass’, ‘root’, and ‘hax’. Hýža added that several shells still carried default passwords, such as ‘r57’, ‘c99’, ‘password’, and ‘yourpass’.
Breaking it down, Hýža found that 58 percent of passwords only used lowercase English alphabet letters, 20 percent contained a mixture of lowercase English alphabet letters and numbers, nine percent were only numbers, five percent contained uppercase and lowercase English alphabet letters, and two percent contained a mixture of uppercase and lowercase English alphabet letters and numbers. Six percent of passwords contained special characters.
Hýža found that the average password length was six characters, with the majority of passwords falling between three and eight characters. Only 52 passwords were longer than 12 characters.
Hýža said that the number ‘1’ is the most used numeral, with 356 occurrences, the letter ‘a’ is the most used lowercase letter, with more than 800 occurrences, and the letter ‘S’ is the most used uppercase letter, with more than 25 occurrences.
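As an added example that is not part of the article or of AVAST's work, the script below runs the same composition, length and character-frequency breakdown Hýža describes over a constructed password list; a defender can point it at credentials recovered from a compromised host to judge how quickly they would fall to cracking and which accounts to reset first.

```python
"""Password-composition audit in the style of the AVAST shell-password study.
Added example, not AVAST's code; SAMPLE is constructed, not data from the study."""
from collections import Counter
import string

# Constructed sample passwords, not values from the study.
SAMPLE = ["hack", "root123", "4831", "HaxPass", "Pass2014", "h4x!gr0up", "r57", "c99"]

LOWER, UPPER, DIGITS = set(string.ascii_lowercase), set(string.ascii_uppercase), set(string.digits)


def classify(pw):
    """Map a password to the composition classes reported in the article; any
    character outside [A-Za-z0-9] puts it in the separate 'special' bucket."""
    chars = set(pw)
    lower, upper, digits = chars & LOWER, chars & UPPER, chars & DIGITS
    if chars - lower - upper - digits:
        return "special"
    if lower and not upper and not digits:
        return "lowercase"
    if lower and digits and not upper:
        return "lowercase+digits"
    if digits and not lower and not upper:
        return "digits"
    if lower and upper and not digits:
        return "mixed-case"
    if lower and upper and digits:
        return "mixed-case+digits"
    return "other"  # uppercase-only variants the article does not break out

def composition_report(passwords):
    """Percentage of passwords in each class, rounded to one decimal."""
    counts = Counter(classify(p) for p in passwords)
    return {cls: round(100 * n / len(passwords), 1) for cls, n in counts.items()}

def length_stats(passwords):
    """Average length and how many passwords exceed 12 characters."""
    lengths = [len(p) for p in passwords]
    return {"average": sum(lengths) / len(lengths),
            "longer_than_12": sum(1 for n in lengths if n > 12)}

def most_common_chars(passwords):
    """Most frequent digit, lowercase and uppercase letter, with counts."""
    freq = Counter("".join(passwords))
    def top(alphabet):
        hits = [(ch, n) for ch, n in freq.items() if ch in alphabet]
        return max(hits, key=lambda t: t[1], default=None)
    return {"digit": top(DIGITS), "lowercase": top(LOWER), "uppercase": top(UPPER)}
```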
Additionally, some hackers used leet speak, in which English letters are replaced with similar-looking numbers, such as an ‘I’ being replaced with ‘1’, or an ‘A’ being replaced with ‘4’.
“[I] was a little bit surprised that only 10 to 15 percent of the hackers used strong passwords,” Hýža said. “A good password should be at least 10 characters long, such as a sentence.”
Hýža said this study will help the AVAST virus lab access malware faster in the future and create stronger malware signatures.