Hackers Don’t Bother Trying to Guess Strong Passwords, New Research Shows

Here at Bitdefender, we’ve long stressed the importance of using strong, alphanumeric passwords. Using research, use-case scenarios, and fun campaigns, we’ve demonstrated that longer is better. Now, a researcher at Microsoft has evidence that suggests hackers might not even bother trying to guess your password if it’s too long or complex.

In a recent study of online behaviors, Bitdefender found that almost 60% of consumers could be deemed ‘exposed.’ Just 11% could be described as ‘secure’ in terms of their cybersecurity posture and practices. In a key finding, poor password management stood out as a core vulnerability.

A Microsoft researcher now cements the notion that password hygiene is indeed a critical vulnerability among internet users, showing that attackers prefer to work feasibly – by favoring weak passwords in their brute-force endeavors.

“I analysed the credentials entered from over >25 million brute force attacks against SSH. This is around 30 days of data in Microsoft’s sensor network,” Ross Bevington, head of Deception at Microsoft, tells The Record.

In security, deception describes the practice of setting up ‘honeypots’ (lures, traps etc.) to trick hackers into revealing their modus operandi.

“77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases,” said Bevington.

Only 7% of the brute-force attempts Bevington analyzed included a special character (#$%^&* etc.), 39% had at least one number, and none used passwords that included white space.

In other words, if you go to the trouble of setting up a 10-character password using letters, numbers and special characters – including spaces – you stand a very good chance of keeping your online accounts secure.

Food for thought.