Why Are We So Stupid About Passwords? SSH and RDP Edition
Poor Credential Hygiene Leaves Remote Services at Risk of Brute Force Attacks
If remote access to corporate networks is only as secure as the weakest link, some dreadfully guessable usernames and passwords are all that stand between hackers and many organizations' most sensitive data.
So reports cybersecurity firm Rapid7, which used a few hundred honeypots to study how attackers attempt to remotely log in using the two most widely used types of remote administration systems - secure shell protocol and remote desktop protocol.
The impact of having attackers remotely access an organization - including via RDP and SSH - can range from loss of confidentiality of sensitive information to malware infections, including ransomware. Clearly, the imperative is to ensure this sort of thing never happens (see: Ransomware Attack Vectors: RDP and Phishing Still Dominate).
Enter attackers, wielding lists of passwords. Based on the activity recorded by the honeypots - and setting aside attacks aimed at exploiting known vulnerabilities, as well as more general internet-scanning activity - Rapid7 found that criminals aiming to gain brute force access to remote access systems have collectively been wielding about half a million unique passwords.
The two most popular ones are depressingly familiar: "123456" and "password" (see: Why Are We *Still* So Stupid About Passwords?).
Of the approximately 500,000 unique passwords being employed, nearly every one also appeared in rockyou2021.txt, which is a compilation of 8.4 billion passwords drawn from public data breaches and available on GitHub.
"We conclude from this observation that online credential attackers are not generating truly random passwords, but are instead working entirely off of lists of guessable passwords," Rapid7 researchers Tod Beardsley, Erick Galinkin and Curt Barnard write in the report.
In addition, Rapid7 found that "passwords that are observed more frequently are observed exponentially more frequently than the less common passwords." In other words, some passwords simply work more often than others.
The most commonly targeted passwords "were ones that should make any internet-literate person facepalm hard," Beardsley, who's Rapid7's director of research, says in a blog post.
"The three most popular usernames for RDP were 'administrator,' 'user' and 'admin.' The three most common passwords? Brace yourselves: 'root,' 'admin' and 'nproc,'" he says. "One of the most popular passwords was literally '123456' which is definitely not the combination to our luggage." For SSH, meanwhile, one of the top 20 passwords was a blank field.
Again, attackers use what works - and in case it's not obvious, "we're not doing well enough with our passwords," Beardsley says.
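As an added example (not code from the article or from Rapid7's report), here is a defender-side counterpart to the honeypot tallies: a small Python detector that parses sshd log lines, flags source addresses producing a burst of failed password logins, and counts which usernames are being guessed. The log excerpt, hostnames and addresses are constructed samples.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sshd log excerpt (syslog format); addresses and names are samples, not honeypot data.
SAMPLE_AUTH_LOG = """\
Jun 10 03:14:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 10 03:14:03 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jun 10 03:14:04 bastion sshd[2215]: Failed password for invalid user user from 203.0.113.5 port 40126 ssh2
Jun 10 03:14:06 bastion sshd[2217]: Failed password for invalid user administrator from 203.0.113.5 port 40128 ssh2
Jun 10 03:14:09 bastion sshd[2219]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jun 10 03:14:12 bastion sshd[2221]: Failed password for invalid user admin from 203.0.113.5 port 40132 ssh2
Jun 10 03:20:44 bastion sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jun 10 03:21:02 bastion sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""

# Matches OpenSSH's "Failed password" line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2022):
    """Yield (timestamp, username, source_ip) for every failed password login in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: total_failures} for sources reaching `threshold` failures in any `window_seconds` window."""
    per_ip = defaultdict(list)
    for ts, _, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it fits
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def targeted_usernames(log_text):
    """Tally the usernames being guessed, the same statistic the honeypot study reported."""
    return Counter(user for _, user, _ in parse_failures(log_text))
```

A single mistyped password from a legitimate user stays below the threshold, while the scripted run against 'admin', 'root', 'user' and 'administrator' is flagged within seconds.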
Essential Defenses
There are some easily applied remedies. For starters, organizations simply need to ensure they're using unique passwords, as well as making them relatively long and random.
If you think this sounds like a job for password management software, you're right.
"All of these things would be covered by the use of password manager services that create unique, random passwords for every one of your online accounts," Beardsley says. "We're not getting paid by these services to say this, I assure you. They just happen to be a strong but underutilized way to have good credential hygiene."
In addition, the report authors recommend that organizations do the following:
- Restrict access: There's a long list of essential steps that organizations should take to lock down RDP, including restricting all remote access attempts to only hosts that have been authenticated first via the corporate VPN, as well as changing the default RDP port to automatically sidestep many automated attacks.
- Eliminate defaults: Always change default SSH and RDP passwords, including for cloud services and internet of things devices, before deploying.
- Audit systems: Use a free tool such as Defaultinator, which Rapid7 developed to audit SSH and RDP endpoints, to ensure that production systems aren't using default passwords.
- Manage passwords: Encourage the use of password managers and, ideally, provide them to employees, as well as shared services to IT staff.
- Scan externally: Consider using external scans to identify internet-facing systems that appear to be using weak RDP or SSH credentials or reusing passwords.
Maybe one day we'll all live in a world filled with free food replicators, flying cars and no more passwords (see: Authenticate 2022: Experts Share Path to Passwordless Future).
But for now, not least when it comes to RDP and SSH passwords, we need to smarten up.