9840518456?profile=RESIZE_400xMicrosoft (MS) announced recently that data collected by its network of honeypot servers, that most brute-force attackers primarily attempt to guess short passwords, with very few attacks targeting credentials that are either long or contain complex characters.

“I analyzed the credentials entered from over >25 million brute force attacks against SSH.  This is around 30 days of data in Microsoft’s sensor network,” said a security researcher at Microsoft.  77% of attempts used a password between 1 and 7 characters.  A password over 10 characters was only seen in 6% of cases,” said the researcher who works as Head of Deception at Microsoft, a position in which he’s tasked with creating legitimate-looking honeypot systems in order to study attacker trends.

Microsoft says that only 7% of the brute-force attempts it analyzed in the sample data included a special character.  In addition, 39% actually had at least one number, and none of the brute-force attempts used passwords that included white space.

The researcher’s findings suggest that longer passwords that include special characters are most likely safe from most brute-force attacks, as long as they have not been leaked online and are part of attackers’ brute-forcing dictionaries.

RDP brute-force attacks have tripled this year.  In addition, Bevington said that based on data from more than 14 billion brute-force attacks attempted against Microsoft’s network of honeypot servers —also known as a sensor network— until September this year, attacks on Remote Desktop Protocol (RDP) servers have tripled compared to 2020, seeing a rise of 325%.

Network printing services also saw an increase of 178%, as well as Docker and Kubernetes systems, which saw an increase of 110%.

“Stats on SSH & VNC are just as bad; they just has not changed that much since last year,” MS said.  “By default, solutions like RDP are turned off but if you decide to turn them on, don’t put stuff straight on the Internet.  Remember that attackers will go after any brute forcible remote admin protocol.  If you must have yours accessible on the Internet use strong passwords, managed identity, MFA,” the Microsoft manager said.[1]

In a SecureAuth survey, 62% of respondents claimed to use the same password across three to seven different accounts. It begs the question: If passwords play an integral role in cybersecurity performance, why are people so remiss when it comes to practicing good password hygiene?  Practicing good password hygiene is a security measure that organizations must take to protect against cyber threats. With concerns rising over data breaches, organizations must teach employees to take the necessary password protection measures to avoid attacks and compliance headaches.[2]

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com     The longer a password, the more secure it is. A strong password should be at least 12 characters long.  A strong password should be at least 12 characters long.  Random: Strong passwords use a combination of letters, numbers, cases, and symbols to form an unpredictable string of characters that does not resemble words or names.

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


[1] https://therecord.media/attackers-dont-bother-brute-forcing-long-passwords-microsoft-engineer-says/

[2] https://securityscorecard.com/blog/how-to-ensure-password-hygiene-at-your-organization

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance