Passwords Submitted To Honeypots
Heya,
I thought this look at the passwords submitted to DShield Honeypots was interesting. These honeypots are run by the Internet Storm Center, which describes them as a “low interaction honeypot that allows us to collect data for research purposes”.
If you aren’t a security researcher, a honeypot is:
The post looks at the source and attributes of passwords submitted. The honeypot stores them in clear text, which means the author can do some analysis on them which would be difficult if only the hashes were known.
Some key takeaways:
the most common password length is 8 characters
strings that any human would recognize as not being passwords, such as HTTP headers or terminal commands, are also submitted
password breach data is often used in credential stuffing attacks
There’s also a bit of Python performance commentary, some statistics about password length frequencies, and some security-based to-dos for people who use passwords.
It’s a good read.
Dan