Bad Passwords Seen in the Wild

I noticed another “brute force” attack on my site recently, trying username and password combinations repeatedly to try to break in. There were 130 attempts made, starting November 27th and continuing through the 30th. The username used in these attempts was always “admin”; 116 unique passwords were tried with it.

[Update, February 2018: in a couple of other brute force password attacks since this post was first written in December 2017, “administrator” and “curiousprog” – the name of the web site – were tried as usernames as well as passwords, with a wide variety of passwords similar to what’s cited below. Avoid using any of these user names for any logins on your website!]
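Here is how an attack like the one above shows up in an ordinary web server access log, as an added example that is not from the original post. It assumes the Apache/nginx "combined" log format and WordPress's default behaviour that a failed login to wp-login.php re-renders the form with HTTP 200 while a successful one redirects to wp-admin with HTTP 302. The log lines, the IP addresses and the failure threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in "combined" log format; not real traffic.
# Failed login POST -> 200 (form shown again); successful login POST -> 302 (redirect).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2017:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2017:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2017:03:14:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Nov/2017:09:02:44 +0000] "GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Nov/2017:09:02:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2017:03:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2017:03:20:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2017:03:20:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Nov/2017:11:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
"""

# Client IP, the date part of the timestamp, request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_login_posts(log_text):
    """Return (ip, iso_date, status) for every POST to /wp-login.php (query string ignored)."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        if m['path'].split('?', 1)[0] != '/wp-login.php':
            continue
        day = datetime.strptime(m['day'], '%d/%b/%Y').date().isoformat()
        events.append((m['ip'], day, int(m['status'])))
    return events


def summarize_login_attempts(log_text, failure_threshold=5):
    """Per source IP: failed (200) and successful (302) login POSTs, the days it was
    active, a 'brute_force' flag once failures reach the threshold, and a
    'success_after_failures' flag when a 302 arrives after that many failures,
    which is the case to treat as a probable compromise rather than a nuisance."""
    stats = defaultdict(lambda: {'failed': 0, 'succeeded': 0, 'days': set(),
                                 'success_after_failures': False})
    for ip, day, status in parse_login_posts(log_text):
        s = stats[ip]
        s['days'].add(day)
        if status == 302:
            s['succeeded'] += 1
            if s['failed'] >= failure_threshold:
                s['success_after_failures'] = True
        elif status == 200:
            s['failed'] += 1
        # other statuses (403 from a blocking plugin, 5xx) are not counted here
    return {
        ip: {'failed': s['failed'], 'succeeded': s['succeeded'],
             'days': sorted(s['days']),
             'brute_force': s['failed'] >= failure_threshold,
             'success_after_failures': s['success_after_failures']}
        for ip, s in stats.items()
    }


if __name__ == '__main__':
    for ip, summary in summarize_login_attempts(SAMPLE_LOG).items():
        print(ip, summary)
```

Two caveats when pointing this at a real log: a POST to wp-login.php?action=lostpassword also returns 200, so narrow the match on the query string if your site shows that traffic, and password guessing through xmlrpc.php (system.multicall) never touches wp-login.php at all, so it needs its own rule. The same 200-vs-302 signal is what a fail2ban filter or a login-limiting plugin keys on.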

There were several common themes in the passwords being tried. Here are some samples:

  • admin, admin123, Admin, administrator, demo, editor, guest, user, webmaster: variations on common administration or other account usernames
  • root: the name of the administrative (superuser) account on Linux and other Unix-like systems
  • curiousprog.com, curiousprog: the domain name of the website was tried as the password
  • Variations on the word “password”: password, password1, pass, p@ssw0rd, p@$$w0rd (the last two being “leet” versions of “password”, replacing “a” with “@”, “o” with “0”, “s” with “$”)
  • Sequences of keys in rows on the computer keyboard: qwerty, asdfgh, zxcvbn, 123456, qwe123
  • Column-wise sequences of keys on the keyboard: qazwsx
  • Single digits or letters: 0, 1, P
  • Repeated sequences of numbers: 111111, 222222, 333333 through 999999
  • Miscellaneous other passwords: secret, love, iloveyou, xxx

These passwords reflect attempts by site owners to create passwords that they can easily remember and enter, but they’re a little too easy, too obvious – something that hackers look for when trying to break in to a server.

If you’re using one of these passwords, take a moment to change it to something less obvious, otherwise you’re leaving your site open to attack! Follow good practices for creating secure usernames and passwords and monitor your site for unexpected users.

What Can Be Done?

Never choose an easy-to-guess password like the ones shown above. Avoid single words and short sequences of characters, and don’t use discoverable personal data such as your birthdate. Make the password at least 8 characters long, and preferably much longer: a memorable phrase of several words strung together, with some numbers and punctuation marks inserted between them, gives you length without making it hard to remember. Notably, very few of the passwords tried in this attack contained punctuation marks at all; the only ones that did were using “leet” substitutions to disguise a common word. Leet has been around for a long time and is far too well known to strengthen a password: password-cracking tools apply those substitutions automatically.

Never use “admin” as a username OR password on your WordPress site. Pick a name that’s in no way related to administration or use of WordPress or other software or computer systems. This means that the common WordPress user roles, “editor”, “author”, “contributor” and “subscriber”, should be avoided, as well as “administrator” (from Windows) and “root” and “superuser” (used on Linux systems). Avoid the temptation to dash off “admin” as the initial username when creating that next WordPress site: it hands the attacker half of the credential pair, leaving only the password to guess. Bear in mind that WordPress can still reveal login names through author archive URLs and its REST API users endpoint, so treat an unusual username as an extra hurdle, not as a secret that replaces a strong password.
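To make the advice in this section and the categories in the password list above concrete, here is a small checker, added here and not taken from the post, that rejects the username choices and password patterns described: admin-like and role names, the site’s own domain, leet-disguised common words, keyboard rows and column walks, repeated digits or letters, and anything under 8 characters or built from a single character class. It generalises a little beyond the list (more leet substitutions, reversed keyboard walks); the rule thresholds, the function names and the site domain are assumptions of the example.

```python
import re

# Added example, not the post's own code. Thresholds and helper names are assumptions.

# Account and role names seen as usernames or passwords in the attack, plus the
# WordPress roles and OS administrative names the post says to avoid.
ADMIN_LIKE_NAMES = {
    'admin', 'administrator', 'root', 'superuser', 'demo', 'editor', 'guest',
    'user', 'webmaster', 'author', 'contributor', 'subscriber',
}
# Other common words from the attack list, matched after leet normalisation.
COMMON_WORDS = {'password', 'pass', 'secret', 'love', 'iloveyou'}
# Keyboard rows, the column-wise walk (qaz wsx edc ...), and each typed backwards.
KEYBOARD_WALKS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm', '1234567890',
                  'qazwsxedcrfvtgbyhnujmikolp']
KEYBOARD_WALKS += [w[::-1] for w in KEYBOARD_WALKS]
# Leet substitutions seen in the attack (@, $, 0) plus other common ones (assumed).
LEET = str.maketrans({'@': 'a', '4': 'a', '$': 's', '5': 's', '0': 'o',
                      '1': 'i', '!': 'i', '3': 'e', '7': 't'})


def strip_decoration(s):
    """Lower-case and drop leading/trailing digits and punctuation: 'admin123' -> 'admin'."""
    return re.sub(r'^[\W\d_]+|[\W\d_]+$', '', s.lower())


def base_word(s):
    """Undo leet on the stripped core: 'p@$$w0rd' -> 'password'."""
    return strip_decoration(s).translate(LEET)


def is_keyboard_walk(s, min_chunk=3):
    """True if s splits into chunks of min_chunk+ characters that each sit
    consecutively on a keyboard row or column walk ('qwe123', 'qazwsx').
    Greedy longest-chunk matching; a heuristic, not a proof."""
    s = s.lower()
    if len(s) < min_chunk:
        return False
    i = 0
    while i < len(s):
        for end in range(len(s), i + min_chunk - 1, -1):
            if any(s[i:end] in walk for walk in KEYBOARD_WALKS):
                i = end
                break
        else:
            return False
    return True


def is_repeated(s, max_unit=3):
    """True if s is one short unit repeated: '111111', 'xxx', 'abab'."""
    for n in range(1, max_unit + 1):
        if len(s) >= 2 * n and len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return True
    return False


def site_labels(domain):
    """'curiousprog.com' -> {'curiousprog.com', 'curiousprog'} (short labels like 'www'/'com' dropped)."""
    domain = domain.lower()
    return {domain} | {part for part in domain.split('.') if len(part) > 3}


def check_username(name, site_domain):
    """Return the reason a username is a poor choice, or None if it is acceptable."""
    n = name.lower()
    if n in ADMIN_LIKE_NAMES:
        return 'admin-like name'
    if n in site_labels(site_domain):
        return 'site name'
    return None


def check_password(password, username, site_domain, min_len=8):
    """Return the list of reasons to reject a password (empty list = acceptable)."""
    reasons = []
    pw = password.lower()
    core = strip_decoration(password)
    base = base_word(password)
    if len(password) < min_len:
        reasons.append('too short')
    if base in ADMIN_LIKE_NAMES:
        reasons.append('admin-like name')
    if any(label in pw for label in site_labels(site_domain)):
        reasons.append('site name')
    if len(username) >= 3 and username.lower() in pw:
        reasons.append('contains username')
    if base in COMMON_WORDS:
        reasons.append('common word')
    if is_keyboard_walk(pw) or is_keyboard_walk(core):
        reasons.append('keyboard walk')
    if is_repeated(pw):
        reasons.append('repeated pattern')
    classes = {'digit' if c.isdigit() else 'letter' if c.isalpha() else 'other' for c in password}
    if len(classes) < 2:
        reasons.append('single character class')
    return reasons
```

Run it against a candidate at account-creation time (a WordPress site would hook it into the user-registration or profile-update flow). It deliberately checks both the raw password and its stripped core, so “qwerty1” is caught as a keyboard walk and “admin123” as an admin-like name, while a multi-word phrase with a number and punctuation passes every rule.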

Hackers can damage a site in many ways, but guessing a login is one of the cheapest ways in, and it goes nowhere when there is nothing obvious to guess. Choose secure usernames and passwords to keep attackers from getting access to your site in the first place!

References

A recent article on secure passwords from Wired magazine:
Take These 7 Steps Now to Reach Password Perfection

The worst passwords of 2015 and earlier, and how to pick better ones; a couple of years old now, but still relevant:
Worst, most common passwords for the last 5 years | Computerworld

Why passwords have never been weaker – and crackers have never been stronger | Ars Technica

What is Leet? (Wikipedia)
