Quick Password Brute Forcing Evolution Statistics, (Tue, Jun 24th) SANS Internet Storm Center, InfoCON: green

June 24, 2025

We have collected SSH and telnet honeypot data in various forms for about 10 years. Yesterday&#;x26;#;39;s diaries, and looking at some new usernames attempted earlier today, made me wonder if botnets just add new usernames or remove old ones from their lists. So I pulled some data from our database to test this hypothesis. I didn&#;x26;#;39;t spend a lot of time on this, and this could use a more detailed analysis. But here is a preliminary result: 

We have collected SSH and telnet honeypot data in various forms for about 10 years. Yesterday’s diaries, and looking at some new usernames attempted earlier today, made me wonder if botnets just add new usernames or remove old ones from their lists. So I pulled some data from our database to test this hypothesis. I didn’t spend a lot of time on this, and this could use a more detailed analysis. But here is a preliminary result:

The average username/password combinations has increased, but not steadily. I only went back to 2018 as we have more consistent data starting in 2018. Scans began with about 10-20 username/password combinations attempted from each source IP, and more recently, bots attempted around 50 username/password combinations. 

number of average username/password combinations per source IP

The graph shows each source IP address’s average username/password combination count.

Next, I checked to see if the average password length had changed. Interestingly, there was a “peak” in password length around late 2018/early 2019. But otherwise, it has been very steady at around eight characters. Password brute forcing from bots like Mirai is not about password complexity. We have complex default passwords, like 3245gs5662d34, that are regularly in our top ten scanned passwords because this password is a well-known default password for a popular video camera system. Many default passwords are around eight characters long (like “password”), which explains the popularity of passwords around that length.

average password length attempted in brute force attempts

 

 


Johannes B. Ullrich, Ph.D. Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. 

Read More

Share

In The News

Tech Jacks
Derrick Jackson is a IT Security Professional with over 10 years of experience in Cybersecurity, Risk, & Compliance and over 15 Years of Experience in Enterprise Information Technology

Leave A Reply


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.