Microsoft has released data from a honeypot project that mimicked an FTP server in order to document dictionary-based password attacks. The honeypot, monitored with a network protocol analyzer in Microsoft's Dublin-based malware research lab, found that most of the password attacks were automated rather than carried out interactively by the attackers.
"Most of the probing is done from compromised systems that are connected to a password-protected IRC channel and are waiting for commands", Microsoft said. "One such command is to scan and identify other vulnerable hosts."
The passwords tried during an attack averaged eight characters in length, and the user names six. However, the company pointed out that passwords of up to 29 characters were tried, along with user names of up to 15 characters, so length alone does not put a password beyond the reach of these dictionaries.
This information highlights the need for very strong passwords, said Microsoft. "Even a long password (10 to 15, or even 20 characters) isn’t good enough if it’s dictionary-based", it said. "There are passwords in dictionaries that are even using special characters (for example #!comment: ), not only numbers and letters."
The most common user name used in an automated attack was 'Administrator', and the most common password was 'password'.
Microsoft recommended using special characters, but not as 'l33t' substitutions (where, for example, the digit '3' stands in for the letter 'e'). Longer passwords are also better, it said.
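As an added example (not part of the article, and not Microsoft's honeypot or policy code), the check below shows why 'l33t' substitutions and a few appended digits do not turn a dictionary word into a strong password: it reverses the common substitutions, strips trailing digits and punctuation, and looks the result up in a word list. The word list, the substitution table, the 12-character minimum and the function names are assumptions chosen for illustration; a real check would use a list of millions of entries.

```python
"""Dictionary-aware password check: added example, not the article's code."""
import itertools
import re

# Constructed stand-in for the attacker word lists the article describes.
# Real lists hold millions of entries, including ones with special
# characters such as the "#!comment:" example Microsoft quotes.
DICTIONARY = {
    "password", "administrator", "admin", "letmein", "welcome",
    "qwerty", "dragon", "monkey", "#!comment:",
}

# Common l33t substitutions, reversed: each symbol maps to the letter(s)
# it usually replaces. '1' gets two candidates because it stands for
# either 'l' or 'i'. Table is an assumption; extend it as needed.
LEET_REVERSE = {
    "0": "o", "1": "li", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i", "|": "l",
}


def deleet_candidates(password, limit=256):
    """Yield plausible plain-text spellings of a l33t-style password.

    Every substitutable character may be kept or reversed, so the number of
    candidates grows exponentially; `limit` caps the work per password.
    """
    choices = []
    for ch in password.lower():
        subs = LEET_REVERSE.get(ch, "")
        choices.append([ch] + [s for s in subs if s != ch])
    for combo in itertools.islice(itertools.product(*choices), limit):
        yield "".join(combo)


def is_dictionary_based(password, dictionary=DICTIONARY):
    """True if the password, or an obvious variant of it, is a dictionary entry."""
    for candidate in deleet_candidates(password):
        # Users commonly bolt digits or punctuation onto the end
        # ("password1!"); attackers' mangling rules try the same, so
        # compare the bare word as well as the full candidate.
        core = re.sub(r"[^a-z]+$", "", candidate)
        if candidate in dictionary or core in dictionary:
            return True
    return False


def password_problems(password, min_length=12):
    """Return the list of policy violations (empty list means acceptable).

    The 12-character minimum is an assumed policy value, not one from the
    article, which only says that longer passwords are better.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("contains no special character")
    if is_dictionary_based(password):
        problems.append("dictionary-based, including l33t variants")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the honeypot's most common password, a
    # l33t variant of it, and a random-looking string that passes.
    for pw in ("password", "P@$$w0rd", "P4ssw0rd123!", "#!comment:", "Tq7#vL9!mZx2"):
        print("%-14s -> %s" % (pw, password_problems(pw) or "ok"))
```

The substitution reversal is deliberately generous (it tries both the original symbol and each letter it might stand for), since a false positive only forces the user to pick another password, while a missed dictionary variant is exactly what the automated attacks in the article exploit.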