New releases of bad or weak password lists are common[1][2] on the Internet. Those lists compile passwords that people use to protect (even if it's not the most appropriate term) their accounts. But passwords are everywhere and are also used to control access to devices. Recent attacks like the Mirai[3] botnet, which attacked IoT devices, are a good example. Once infected, a device starts searching for new potential victims by scanning the Internet for some vulnerable ports (TCP/23 and TCP/2323 are good examples), then brute-forces the password by testing a list of well-known passwords. Those passwords are somewhat different than users

(empty string!), 00000000, 1111, 1111111, 1234, 12345, 123456, 54321, 666666, 7ujMko0admin, 7ujMko0vizxv, 888888, Zte521, admin, admin1, admin1234, administrator, anko, default, dreambox, fucker, guest, hi3518, ikwb, juantech, jvbzd, klv123, klv1234, meinsm, pass, password, realtek, root, service, smcadmin, supervisor, support, system, tech, ubnt, user, vizxv, xc3511, xmhdipc, zlxx

If you have devices configured with one of those passwords, change it as soon as possible, even if your devices are not facing the Internet! Feel free to share your list of passwords if you found others, I'm curious.
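A defender-side use of the list above, as an added example that is not part of the original diary: it flags sources that try several of the listed passwords against TCP/23 or TCP/2323. The log format, the sample lines, the function name and the threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Passwords taken from the list in this post; "" is the empty-string entry.
LISTED_PASSWORDS = set("""00000000 1111 1111111 1234 12345 123456 54321 666666
7ujMko0admin 7ujMko0vizxv 888888 Zte521 admin admin1 admin1234 administrator
anko default dreambox fucker guest hi3518 ikwb juantech jvbzd klv123 klv1234
meinsm pass password realtek root service smcadmin supervisor support system
tech ubnt user vizxv xc3511 xmhdipc zlxx""".split()) | {""}

TELNET_PORTS = {23, 2323}  # the ports named in the post

# Assumed (hypothetical) honeypot log format, one login attempt per line:
#   <ISO timestamp> src=<ip> dport=<port> user=<name> pass=<password>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>.*)$")

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
2016-10-01T10:00:01Z src=198.51.100.7 dport=23 user=root pass=xc3511
2016-10-01T10:00:02Z src=198.51.100.7 dport=23 user=root pass=vizxv
2016-10-01T10:00:03Z src=198.51.100.7 dport=2323 user=admin pass=
2016-10-01T10:00:04Z src=198.51.100.7 dport=2323 user=root pass=S0me-Unlisted
2016-10-01T10:05:00Z src=203.0.113.9 dport=23 user=admin pass=admin
2016-10-01T10:06:00Z src=203.0.113.9 dport=22 user=root pass=root
2016-10-01T10:06:05Z src=203.0.113.9 dport=22 user=root pass=12345
"""

def find_bruteforcers(log_text, threshold=3):
    """Map each source IP to the listed passwords it tried on telnet ports,
    keeping only sources with at least `threshold` distinct listed passwords."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) not in TELNET_PORTS:
            continue  # unparsable line, or not TCP/23 / TCP/2323
        if m["pw"] in LISTED_PASSWORDS:  # an empty password also counts
            tried[m["src"]].add(m["pw"])
    return {ip: sorted(p) for ip, p in tried.items() if len(p) >= threshold}

if __name__ == "__main__":
    for ip, pws in find_bruteforcers(SAMPLE_LOG).items():
        print(ip, "tried", len(pws), "listed passwords:", pws)
```

Counting distinct listed passwords per source, rather than failed logins in general, keeps a single mistyped login from being flagged.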
[1] http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514
[2] http://www.passwordrandom.com/most-popular-passwords
[3] https://isc.sans.edu/forums/diary/The+Short+Life+of+a+Vulnerable+DVR+Connected+to+the+Internet/21543
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant