Microsoft Malware Protection Center.
Do and don’ts for p@$$w0rd$
Almost a year ago, we started a project designed to monitor incoming attacks against a normal user on a day-to-day basis. We presented you with details about the geographical area from where the attacks originated and what services were targeted, and we gave you just a hint about FTP dictionary-based attacks. Now we’re going into a bit more detail about the passwords, having so far gathered hundreds of user names and tens of thousands of passwords that have been used in automated attacks in the last couple of months. Most of them were collected by our (fake) FTP server, which is designed to emulate a small part of the FTP protocol and log the information so that it’s easy to process.
As you can see below in the statistics, the length of the passwords is quite interesting, mainly because the average length according to our data is 8 characters and that’s quite close to the length of the passwords that many people use for their Internet accounts.
Statistics about user names and passwords:
- Longest user name: 15 chars
- Longest password: 29 chars
- Average user name length: 6 chars
- Average password length: 8 chars
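A minimal sketch of the kind of FTP login emulator described above, added here as an illustration and not the code used in the project: the class and function names, the reply texts and port 2121 are assumptions. It emulates only USER/PASS/QUIT, never grants access, records every attempt, and computes the longest and average lengths the way the statistics above report them.

```python
import socketserver
from statistics import mean

class FtpSession:
    """Emulates only the login part of FTP and records each attempt."""
    def __init__(self, peer, log):
        self.peer, self.log, self.user = peer, log, None

    def handle(self, line):
        # Strip only the line ending so spaces inside a password survive.
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "331 Password required"
        if cmd == "PASS":
            if self.user is None:
                return "503 Login with USER first"
            self.log.append((self.peer, self.user, arg))
            self.user = None
            return "530 Login incorrect"  # the emulator never grants access
        if cmd == "QUIT":
            return "221 Goodbye"
        return "502 Command not implemented"

def length_stats(values):
    """Longest and rounded average length of the collected strings."""
    lengths = [len(v) for v in values]
    if not lengths:
        return {"longest": 0, "average": 0}
    return {"longest": max(lengths), "average": round(mean(lengths))}

ATTEMPTS = []  # (peer address, user name, password) tuples

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = FtpSession(self.client_address[0], ATTEMPTS)
        self.wfile.write(b"220 Service ready\r\n")
        for raw in self.rfile:
            reply = session.handle(raw.decode("latin-1"))
            self.wfile.write((reply + "\r\n").encode())
            if reply.startswith("221"):
                break

if __name__ == "__main__":
    # Assumed address and port; bind to a monitored, isolated interface when deployed.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2121), Handler) as srv:
        srv.serve_forever()
```

Calling `length_stats` on the user-name and password columns of `ATTEMPTS` yields the same kind of figures as the list above.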
Here is a top 10 list with the most common user names used in automated attacks:
Microsoft’s password checker



