About a month ago I got curious about bots that target WordPress sites. I use the Limit Login Attempts plugin and every time I got an alert that an IP had been limited it was always for the username ‘admin’. I had never thought much about it, but it makes sense as an attack vector given how many people probably do use that name. What I wondered was what sorts of attacks they were trying. In particular, the passwords they used seemed most interesting.
So I started writing a new plugin, Admin Login Notifier, which you can also fork on GitHub if you’re into that kind of thing. Admin Login Notifier does pretty much what it sounds like — it grabs the password when someone tries to log in as ‘admin’ and notifies you. Originally it sent an email for each attempt; now it saves them in a dashboard page and sends a daily email digest.
It’s been running on my site for a couple weeks and, as of this morning, has caught over 1,000 attempts. I decided it would be interesting to look at the list and see what these bots are up to. Until recently, the passwords were all in emails (and not saved elsewhere) so aggregating them was a bit of a pain. Because of some different formats I used in the emails, I ended up only exporting 920 of them, which you can see here.
I was especially curious about the strength of passwords used by bots, which I decided to break down into four really basic metrics:
- Length — Just the number of characters in a password
- Uniqueness — The number of unique characters in a password
- Complexity — The number of character types in a password, like uppercase letters, or symbols
- Repetition — How often bots tried the same passwords as other bots (or as themselves)
Here is the script I used.
And here are the results. You can do this yourself by saving the password list as sample.txt in the same directory as this script.
Average length: 6.2 characters
Average unique characters: 4.8 characters
Average character types: 1.2 types
Repetition: 17% of password attempts were repeats of other attempts
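As an added example (not the script from the original post), here is a small Python implementation of the four metrics above. It reads one attempted password per line from `sample.txt` when given a path, and otherwise runs on a constructed list embedded below; counting every attempt beyond the first use of a given password as a "repeat" is an assumption about how the post defines repetition.

```python
from collections import Counter
import string

# Constructed sample of attempted passwords (not the author's 920-entry list).
SAMPLE = """password
123456
admin
Admin123
qwerty
123456
password
aaaaaa
letmein
P@ssw0rd
"""

ALNUM_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)

def char_types(pw):
    """Count character classes present: lowercase, uppercase, digit, symbol."""
    types = sum(1 for cls in ALNUM_CLASSES if any(c in cls for c in pw))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        types += 1  # anything non-alphanumeric counts as a symbol class
    return types

def analyze(passwords):
    """Return the post's four metrics (plus a top-3 list) over a list of attempts."""
    n = len(passwords)
    if n == 0:
        raise ValueError("no attempts to analyze")
    counts = Counter(passwords)
    repeats = n - len(counts)  # assumption: attempts beyond each password's first use
    return {
        "count": n,
        "avg_length": sum(len(p) for p in passwords) / n,
        "avg_unique_chars": sum(len(set(p)) for p in passwords) / n,
        "avg_char_types": sum(char_types(p) for p in passwords) / n,
        "single_type_share": sum(1 for p in passwords if char_types(p) == 1) / n,
        "repeat_share": repeats / n,
        "top": counts.most_common(3),
    }

def load(path="sample.txt"):
    """Read one attempt per line; blank lines are skipped, inner spaces kept."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return [line.rstrip("\n") for line in f if line.strip()]

if __name__ == "__main__":
    import sys
    attempts = load(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for key, value in analyze(attempts).items():
        print(f"{key}: {value}")
```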
Hopefully you can learn a few things from this. First, you should learn not to use the username ‘admin’. Beyond that, here are a couple of conclusions. None of these are particularly noteworthy, and each ought to sound familiar if you’ve read any other password advice on the web.
- Use long passwords. Bots try pretty short passwords, so you should use long passwords. There are mathematical reasons for doing this, too. But we’re sticking to empirical data for this post.
- Use lots of characters. Although the average password attempt was just over 6 characters, it contained 25% fewer unique characters. Bots try a lot of repeated characters, likely because people repeat characters to make their passwords easier to remember. Don’t do that.
- Use multiple character types. 80% of all attempts used only one character type.
- Don’t use passwords found on things like “Most commonly used passwords” lists. 1 in 6 passwords that bots attempt are repeats. Don’t make their jobs easier.
Admin Login Notifier isn’t terribly useful, but it is kind of fun and I’m glad it helped me get a look at this data.