Hackers Rarely Brute-Force Passwords Longer Than 7 Characters
A Microsoft security researcher has shared some telling statistics: most attackers brute-force only short passwords, and only a small share of attempts target longer passwords or passwords that include special characters.
The researcher collected this data from numerous honeypot servers he manages as part of his job, studying current trends among attackers. “I analyzed credentials used in more than 25,000,000 brute-force attacks on SSH,” says Microsoft expert Ross Bevington. “In 77% of cases, brute-force attempts targeted passwords between 1 and 7 characters long. Passwords longer than 10 characters appeared in only 6% of cases.”
Bevington also notes that only 7% of brute-force attacks included at least one special character, while 39% included at least one digit. None of the brute-force attempts considered passwords that might contain spaces.
In other words, a long password containing special characters falls outside what the vast majority of these online guessing attacks even try. That holds only as long as the credential hasn’t leaked some other way or ended up in an attacker’s custom dictionary or wordlist, and it says nothing about how the password would hold up against offline cracking of a stolen hash, where an attacker’s guessing budget is far larger.
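The profile Bevington describes (length buckets, presence of special characters, digits and spaces) is easy to reproduce over a honeypot's own login log. The script below is an added example and is not part of the original report or of Bevington's tooling: it assumes newline-delimited JSON events in the shape an SSH honeypot such as Cowrie emits (`eventid`, `username`, `password`), and the sample log and its passwords are constructed for illustration. Empty passwords, which real honeypots do see, get their own bucket rather than being folded into the 1-7 range.

```python
"""Length / character-class profile of passwords tried against an SSH honeypot.

Added example, not code from the original article. Assumes Cowrie-style
JSON-lines events; SAMPLE_LOG below is constructed, not a real capture.
"""
import json
import string
from collections import Counter

# Constructed sample in a Cowrie-like JSON-lines layout (assumed format).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventid": "cowrie.session.connect", "src_ip": "203.0.113.7"},  # not a login attempt
    {"eventid": "cowrie.login.failed", "username": "root", "password": "123456"},
    {"eventid": "cowrie.login.failed", "username": "root", "password": "password"},
    {"eventid": "cowrie.login.failed", "username": "admin", "password": "admin"},
    {"eventid": "cowrie.login.failed", "username": "root", "password": "root"},
    {"eventid": "cowrie.login.failed", "username": "root", "password": "P@ssw0rd!"},
    {"eventid": "cowrie.login.failed", "username": "user", "password": "qwerty"},
    {"eventid": "cowrie.login.failed", "username": "root", "password": "letmein123"},
    {"eventid": "cowrie.login.success", "username": "root", "password": "toor"},
    {"eventid": "cowrie.login.failed", "username": "root", "password": "Welcome2024!!"},
    {"eventid": "cowrie.login.failed", "username": "pi", "password": "changeme"},
    {"eventid": "cowrie.login.failed", "username": "root", "password": ""},  # empty guess
])

# Both outcomes count as an attempt; we are profiling what attackers try.
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def length_bucket(pw: str) -> str:
    """Map a password to the length ranges used in the article."""
    n = len(pw)
    if n == 0:
        return "empty"
    if n <= 7:
        return "1-7"
    if n <= 10:
        return "8-10"
    return ">10"


def iter_passwords(log_text: str):
    """Yield the password from every login event; skip blank or malformed lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("eventid") in LOGIN_EVENTS and "password" in ev:
            yield ev["password"]


def profile(log_text: str) -> dict:
    """Count attempts per length bucket and per character class, with percentages."""
    by_length = Counter()
    flags = Counter()
    total = 0
    for pw in iter_passwords(log_text):
        total += 1
        by_length[length_bucket(pw)] += 1
        if any(c in string.punctuation for c in pw):
            flags["special"] += 1
        if any(c.isdigit() for c in pw):
            flags["digit"] += 1
        if " " in pw:
            flags["space"] += 1

    def pct(k: int) -> float:
        return round(100 * k / total, 1) if total else 0.0

    return {
        "total": total,
        "by_length": dict(by_length),
        "by_length_pct": {b: pct(n) for b, n in by_length.items()},
        "special_pct": pct(flags["special"]),
        "digit_pct": pct(flags["digit"]),
        "space_pct": pct(flags["space"]),
    }


if __name__ == "__main__":
    print(json.dumps(profile(SAMPLE_LOG), indent=2))
```

Point the script at a real `cowrie.json` (read the file and pass its text to `profile`) to compare a sensor's traffic against the figures quoted above; the 1-7 bucket normally dominates exactly as Bevington reports.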
Bevington also points out that, based on data from 14 billion brute-force attacks recorded against Microsoft honeypot servers, RDP brute-force attacks have risen by 325% compared with 2020. Attacks on network printing services are up 178%, and attacks on Docker and Kubernetes are up 110%.
“The statistics for SSH and VNC are just as bad, but they haven’t changed much since last year,” the expert says. “By default, solutions like RDP are disabled, but if you decide to enable them, don’t expose everything directly to the internet. Remember, attackers will brute-force any remote administration protocol. If you need internet access, use strong passwords, managed credentials, and multi-factor authentication.”