Following up on some of the SSH brute force attack data we’ve previously presented, here are some statistics on the length of the passwords used in the attacks we’ve observed during the last six months. The graph below shows the number of attacks for passwords ranging from 1 to 20 characters in length.
Not surprisingly, most of the attacks target passwords in the range of 4-8 characters. Notice the significant drop after 8 characters; this is probably due to the fact that a lot of systems still enforce an 8-character upper limit. Another reason could be human laziness in selecting the lowest number of characters allowed by the policy, which in almost every case sets the lower limit to 6, 7 or 8 characters. Most policies also define the recommended length as equal to the lower limit. Restricting the password to an upper limit of 6-8 characters is fortunately no longer the case for modern operating systems, but as lower limits and recommendations are still kept at this length, it will remain the main target for brute force attacks.
So, if your password is longer than 8 characters, you are dodging a whole lot of attacks. Of course, to gain a higher level of security, length is not the only factor to consider. It is essential that the password complies with a case-sensitive alphanumeric character policy. Using special characters as well, such as underscores and slashes, would further increase the password space.
As a side note, of the approximately 1.5 million attacks in this data set, 1408 attacks used passwords with more than 20 characters. Topping the statistics are 4 attacks that used a 122-character password, but as it consists only of numbers and lots of spaces it does not constitute a good password, if it is indeed an actual password. The longest password-looking string recorded is the following:
mt13hzxwUXu8PsT6KYExvLu5zgGEpC0vtmhVjg7KIWknhzfCalwVinh3rqyh7Ui

We apologize if we’ve just now made your password public :)
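As an added illustration (not code from the original post or the honeypot it describes), a small Python script that performs the same kind of analysis on a constructed sample of honeypot-captured login attempts: it bins the attempted passwords by length, counts those over 20 characters, and estimates the search space implied by each attempt's length and character mix. The `user:password` sample format and the 33-symbol "other" class are assumptions made for the example.

```python
import math
from collections import Counter
# Constructed sample of honeypot-captured login attempts (user:password), not real data.
SAMPLE_ATTEMPTS = """
root:123456
root:password
admin:admin
root:qwerty12
root:Passw0rd!
root:abc
oracle:oracle123
root:1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
root:mt13hzxwUXu8PsT6KYExvLu5zgGEpC0vtmhVjg7KIWknhzfCalwVinh3rqyh7Ui
"""
# Assumed alphabet size per character class; "other" covers 32 ASCII punctuation marks plus space.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}

def parse_attempts(text):
    """Extract the password field from 'user:password' lines (a password may contain ':')."""
    return [line.split(":", 1)[1] for line in text.strip().splitlines() if ":" in line]

def length_histogram(passwords, max_len=20):
    """Attempts per password length 1..max_len, plus the count of attempts longer than that."""
    hist, over = Counter(), 0
    for pw in passwords:
        if 1 <= len(pw) <= max_len:
            hist[len(pw)] += 1
        elif len(pw) > max_len:
            over += 1
    return hist, over

def character_classes(pw):
    """The set of character classes a password draws from."""
    return {"lower" if c.islower() else "upper" if c.isupper() else
            "digit" if c.isdigit() else "other" for c in pw}

def search_space_bits(pw):
    """log2 of the search space implied by length and character mix (digits and spaces: 43 symbols)."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def longest(passwords):
    return max(passwords, key=len, default="")

if __name__ == "__main__":
    pws = parse_attempts(SAMPLE_ATTEMPTS)
    hist, over = length_histogram(pws)
    for n in sorted(hist):
        print(f"length {n:2d}: {hist[n]} attempts")
    print(f"over 20 characters: {over}; longest: {len(longest(pws))} chars, "
          f"{search_space_bits(longest(pws)):.1f} bits of search space")
```

The 122-character digits-and-spaces case from the post scores high on length alone, which is why the script reports the character mix alongside it.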