(The fifth entry on the list, “12345,” inevitably brings to mind the excellent Spaceballs: “1-2-3-4-5? That’s the stupidest combination I’ve ever heard of in my life! That’s the kinda thing an idiot would have on his luggage!)”

Top Attacked Username and Password Pairs: Credentials

Every security team should make it a priority to ensure that the top attacked usernames and passwords, especially in combination, do not exist on any application. Proper access control is not a one-time effort. Access continually changes as new systems are deployed, new services are enabled, new employees are onboarded, or job roles change. Many enterprise environments have services that customers access and those rights change over time as well. Keeping up with appropriate access rights is an operationally intensive task so to help with prioritization, start with ensuring none of the following most attacked username and password pairs exist anywhere:

For the top 100 list of attacked user names and passwords, see the Hunt for IoT v5 Report on F5Labs.

It is worth noting that the most commonly attacked credentials are the vendor defaults for some of the most commonly used applications in enterprise environments today. Simply having a basic system hardening policy that ensures vendor default credentials are disabled or changed before the system goes live will prevent this common issue from becoming a painful breach. This is the reason system hardening is a requirement in every best practice security framework or compliance requirement.

Someone with compliance, audit, or security in their job title should be continually reviewing access to all systems. Commonly, security teams focus only on systems within the scope of some compliance or regulatory obligation, but fail to review the seemingly innocuous systems that could result in a major breach. Two casinos, one in the US and one in Europe, have been breached through thermometers in their lobby fish tanks. Target was breached through their HVAC system. These cases reinforce the importance of access control, no matter the nominal criticality of the system. Targeting SSH can provide attackers with access to commonly deployed enterprise applications, but also to seemingly innocuous IoT devices like a fish tank thermometer and HVAC system. As a result, every business connected to the internet needs to prioritize access control review.

Outside of continual access reviews, monitoring should be in place to detect access attacks. The F5 Security Incident Response Team (SIRT) commonly helps customers recover from brute force attacks they were not aware of because they didn’t have monitoring in place. Brute force attacks can not only lead to a breach, but they often cause performance impact on the targeted system or lock customers out of their accounts from the failed login attempts. Because of this, there is a significant financial incentive for any organization to get proper monitoring in place.