Password usage analysis of brute force attacks on honeypot servers

Password usage analysis of brute force attacks on honeypot servers

As Microsoft’s Head of Deception, Ross Bevington is responsible for setting up and maintaining honeypots that look like legitimate systems and servers.

Honeypot systems are designed to pose as an attractive target for attackers. Sometimes they are left vulnerable to create a controllable and safe environment to study ongoing attacks. This provides researchers with data on how attackers operate and enables them to study different threats.

In Bevington’s words:

“I develop and lecture on these technologies with emphasis on the human behind the keyboard and how to integrate Deception into general security posture.”

Now, Bevington has released information gathered from Microsoft honeypots of over 25 million brute force attacks against SSH.


Secure Shell (SSH) is a protocol optimized for Linux server access, but it can be used across any operating system’s server. Remote Desktop Protocol (RDP) is almost exclusively used for accessing Windows virtual machines and physical Windows servers. Based on data provided by Bevington, which were taken from more than 14 billion brute-force attack attempts against Microsoft’s network of honeypot servers until September this year, attacks on Remote Desktop Protocol (RDP) servers have seen a rise of 325%.

RDP is one of the most popular targets because it is a front door to your computer that can be opened from the Internet by anyone with the right password. And because of the ongoing pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened.

The data

What the research data analysis looked at were the credentials that were attempted during more than 25 million brute force attacks against the Microsoft honeypot systems, which roughly represents a period of 30 days.

Some highlights of these results:

  • 77% of the passwords were between 1 and 7 characters long
  • Only 6% of the passwords were longer than 10 characters
  • 39% of the passwords contained at least one number
  • None of the attempted passwords contained a space


The data above can help you determine whether a password is more secure than another. But, there are some caveats. Passwords need to be long and complex because it’s their length, complexity and uniqueness that determines how difficult they are to crack.

However, you can have the longest password in the world, but if it has been leaked in a breach there is a chance that an attacker will add it to their dictionary. This is the reason we tell you not to re-use your passwords. It’s inconvenient to lose one in a breach, but if that means having to change your password on multiple sites and services, it’s a major inconvenience.

In an older study by Microsoft, it was determined that users should spend less effort on password management issues for don’t-care and lower consequence accounts, allowing more effort on higher consequence accounts. Unless you are using a password manager doing the work for you, of course. Your efforts to come up with a strong password are wasted at sites that store passwords in plaintext or reversibly encrypted.

Sites that require minimum length and/or use other complexity standards have always been a major annoyance. Not only because every site uses a different standard, some of which have been made obsolete, they also encourage users to come up with simple passwords that just barely meet the standard. Am I right, MyDogsName1 and P@$$w0rd?

One of the recommendations of the earlier Microsoft study was that organizations should invest their own resources in securing systems rather than simply offloading the cost to end users in the form of advice, demands or enforcement policies that are often pointless.

The fact that none of the attempts contained a space looks favorable for insights that recommend using three random words separated by spaces. Easy to remember, type in (especially on smaller devices) and harder to guess.

Passwordless future

Not too long ago, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services. We talked that over with a world expert on passwords, Per Thorsheim, and while we will welcome the passwordless future, there are some concerns when it comes to account recovery and what may happen when people lose access to their choice of authenticator.

How to protect your organization from brute force attacks

The ground rules of protecting against remote online attacks are basically:

  • Limit the number of open ports
  • Restrict the access to those that need it
  • Enhance security of the port and the protocol

There are applications that can help you accomplish these basic tasks if you feel the built-in tools are too hard to configure.

Restricting the access is the point of this post. Telling us that a password alone is not always enough. And when you rely on passwords make sure to choose them wisely.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.