IT administrators’ passwords are awful too

The key is under the doormat by the front door.

The administrator password is “admin”.

These are easy-to-remember clues when you are letting in someone you trust. The problem is that they are also enormously easy to guess. It’s where we would expect an unwanted visitor to check first, before breaking out the toolbox.

Random end users could be forgiven for relying on such obviously insecure habits, but what about professionals whose job it is to keep things safe and secure? Research has revealed that IT administrators are just as likely to do the tech equivalent of putting the key under the mat as end users, with both groups using similarly predictable passwords.

The top 10 passwords assembled by the researchers look like this:

  1. Admin
  2. 123456
  3. 12345678
  4. 1234
  5. Password
  6. 123
  7. 12345
  8. admin123
  9. 123456789
  10. adminisp

The first 10 entries in a password dictionary we found online:

  1. 123456
  2. Password
  3. 12345678
  4. Qwerty
  5. 12345
  6. 123456789
  7. Letmein
  8. 1234567
  9. Football
  10. iloveyou

Part of the popularity of passwords like admin, password, and 12345 might lie in the fact that they are often used as defaults. You know, the ones used during an initial setup that are supposed to be changed. Default passwords, even if they are more complex, have the huge disadvantage that they can be found by simply looking up the product documentation in a search engine.

For that reason, using default passwords is considered a serious security risk. There are three different types of password attack that will discover passwords like admin or 12345 almost immediately:

  • Password spraying tries a short list of the most common passwords against as many accounts as possible, so that no single account sees enough failures to trigger a lockout.
  • Credential stuffing looks for reused passwords by trying username and password pairs leaked from breaches of other websites, as-is, against the target.
  • Dictionary attacks work through a whole wordlist of common passwords against one account at a time.

Do you see the resemblance? Add a little knowledge about the password policy, such as the minimum length, and the attacker is going to have a field day. They wouldn’t even need a program to try these options; ten guesses can easily enough be typed in by hand.
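To make the three attack patterns concrete, here is an added example (not code from the original article or from Malwarebytes) that runs all three against a constructed set of accounts, using the two top-10 lists quoted above as the attacker's material. The accounts, passwords and "breach dump" are made up for the demonstration, and the password store hashes with PBKDF2 at a deliberately low iteration count so the script finishes instantly. It also includes the check a password-change form should perform: reject anything on a known-bad list.

```python
import hashlib
import os

# The two top-10 lists quoted in the article.
ADMIN_TOP10 = ["Admin", "123456", "12345678", "1234", "Password",
               "123", "12345", "admin123", "123456789", "adminisp"]
DICT_TOP10 = ["123456", "Password", "12345678", "Qwerty", "12345",
              "123456789", "Letmein", "1234567", "Football", "iloveyou"]

# Constructed accounts and a constructed breach dump; none of this is real data.
SAMPLE_ACCOUNTS = {
    "admin": "admin123",                # default-style admin password
    "jsmith": "Football",               # reused from another (breached) site
    "backup": "Letmein",                # common dictionary word
    "mlee": "c0rrect-horse-battery-9",  # long, unique passphrase
}
SAMPLE_BREACH = [("jsmith", "Football"), ("mlee", "Summer2019!"), ("nobody", "hunter2")]


def hash_pw(password, salt, iterations=1000):
    """PBKDF2-HMAC-SHA256. The iteration count is kept low only so the demo is fast;
    a real deployment uses a far higher one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_accounts(plaintexts):
    """Store each account as (salt, hash), the way a login system would."""
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_pw(pw, salt))
    return store


def password_spraying(store, short_list):
    """A few very common passwords, each tried against every account."""
    for guess in short_list:
        for user in sorted(store):
            yield user, guess


def credential_stuffing(store, breach_pairs):
    """Username/password pairs lifted from another site's breach, tried as-is."""
    for user, guess in breach_pairs:
        if user in store:
            yield user, guess


def dictionary_attack(store, wordlist):
    """A whole wordlist tried against each account in turn."""
    for user in sorted(store):
        for guess in wordlist:
            yield user, guess


def run_attack(store, name, guesses, found):
    """Try each (user, guess); record the attempt number at which an account fell.
    Accounts already compromised by an earlier attack are skipped without counting."""
    attempts = 0
    for user, guess in guesses:
        if user in found:
            continue
        attempts += 1
        salt, digest = store[user]
        if hash_pw(guess, salt) == digest:
            found[user] = (name, attempts)
    return attempts


def simulate(plaintexts=SAMPLE_ACCOUNTS, breach=SAMPLE_BREACH):
    """Run spraying, then stuffing, then dictionary; return {user: (attack, attempts)}."""
    store = make_accounts(plaintexts)
    found = {}
    run_attack(store, "spraying", password_spraying(store, ADMIN_TOP10), found)
    run_attack(store, "stuffing", credential_stuffing(store, breach), found)
    run_attack(store, "dictionary", dictionary_attack(store, DICT_TOP10), found)
    return found


def is_weak(password, denylist=ADMIN_TOP10 + DICT_TOP10):
    """The check a password-change form should apply: reject anything on the
    known-bad lists, case-insensitively."""
    return password.lower() in {p.lower() for p in denylist}


if __name__ == "__main__":
    for user, (attack, n) in simulate().items():
        print(f"{user}: compromised by {attack} after {n} attempts")
```

Three of the four constructed accounts fall within a few dozen hash comparisons in total: the admin account to spraying, the reused password to stuffing on its very first try, and the dictionary word to the wordlist. Only the long, unique passphrase survives, which is the point of the denylist check: if `is_weak` had been applied when those passwords were set, none of the three would have been accepted.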

There is one glimmer of hope remaining after we read this. We hope that IT administrators know that passwords alone are not secure enough for important assets and will have added an extra layer of security in the form of multi-factor authentication (MFA).

As I wrote before, and will probably repeat in the future, multi-factor authentication is so much more secure, and with that a lot more forgiving, than passwords alone. I would not recommend it, but writing down your password on a Post-It and sticking it on your monitor won’t do a remote attacker any good if you have set up your MFA properly. Also not recommended, but you could even re-use your weak password on every site, as long as all those accounts were protected with the most effective, phishing-resistant form of MFA, such as a hardware security key. The caveat is that “properly” is doing a lot of work there: a password the attacker already knows, combined with push-approval MFA, just invites a stream of approval prompts until someone taps “Yes”.

So, dear IT administrators, we can only hope that MFA is your defense strategy. But you should realize that when your password is this easy to guess, the setup hardly deserves to be called “multi”-factor authentication, because you are giving the first factor away.

Your access rights are something any cybercriminal would love to take over. Think of what they could do by logging in as you, and don’t give them that chance. Don’t be the weak link. End users sometimes complain about the hassle of using a password manager, but one shouldn’t really be a problem for you. Be a shining example.


ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.