IT admins are just as culpable for weak password use

New data from Outpost24 reveals that IT administrators could be just as predictable as end-users when it comes to passwords. An analysis of just over 1.8 million passwords ranks ‘admin’ as the most popular password with over 40,000 entries, with additional findings pointing to a continued acceptance of default passwords. 

This data on administrator credentials is obtained from Outpost24’s Threat Intelligence solution, Threat Compass, which provides actionable intelligence around stolen user credentials. Threat Compass detects compromised credentials obtained by malware and notifies security teams to mitigate the targeted threat as soon as possible.

What are default passwords?

A default (admin) password is the predefined password for a device, system, or application that is usually associated with the default account and intended to be used for the initial set-up. Default passwords are generally well-known (for example, admin, password, 12345), or can easily be found by simply looking up the product documentation, or just searching online. Default passwords are considered a security vulnerability as they are one of the easiest entry points for an attacker.

In recent years, new legislation has banned the use of default passwords, including the U.K. government’s Product Security and Telecommunication Infrastructure (PSTII) Bill, and the California default password law (Senate Bill 327).

Yet, despite their bad reputation, they are still widely used. While the data from our analysis was obtained from credential stealer software, a type of malware designed to target the applications capable of storing usernames, passwords, and other authentication credentials, most of the passwords in our list could have been easily guessed in a rather unsophisticated password-guessing attack.

Top 20 administrator passwords: Default, static, and just plain bad

To narrow down our password list to administrator passwords, we searched the statistical data stored in the Threat Compass backend for pages identified as Admin portals. We found a total of 1.8 million passwords recovered in 2023 (January to September).

The top 20 administrator passwords retrieved by Outpost24’s threat intelligence solution, Threat Compass:

  1. admin
  2. 123456
  3. 12345678
  4. 1234
  5. Password
  6. 123
  7. 12345
  8. admin123
  9. 123456789
  10. adminisp
  11. demo
  12. root
  13. 123123
  14. admin@123
  15. 123456aA@
  16. 01031974
  17. Admin@123
  18. 111111
  19. admin1234
  20. admin1

While our top 20 findings are limited to known and predictable passwords, the fact that they were associated with admin portals also tells us that bad actors are well equipped to target privileged users. Let’s review how malware can target IT professionals, and what passwords are vulnerable.

How password-stealing malware (stealers) works

Malware comes in many different shapes and forms. Through a variety of different social engineering tactics, bad actors will deliver the malware onto a target system. While phishing campaigns are the most widely known operation, the recent rise of organized cybercriminal groups, most notably Traffers teams, has generated more specialized malware delivery.

Traffers spread malware through YouTube videos or Google ads to fraudulent content. Administrators may be targeted with ads for IT administrator tools that will redirect them to another site. These rogue sites will then bundle the malware with legitimate software to avoid detection.

Once installed, the malware will quietly sit in the background and collect personal information about the user, such as the logins on a user’s computer, which can include:

  • Web browsers, for example Google Chrome.
  • FTP clients, for example WinSCP.
  • Mail client accounts, for example Microsoft Outlook.
  • Wallet files, for example Bitcoin.

Depending on the application, it can be simple to overcome the encryption mechanism to uncover the plaintext passwords for the user’s applications. For example, in Google Chrome, the malware puts in a request, on the victim’s behalf, to the browser’s encryption tool to decrypt information stored on your computer.

From there, the password will make its way to a marketplace where it will be sold to the highest bidder who can then use it in account takeover or credential stuffing attacks.  

Outpost24’s security recommendation

To secure passwords and consequently business data, there are two key takeaways. One is securing passwords through standard best practices, and the second is avoiding malware infection.

Best practices for securing passwords

Let us start with the obvious. Do not use default passwords, and always create a unique, long, strong, password for each account. Enforce these security measures across your network. Look for signs of poor admin password practices with tools like Specops Password Auditor (an Outpost24 company). This read-only tool scans your Active Directory environment for password-related vulnerabilities, including which accounts are using identical, blank, expired, and compromised passwords. Identical Active Directory passwords can be a sign you are not blocking common passwords or that admin users are using the same passwords across multiple accounts. Other admin password-related vulnerabilities the tool can look for include stale admin accounts, delegable admin accounts, and more.

Best practices against malware infection

This one is a bit more complicated. First, you need to stay on top of growing trends in the cybercriminal landscape. The ecosystem is constantly evolving and having a threat intelligence solution can help you identify the latest threats, and the security measures needed to stay protected.

For a practical approach against today’s threats, like the Traffers attack chain, we recommend:

  • Using an up-to-date anti-malware solution, like endpoint detection and response, and antivirus.
  • Disabling browser password saving, and auto-fill settings as credentials stored in web browsers can be easily retrieved by malware. 
  • Verifying that you have been redirected to the desired site after clicking on an ad, or link.
  • Paying close attention to domain typo-squatting, divergent content, and other red flags in a website.
  • Avoiding “cracked” software on corporate and personal devices.  
  • And finally, mitigating the risk of a targeted attack if user’s credentials are obtained by Malware. Learn more about Threat Compass.