Why do usernames matter?
Since early yesterday afternoon, a M35 Web Design client’s website has been the target of a ‘brute force attack’. A brute force attack is an attempt by a hacker to crack a website’s usernames and passwords and/or to find hidden web pages, using a trial and error approach. The hacker is a ‘bot’ (computer), whose sole purpose is to login to a website and then cause havoc in whatever way it can.
The particular bot that is attacking the client’s site is located in Vietnam and, on average, has been attempting to login to their site every six minutes or so. As I write this it’s still trying to find a way in, although the attempts have slowed down considerably.
How does a brute force attack work?
Firstly, the bot needs to find a valid login page so it can attempt to login to the site. Then, by working through a dictionary of possible usernames and passwords, it will repeatedly try different combinations hoping to find one that works. Sometimes hackers will recycle usernames and passwords from other data breaches to see if they work on other systems – they might just hit lucky.
This Vietnamese bot has tried some of the following as usernames, and some it’s tried repeatedly:
1
111
123
123123
1234
12345
123456
12345678
Admin
AnonymousFox
Mr.Ya3sine
admin1
admina
author
demo
dexter
editor
education
gary
guest
kenneth
left_blank
linda
linoleumjet
lucas
magico
manager
mark
member
milkwood
patricia
petar
preview
price
qwerty
root
sophie
student
subscriber
support
temp
test
test1
test123
test2
teste
tester
testing
testuser
user
user1
username
visiteur
wpmu
wpupdateuser
z_r
The point of this post is that you can see, from the above, that the hacker is trying out some quite common names, words and number patterns to see if they will work. It will also be trying to guess passwords in a similar way.
I should also mention that brute force attacks are fairly commonplace, but many site owners/webmasters don’t even realise when a site is under attack. Hopefully security procedures are already in place that will stop a hacker getting in, but sometimes a site is unprotected. That said, even the best protection won’t stop a completely determined hacker.
Think random…
The words tried out by the Vietnamese hacker show just how important it is to choose your username carefully when you register on a website. Think random – don’t use known words, definitely not your name, middle name, child’s name, dog’s name or anything that can be guessed via checking out Facebook etc. Use ten letters/numbers if you can, or more if you are able to.
An example of a good username: JKaQ$bXz8Pg
A bit about passwords (and size matters)
With regards to secure passwords, try to string together at least three UNRELATED words – or preferably four – to make complex pass phrases. You can also use random symbols, e.g. $ or @, although not all sites let you use these in a password.
An example of a good password: PurseTreeLeatherDogBanana
or
Kg6$XdQv8m@b
Finally, it’s somewhat ironic to see that the last username guess our Vietnamese bot tried to login with was ‘secure’.
