Last Updated: 2016-12-07 13:15:50 UTC
by Xavier Mertens (Version: 1)
New releases of bad or weak passwords lists are common on the Internet. Those lists compile passwords that are used by people to protect (even if it's not the most appropriate term) their accounts. But passwords are everywhere and also used to control access to devices. Recent attacks like the Mirai botnet which attacked IoT devices are a good example. Once infected, a device will start to search for new potential victims by scanning the Internet for some vulnerable ports (TCP/23, TCP/2323 are good examples), then brute-force the password by testing a list of well-known passwords. Those passwords are somewhere different than users' password but just as vulnerable.
While hunting, I found some interesting pieces of C source code that contained lists of passwords used by such infected devices. Keep in mind that a password considered as strong (your know the magic formula: a mix of upper/lower case characters, numbers and special characters) is useless if it is known in the wild!
Here is the list of passwords that I found to be used in the wild:
"" (empty string!) 00000000 1111 1111111 1234 12345 123456 54321 666666 7ujMko0admin 7ujMko0vizxv 888888 Zte521 admin admin1 admin1234 administrator anko default dreambox fucker guest hi3518 ikwb juantech jvbzd klv123 klv1234 meinsm pass password realtek root service smcadmin supervisor support system tech ubnt user vizxv xc3511 xmhdipc zlxx
If you have devices configured with one of those passwords, change it as soon as possible. Even, if your devices are not facing the internet! Feel free to share your list of passwords if you found others, I'm curious.
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant