Hello and welcome to the Tuesday, September 5th, 2020,

edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from London, England.

Well, given the long weekend, we have a couple of diaries to catch up on first one by Jesse, looking at the origin of some of

the passwords being found in our S.H and Telnet data. This is typically Prooforce password data.

Now, the top passwords being found here are common default passwords.

But what Jesse did is to dive deeper into the passwords.

He looked at 250,000 passwords that were used against his own honeypot.

And then compared them to the half-a-bin-poned list as well as the Roku list. What surprised me a little bit

is that there is still, I think, about 30% of the data that was in neither list. Now, some of

the passwords being captured by our honeypots are actually not meant to be used as passwords.

And Jesse talks a little bit about this.

So, for example, sometimes you find essentially bash commands in the password field.

That's often by fairly sort of simplistic bots that just throw the data at the honeypot

and don't necessarily worry about whether or not the attacker is actually logged in.

So after the initial use and when password is rejected,

when they are then starting sending bash commands,

they end up again in password fields,

which are then logged as passwords.

Also kind of interesting that even some very long passwords being used against the honeypots,

some exceeding 40 characters, can then be identified in the half-up-in-poned list.

So attackers are certainly using some of these leaked passwords in order to help

...