Hello and welcome to the Thursday, October 2nd, 2025 edition of the Sands Internet Storms Centers.

Stormcast, my name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu master's degree program in information security

engineering. Today's diary comes yet again from one of our undercreated interns. Trayton

Barwick wrote this diary looking at the passwords collected by the Honeypot and then comparing

them to the have I been a pawned to the Have I Been Poned list.

Have I Been Pond you're probably familiar with is a website that does collect passwords from

password breaches and you can look up if a particular password has already been leaked in one of

these breaches and that's what Trayton is doing here

with a script. This script will first of all summarize and extract all the passwords from the

Honeypot logs and then compare them to the half-have-been-poned list. No big surprise? Well,

most of the passwords are in the half-I-be-boned list.

And that in part is because often default passwords are being attempted, but also credential

stuffing where attackers are attempting to use passwords that were specifically found in prior breaches.

Now then, Trayton took a closer look at the remaining 7% of passwords that didn't show up

in half-have-been-poned, and many of them were derivatives of passwords, like, for example,

changing the year and things like this or adding a couple special characters.

Probably the attackers attempt here to expand on the patterns

that are commonly seen in these league password lists

to hopefully gather and hit a couple passwords

that maybe the competition hasn't attempted yet.

And tall came me with Clutch Security published an interesting vulnerability report for One Login.

...