Attackers Don't Bother Brute-forcing Long Passwords, Microsoft Engineer Says

According to data collected by Microsoft's network of honeypot servers, most brute-force attackers primarily attempt to guess short passwords, with very few attacks targeting credentials that are either long or contain complex characters. From a report: 'I analysed the credentials entered from over -- million brute force attacks against SSH. This is around 30 days of data in Microsoft's sensor network,' said Ross Bevington, a security researcher at Microsoft. '77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases,' said Bevington, who works as Head of Deception at Microsoft, a position in which he's tasked with creating legitimate-looking honeypot systems in order to study attacker trends.

Read more of this story at Slashdot.