科技回声
A tech news platform built with Next.js, providing global tech news and discussion.
Don't use 1234 as your password

50 points, by floorlamp, over 11 years ago

18 comments

dangrossman, over 11 years ago
The very first time I tried Linux, after spending an entire day downloading Slackware, copying it to a set of install diskettes, partitioning a hard drive and installing it, I set my root password to "12345".

I was around 10 at the time, 1995 plus or minus a year or two.

After booting for the first time, I dialed up AOL and logged on to a Linux-topic IRC channel. I talked to the strangers there about how excited I was to try Linux for the first time.

I quit my IRC client and typed "ls". Command not found. I tried "uptime". Command not found. "cd". Command not found.

While I was on IRC, someone had telnet'd in, guessed my stupidly simple password, and rm -rf'd the whole hard disk. I cried over breaking the computer and had to be consoled by my parents. I never used a common password again.

I now miss the days when hackers and viruses alike just wanted to delete your files or print messages on your screen. Secretly taking over your still-functioning system is much nastier.
Reply #6752027 not loaded
Reply #6752319 not loaded
Reply #6752112 not loaded
Reply #6752180 not loaded
PhasmaFelis, over 11 years ago
I'm pretty sure, based on that post, that you have a fair bit more system administration experience than I do, which makes the whole thing even more boggling.

I feel like a professional auto mechanic is telling me, all serious-like, that he just learned the hard way why you shouldn't try to drive while running alongside your car, reaching through the window to work the steering wheel, with a brick on the accelerator.
Reply #6752352 not loaded
kristopolous, over 11 years ago
I found a 68K SGI Iris 2400 machine up and running in college in about 2004. It had a sticker with the hostname on it. Later on that week, I went to the department homepage, got the staff roster and tried to guess the usernames.

I telnetted to port 25 and tried RCPT TO hypothesized names, like so

    $ telnet host 25
    MAIL FROM: a@a.com
    250 Sender OK
    RCPT TO: afranks
    550 Recipient not found
    RCPT TO: arty.franks
    250 Recipient OK

...

With this list of usernames I logged into the FTP to try to guess trivial passwords:

    $ telnet host 21
    USER arty.franks
    User OK
    PASS 1234
    Login failed
    PASS password

...

Eventually I got a valid username/password combo.

Now I can just telnet <host> and log in. I got a line like this:

    Last login April 12, 1992.
    $

It had this ancient version of IRIX on it, a hard drive under 100 MB, no X, a version of egcs, some ancient version of perl, no bash, and I think 12MB of RAM?

It was fun, but I didn't know what I wanted to do with it. We executed this attack from the school library. Putz'd around a bit, in amazement of how old it was, and that it was still online, and then logged out - never to return.

https://www.youtube.com/watch?v=9EEY87HAHzk - a video of the machine
Reply #6752534 not loaded
Reply #6752042 not loaded
Tomdarkness, over 11 years ago
Quick and simple solution. If you are only using key based logins then just disable password SSH logins, add:

    ChallengeResponseAuthentication no
    PasswordAuthentication no
    UsePAM no

To your sshd config and then you don't need to worry as much about if one of your accounts has a password of 1234.
Reply #6752469 not loaded
D9u, over 11 years ago
Why not disable password logins completely, use PKI for all connections, and while we're at it, restrict logins to known hosts?

Also, don't use passwordless keys.

Then there's moving sshd off of port 22 to provide some obscurity.

Yada yada yada... How many times will we have to go over this subject?
Reply #6752678 not loaded
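The settings Tomdarkness and D9u are talking about are easy to get subtly wrong: a later duplicate line is silently ignored (sshd keeps the first value it sees for a keyword), a Match block can re-enable passwords for one network, and a host with no AllowUsers/AllowGroups allowlist lets every local account with a shell try to log in, which is how the stray "test123" account pantalaimon describes further down became an SSH login. The following is an added example, not code from any comment in this thread: a small Python auditor that reads an sshd_config, resolves those rules, and reports what is still password-reachable. The built-in defaults it assumes are those of a modern OpenSSH (7.x or later), it treats ChallengeResponseAuthentication as an alias for KbdInteractiveAuthentication the way OpenSSH 8.7 and later do, and the three sample configs are constructed for the example.

```python
"""Offline audit of an sshd_config for password-reachable logins.

Added example for this thread, not code from any commenter. Assumes a
modern OpenSSH (7.x or later) for the built-in defaults; `sshd -T` is the
authoritative check on a live host.
"""
import re
import sys

# OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication and keeps the old name as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Value sshd uses when the directive is absent (assumption: OpenSSH 7.x+).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}

# Value we want on a key-only server.
WANTED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
}
# Root-login values that still refuse passwords, so they are acceptable too.
ROOT_OK = {"no", "prohibit-password", "without-password"}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Split a config into its global section and its Match blocks.

    sshd uses the FIRST value it sees for a keyword, so later duplicates are
    ignored; a Match block only overrides what it sets explicitly."""
    global_section, match_blocks = {}, []
    current = global_section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        key = ALIASES.get(key.lower(), key.lower())
        if key == "match":
            current = {}
            match_blocks.append((value.strip(), current))
            continue
        current.setdefault(key, value.strip().strip('"'))   # first value wins
    return global_section, match_blocks


def audit(text):
    """Return human-readable findings; an empty list means the file is clean."""
    global_section, match_blocks = parse_sshd_config(text)
    findings = []

    def check(section, label, use_defaults):
        for key, want in WANTED.items():
            if key not in section and not use_defaults:
                continue
            effective = section.get(key, DEFAULTS[key]).lower()
            if key == "permitrootlogin" and effective in ROOT_OK:
                continue
            if effective != want:
                findings.append(f"{label}{key} is {effective!r}, want {want!r}")

    check(global_section, "", use_defaults=True)
    for criteria, block in match_blocks:
        check(block, f"Match {criteria}: ", use_defaults=False)
    if "allowusers" not in global_section and "allowgroups" not in global_section:
        findings.append("no AllowUsers/AllowGroups: every local account with a "
                        "valid shell may try to log in over SSH")
    return findings


# Constructed samples: a stock-looking server, the same server hardened, and
# the hardened one with a Match block that quietly re-enables passwords.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AllowGroups sshusers
UsePAM yes
PasswordAuthentication yes   # ignored: sshd keeps the first value above
"""

MATCH_CONFIG = HARDENED_CONFIG + """\
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in audit(text) or ["clean"]:
        print(finding)
```

Run it as `python audit_sshd.py /etc/ssh/sshd_config` (file name assumed); with no argument it audits the constructed weak config and lists four findings. On a live host, `sshd -T` prints the effective configuration after includes and first-value resolution, and feeding that output to the auditor is the definitive check. Two caveats a practitioner will want: keep a second session open while reloading sshd so a typo cannot lock you out, and note that with `UsePAM yes` (the Debian and Ubuntu default) the PAM keyboard-interactive path is exactly what `KbdInteractiveAuthentication no` closes, whereas `UsePAM no` as in the comment above also switches off PAM account and session handling for every login.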
gensym, over 11 years ago
That's amazing. I've got the same combination on my luggage!
Reply #6751837 not loaded
morgante, over 11 years ago
Duh... honestly, what are you doing anywhere near Digital Ocean if you'd *ever* use 1234 as a password?
Reply #6751715 not loaded
perlpimp, over 11 years ago
Use key-based authentication in sshd and do away with the password authentication scheme. Well, you should put a password on your private key, but that should cover just about every password-cracking case.
hobs, over 11 years ago
Also, fail2ban is a useful thing in this instance. But if your password is 1234... what's the deal with that?
Reply #6751874 not loaded
purringmeow, over 11 years ago
You just reminded me I need to check my VPS, although I am not using a simple password :(

EDIT: It seems that leaving your VPS unattended for a month is a bad idea. I can't log in, because the server terminates the connection immediately and the passwords for the host's backend have been changed. Great!
DigitalSea, over 11 years ago
How about a password like this? 1|2|3|4 or 1!2!3!4 — probably not nearly as guessable and more secure. But yes, not using 1234 as your default password for anything is sound advice that everyone should know.
Reply #6752755 not loaded
krrishd, over 11 years ago
This title is perfect for the 4chan thread.
pantalaimon, over 11 years ago
The same happened to us when someone added a user 'test123' with the password 'test', just to… test something locally, totally forgetting that it would also permit access via ssh.
geoffbp, over 11 years ago
sshdautoban is useful for preventing ssh brute-force attacks - hosts.deny ban for any IP address with 5 failed connections in less than 15 secs
brownbat, over 11 years ago
Alright, I'll bite. Why did the attacker mine primecoin (rather than bitcoin, or any of a dozen other cryptocurrencies)?
Reply #6752257 not loaded
rasengan, over 11 years ago
You are very lucky that the hacker didn't take precautionary steps to edit scripts/hide their activities.
rakoo, over 11 years ago
> Why I stopped [perfectly fine activity]... and why you should too
GnwbZHiU, over 11 years ago
I usually use 'password' or 'pa55w0rd' :)