Finding weak admin passwords before bad bots do

Bad bots make up 20% of all web traffic and are everywhere, at all times: they don't take breaks, they don't sleep, and they never tire of looking for the next website to invade. When it comes to the attractiveness of a website, though, bad bots seem to have a type. According to The 2017 Bad Bot Report, recently published by the San Francisco-based cybersecurity company Distil, most bad bots look for proprietary content and/or pricing information, a login section, web forms, and payment processing.

Given that a good deal of e-commerce platforms meet most, if not all, of the above-mentioned criteria, it didn't come as a surprise to us to see an increase in the frequency of brute force password attacks on our hosted Magento webshops. Compared to last year, the number of attacks increased by more than 150%, resulting in a whopping 20,000+ malicious probes per hour on our Hypernode platforms.

Identifying weak passwords is costly and time-consuming

Unfortunately these attacks can be successful, and one of the reasons they are is that a large number of merchants still use weak (that is, easily guessable) passwords in their store backends. In the past we've written extensively about the measures you can take as a store owner to prevent yourself from becoming a victim of a brute force password probe attack. For admins and agencies, however, identifying weak passwords can be a time-consuming and costly process: you need dedicated hardware, GPUs and a complex software setup that can take hours to set up.

No more! Thanks to the Milky Way's finest Magento security expert, Peter O'Callaghan, there is now an n98-magerun plugin that quickly finds the most common weak passwords. And the best thing is: it's already deployed on all of our Hypernodes! By providing this tool, we want to enable agencies to quickly find which of their customers use weak passwords, and thus ultimately prevent costly security incidents. As an agency or admin managing multiple stores, for example, you can easily run the tool on newly imported stores to check for weak passwords. Integrating the tool into your workflow by using it for periodic checks on your production stores keeps your clients' stores safe and consumer data protected. Non-Hypernode customers need not worry: the tool is open source and you can find more information right here.
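As an added example (not the plugin's code, nor Hypernode's), the following Python script shows the kind of offline check such a tool performs: it compares the stored admin password hashes of a Magento 1 store against a small list of common passwords and reports which accounts need a forced reset. It assumes the Magento 1 hash layout md5(salt + password):salt (or an unsalted md5(password) on very old installs); the admin rows and the wordlist are constructed samples.

```python
import hashlib

# Constructed sample of frequently guessed passwords; a real audit would use
# a much larger wordlist.
COMMON_PASSWORDS = ["123456", "password", "admin123", "magento", "qwerty", "welcome1"]


def magento1_hash(password: str, salt: str) -> str:
    """Assumed Magento 1 admin hash layout: md5(salt + password) + ':' + salt."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest() + ":" + salt


def hash_matches(stored: str, candidate: str) -> bool:
    """Check one candidate password against one stored hash, handling both the
    salted 'digest:salt' form and the unsalted legacy md5(password) form."""
    if ":" in stored:
        _, salt = stored.split(":", 1)
        return magento1_hash(candidate, salt) == stored
    return hashlib.md5(candidate.encode("utf-8")).hexdigest() == stored


def find_weak_admins(admin_rows, wordlist=COMMON_PASSWORDS):
    """Return {username: matching wordlist entry} for every admin whose stored
    hash corresponds to a common password. Accounts with no match are omitted."""
    weak = {}
    for username, stored in admin_rows:
        for candidate in wordlist:
            if hash_matches(stored, candidate):
                weak[username] = candidate
                break
    return weak


# Constructed admin_user rows (username, password hash), standing in for the
# result of "SELECT username, password FROM admin_user"; "legacy" has an
# unsalted hash from an old install.
SAMPLE_ADMINS = [
    ("alice", magento1_hash("admin123", "Xy7q")),
    ("bob", magento1_hash("c0rrect-h0rse-battery-staple", "p9Lk")),
    ("legacy", hashlib.md5(b"password").hexdigest()),
]

if __name__ == "__main__":
    for user in find_weak_admins(SAMPLE_ADMINS):
        print(f"{user}: password is on the common-password list; force a reset")
```

Run against real rows, the same logic flags accounts by username only, so the report can be shared with an agency without disclosing the matched passwords.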