Request Free Consultation


How to Foil Brute Force Password Attacks

How to Foil Brute Force Password Attacks

WordPress administrators take note: According to Microsoft security researcher Ross Bevington, brute-force attackers focus primarily on guessing short passwords to gain entry into protected systems. He found that very few attacks involve access credentials comprised of long passwords, or passwords that use complex character combinations.

These conclusions are the result of analysis of data collected from Microsoft’s network of honeypot servers, which are configured to look like legitimate servers but are used solely to attract attacks and study trends. Bevington analyzed the credentials entered from over 25 million brute force attacks against these servers during a 30-day period. Among his findings:

  • 77% of hack attempts used a password between 1 and 7 characters
  • 39% of passwords had at least one number
  • 7% of brute-force attempts included a special character
  • 6% of cases involved passwords of over 10 characters
  • None of the brute-force attempts used passwords that included white space *

Bevington’s findings suggest that longer passwords that include special characters are better at thwarting the vast majority of brute-force attacks, as long as they haven’t been leaked online and are not part of an attacker’s brute-force dictionary.

Passwords to Avoid

In separate research, Panama-based Nordpass has published their annual analysis of password use across 50 countries. The Top 10 most common passwords currently in use – and ones to scrupulously avoid – are:

  • 123456 (103,170,552 hits)
  • 123456789 (46,027,530 hits)
  • 12345 (32,955,431 hits)
  • qwerty (22,317,280 hits)
  • password (20,958,297 hits)
  • 12345678 (14,745,771 hits)
  • 111111 (13,354,149 hits)
  • 123123 (10,244,398 hits)
  • 1234567890 (9,646,621 hits)
  • 1234567 (9,396,813 hits)

Among other findings, Nordpass researchers found that a number of people use their own name as their password. Other common passwords are related to popular music and sports. The use of cities/towns is also very common as is the use of swear words.

Lessons Learned

When WordPress administrators design passwords, it is advisable to use the built-in secure password generator when adding users or changing existing passwords. These passwords are complex combinations of at least 24 letters, numbers and symbols. For added security, Multi-Factor Authentication should be implemented for each user.

* The use of white space in passwords is not supported by WordPress.


Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.

Everything You Need. More Than You Expect.
703-407-4363  |


Skip to content