I noticed that my Linux machine at home, with a permanent connection to the Internet,
was getting a large number of ssh connection attempts. Of course it was
someone trying to gain control over my machine. I got curious about what
passwords they were trying, especially for the root account. After
some time of hacking OpenSSH I found out, with some surprise, that
when using password authentication on ssh the server actually gets the
password, not a hash of it as I would have expected (though it makes sense
since ssh is multi-platform and every platform stores authentication tokens
in a different way). The cool thing about that is that I modified sshd
to log the password of the failed attempts!! (something you should not
do in general). The result was my collection of root passwords, a list of
all the passwords attempted on my machine during a couple of days.
Root password list
It is good to see classics like r00t and sex are in the list. By far my favorite is
"americaonline". Love the idea of someone installing Linux and being prompted
for the root password and, while thinking, bumping into one of those junk AOL CDs.
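
The observation above, that with password authentication the server receives the password itself, follows from the message layout in RFC 4252, section 8. The sketch below is an added example, not code from this post or from OpenSSH: it builds and parses the decrypted payload of an SSH_MSG_USERAUTH_REQUEST, and the function names and the sample credential are constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252

def _string(value: bytes) -> bytes:
    # SSH "string": uint32 big-endian length followed by the raw bytes
    return struct.pack(">I", len(value)) + value

def build_password_request(user: str, password: str) -> bytes:
    # Client side: payload layout for the "password" method (RFC 4252, section 8)
    return (
        bytes([SSH_MSG_USERAUTH_REQUEST])
        + _string(user.encode())
        + _string(b"ssh-connection")
        + _string(b"password")
        + b"\x00"  # boolean FALSE: this is not a password change
        + _string(password.encode())  # the password itself, not a hash
    )

def _read_string(buf: bytes, off: int):
    # Bounds-checked read of one SSH string; returns (value, next offset)
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_userauth_request(payload: bytes) -> dict:
    # Server side: what the daemon holds once the transport layer has decrypted
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    user, off = _read_string(payload, 1)
    service, off = _read_string(payload, off)
    method, off = _read_string(payload, off)
    fields = {"user": user.decode(), "service": service.decode(),
              "method": method.decode()}
    if method == b"password":
        if off >= len(payload):
            raise ValueError("missing password-change flag")
        fields["password_change"] = payload[off] != 0
        secret, off = _read_string(payload, off + 1)
        fields["password"] = secret.decode()
    return fields

if __name__ == "__main__":
    # Constructed sample credential, not taken from any real log
    print(parse_userauth_request(build_password_request("root", "constructed-sample")))
```

Public-key authentication (RFC 4252, section 7) sends a signature rather than a reusable secret, so the server never holds anything it could replay elsewhere.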