It seems that hackers can’t be bothered with targeting credentials that are long or contain complex characters. While it has been known for ages that mixing numbers and letters together makes it difficult for hackers, most “secure” password systems don’t let you get away with “letters only” passwords. So a password like “thehillsarealivewiththesoundofmusic” would be ignored by a hacker as too hard but would be considered less secure than “pArsew0rd” by most security systems.
The report penned by Ross Bevington, a security researcher at Microsoft said that after looking at a million brute force attacks against SSH made up of 30 days of data in Microsoft's sensor network 77 percent of attempts used a password between one and seven characters. A password over ten characters was only seen in six percent of cases", said Bevington.
Bevington has the relatively cool tile of being Head of Deception at Microsoft which sounds like it should have a pretty broad remit. However, amongst his many deceptive roles are creating legitimate-looking honeypot systems to study attacker trends.