If you do a search, you can find blogs reporting what usernames and passwords the attack is targeting.
If you do a search and don't word your query exactly right, you will instead find loads of useful and informative discussions on how to change, recover or reset a forgotten password via assorted ventures into the sql database.
For a given definition of "change", "recover" etc. anyway.
Don't some people deal with crawler authorization issues by using the "Satisfy any" construct, meaning that a visitor has to either log in or be the Googlebot?