‘Admin’ and ‘123456’ Still Among Most Used Passwords in FTP Attacks

Weak passwords continue to be a major vulnerability for FTP servers. Specops’ latest report highlights the most frequent passwords used in attacks and offers advice on better password policies.
Cybersecurity researchers at Specops have analysed the passwords that attackers used over the past month when trying to break into FTP (File Transfer Protocol) servers. Their research, shared with Hackread.com, shows that attackers still rely heavily on easily guessable passwords despite the availability of more sophisticated techniques, which underlines the need for stronger password policies.
The Specops team observed live attacks against real networks and identified the passwords used most often in brute-force attempts, in which an attacker repeatedly tries username and password combinations until one works. The research was published around the same time that Specops added over 133 million compromised passwords to its “Breached Password Protection” service.
The study examined attacks against TCP port 21, FTP’s control port, which is a common entry point because the plain protocol sends usernames and passwords in cleartext and many servers are left with default accounts. The three most frequently tried passwords were “admin” (907 attempts), “root” (896) and “123456” (854). Other frequent guesses included simple words such as “password” and “admin123” and keyboard patterns such as “qwerty”, which shows that many users still fail to change default credentials or choose strong passwords.
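Defenders on the receiving end of these attempts usually see them first in the FTP server's own log. The following script is an added example, not code from the Specops report or from Hackread: it parses constructed log lines in the format vsftpd writes to its log file (assumed here), flags a client that fails to log in at least five times within 60 seconds, and raises a second, louder alert if that same client later logs in successfully, which is the pattern that matters in an incident. The thresholds, the sample addresses and the usernames are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the format vsftpd writes to /var/log/vsftpd.log
# (assumed here; not real traffic and not data from the Specops report).
SAMPLE_LOG = """\
Mon Jan  8 10:00:01 2024 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon Jan  8 10:00:02 2024 [pid 2103] [root] FAIL LOGIN: Client "203.0.113.5"
Mon Jan  8 10:00:03 2024 [pid 2105] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon Jan  8 10:00:04 2024 [pid 2107] [ftp] FAIL LOGIN: Client "203.0.113.5"
Mon Jan  8 10:00:05 2024 [pid 2109] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon Jan  8 10:00:06 2024 [pid 2111] [test] FAIL LOGIN: Client "203.0.113.5"
Mon Jan  8 10:00:08 2024 [pid 2113] [admin] OK LOGIN: Client "203.0.113.5"
Mon Jan  8 10:00:40 2024 [pid 2115] [alice] OK LOGIN: Client "198.51.100.7"
Mon Jan  8 10:03:00 2024 [pid 2117] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Jan  8 10:12:00 2024 [pid 2119] [admin] FAIL LOGIN: Client "192.0.2.9"
Mon Jan  8 10:14:00 2024 [pid 2121] [admin] FAIL LOGIN: Client "192.0.2.9"
Mon Jan  8 10:15:00 2024 [pid 2123] [admin] OK LOGIN: Client "192.0.2.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Return (timestamp, user, result, ip), or None for lines that are not login events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]


def detect(log_text, threshold=5, window_seconds=60):
    """Flag clients with >= threshold failed logins inside a sliding time window,
    and flag any successful login from a client that has already tripped that rule."""
    window = timedelta(seconds=window_seconds)
    recent_fails = defaultdict(deque)   # ip -> timestamps of FAIL LOGIN inside the window
    usernames = defaultdict(set)        # ip -> usernames that client has tried
    brute_force = {}                    # ip -> (time of alert, failures in window, usernames)
    compromised = []                    # (ip, user, time) for an OK LOGIN after an alert
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, result, ip = ev
        if result == "FAIL":
            q = recent_fails[ip]
            q.append(ts)
            usernames[ip].add(user)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in brute_force:
                brute_force[ip] = (ts, len(q), sorted(usernames[ip]))
        elif ip in brute_force:
            compromised.append((ip, user, ts))
    return brute_force, compromised


if __name__ == "__main__":
    bf, comp = detect(SAMPLE_LOG)
    for ip, (ts, n, users) in bf.items():
        print(f"brute force: {ip} reached {n} failures at {ts:%H:%M:%S}, usernames tried: {users}")
    for ip, user, ts in comp:
        print(f"SUCCESSFUL LOGIN AFTER BRUTE FORCE: {ip} as '{user}' at {ts:%H:%M:%S}")
```

On the sample, 203.0.113.5 trips the rule on its fifth failure and is then reported again when it logs in as "admin"; 192.0.2.9 makes two failed attempts two minutes apart, which the sliding window does not treat as an attack, so its later success is not flagged. In production the same logic runs over a tail of the live log, and the alert on a post-burst success is the one to route to an on-call responder.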
A significant finding was how simple the guesses were: 54% of the attempted passwords contained only numbers or lowercase letters, while a mere 1.6% combined uppercase letters, lowercase letters, numbers and special characters.

In other words, a policy requiring at least one character of each type would have rejected about 98% of the passwords attackers are currently throwing at FTP servers. Note that this figure describes the attackers’ present word list, not password strength: guessing tools can add mixed-case and symbol variants of the same base words at no cost, so composition rules complement, rather than replace, length requirements and breached-password screening.
Finally, the researchers looked at the length of the passwords used in attacks and found that the large majority, 87.4%, were between 6 and 10 characters long. This supports the direction of the latest NIST (National Institute of Standards and Technology) guidance in SP 800-63B, which prioritizes password length (the current revision recommends a minimum of 15 characters) over mandatory composition rules, because long passwords and passphrases are far harder to brute-force.
They also contrasted the FTP attacks with those targeting RDP (Remote Desktop Protocol) on TCP port 3389, noting that RDP encrypts its traffic and supports additional authentication controls, which makes simple password guessing less productive there. FTP, which in its plain form sends credentials in cleartext, therefore remains a prime target for attackers who want to steal files or plant malware.
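To turn the composition and length figures above, and the blocklist recommendation that follows, into a concrete check, the following Python is an added example (not Specops’ tooling and not code from the article). It reproduces the three statistics the report gives (share of guesses using only lowercase letters or digits, share using all four character classes, share 6 to 10 characters long) over a constructed list of guesses modelled on the passwords named above, then scores each guess against an assumed policy of at least 15 characters, at least three character classes and a breached-password blocklist, stripping a trailing run of digits and symbols before the blocklist lookup so that a variant such as "Admin@123" is caught by the entry "admin". The guess list, the blocklist and the policy thresholds are all constructed for this example.

```python
import re
import string

# Constructed list of guesses modelled on the passwords the article names;
# made up for this example, not the Specops data set.
ATTACK_GUESSES = [
    "admin", "root", "123456", "password", "admin123", "qwerty",
    "ftpuser", "Password1", "P@ssw0rd", "letmein", "12345678",
    "Admin@123", "abc123", "ftp", "Welcome1!", "summer2024",
]

# Constructed stand-in for a breached-password blocklist (lowercase entries);
# a real deployment loads millions of entries from a file.
BREACHED = {"password", "123456", "qwerty", "admin", "root", "letmein",
            "p@ssw0rd", "password1", "12345678", "abc123"}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def char_classes(pw):
    """Set of character classes (lower/upper/digit/special) present in pw."""
    chars = set(pw)
    return {name for name, members in CLASSES.items() if chars & members}


def composition_report(passwords):
    """The three statistics the article reports, computed over any list of guesses."""
    n = len(passwords)
    return {
        "only_lower_or_digits": sum(char_classes(p) <= {"lower", "digit"} for p in passwords) / n,
        "all_four_classes": sum(len(char_classes(p)) == 4 for p in passwords) / n,
        "length_6_to_10": sum(6 <= len(p) <= 10 for p in passwords) / n,
    }


def evaluate_policy(pw, min_length=15, min_classes=3, breached=BREACHED):
    """Rules pw fails under the assumed policy; an empty list means the password is accepted."""
    failures = []
    if len(pw) < min_length:
        failures.append("too_short")
    if len(char_classes(pw)) < min_classes:
        failures.append("too_few_classes")
    # Strip a trailing run of digits/symbols before the lookup so that
    # 'Admin@123' or 'admin123' is matched by the blocklist entry 'admin'.
    base = re.sub(r"[^A-Za-z]+$", "", pw).lower()
    if pw.lower() in breached or base in breached:
        failures.append("breached")
    return failures


def block_rates(passwords, **policy):
    """Share of guesses each rule rejects on its own, plus the share rejected by any rule."""
    n = len(passwords)
    counts = {"too_short": 0, "too_few_classes": 0, "breached": 0, "any": 0}
    for p in passwords:
        failed = evaluate_policy(p, **policy)
        for reason in failed:
            counts[reason] += 1
        counts["any"] += bool(failed)
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    for name, share in composition_report(ATTACK_GUESSES).items():
        print(f"{name:>22}: {share:6.1%}")
    for name, share in block_rates(ATTACK_GUESSES).items():
        print(f"{'blocked by ' + name:>22}: {share:6.1%}")
    for pw in ("Admin@123", "correct horse battery staple 42!"):
        print(pw, "->", evaluate_policy(pw) or "accepted")
```

On the constructed list the 15-character minimum alone rejects every guess, whereas the blocklist and the class rule each reject three quarters, and the suffix-stripping lookup is what catches "Admin@123" and "admin123", which pass a naive exact-match check. Swap in a real breached-password file and a real capture of attempted passwords to measure what a proposed policy would actually block.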
Marcus White from the Specops team explained that knowing the passwords attackers are using can help organizations create better password rules and defend against these brute-force attacks.
In conclusion, the Specops team recommends that organizations enforce policies that block weak and previously breached password choices and encourage the use of passphrases longer than 15 characters with some complexity.
HackRead