'Admin' and '123456' Still Among Most Used Passwords in FTP Attacks

Summary:
Specops Software, a password security vendor, recently analyzed how attackers try to break into FTP (File Transfer Protocol) servers with brute-force attacks, in which an attacker submits a large number of candidate passwords in rapid succession until one of them succeeds. The researchers examined a month of real-world attack traffic and found that most attackers are still trying to get in with remarkably simple passwords.

The study focused on attacks against TCP port 21, the standard FTP control port and the one internet-facing FTP servers normally listen on. The most common passwords in the attacks were "admin," "root," and "123456." Other frequent guesses were just as weak, including "password," "admin123," and keyboard patterns such as "qwerty." Guesses like these succeed whenever an administrator has left a default account in place or chosen a weak password.

The researchers found that more than half (54%) of the attempted passwords were either all lowercase letters or all digits, and almost 90% were between 6 and 10 characters long. Only a negligible share, 1.6%, mixed lowercase letters, uppercase letters, digits, and special characters. In other words, the attackers are not even trying long or complex passwords: a policy that requires longer passwords and rejects single-character-class ones would put nearly every guess in these lists outside the space the attackers are searching.

They also compared the FTP attacks to attacks on Remote Desktop Protocol (RDP). RDP is usually deployed with stronger surrounding controls (Windows account and lockout policies, network-level authentication), so simple guessing works less well against it. FTP is the bigger problem because plain FTP sends credentials and file contents unencrypted, and once an attacker has a working login they can read documents or upload malware with minimal effort.

Finally, Specops recommends that companies adopt smarter password policies: block weak and commonly guessed passwords outright, and require users to choose long, hard-to-guess passphrases, such as a sentence or phrase that also contains digits and special characters. That makes these low-effort guessing campaigns far less likely to succeed.
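As an added example (not Specops' product or code, and not from the Hackread article), here is a small Python policy check that implements the recommendations above: it rejects the passwords the study reports as most common, sees through the usual leetspeak and trailing-digit tricks before matching, flags keyboard runs, and buckets passwords into the same character-class categories the study counts (lowercase-only, digits-only, mixed). The denylist, the 15-character minimum, and the category names are assumptions of this example, not figures from the study.

```python
"""Password policy check implementing the Specops-style recommendations.

Added example, not Specops' product or code. The denylist, the minimum
length and the category names below are this example's own assumptions.
"""
import re

# Constructed denylist: the guesses the study reports plus a few obvious
# relatives. A real deployment checks against a breached-password list
# with millions of entries instead of a hand-written set.
COMMON_PASSWORDS = {
    "admin", "root", "123456", "password", "admin123", "qwerty",
    "password123", "12345678", "letmein", "ftp", "ftpuser", "test",
}
MIN_LENGTH = 15  # assumed policy: long passphrases beat short complex strings

# Keyboard rows; any 4-character slice of a row (or a row reversed) counts.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Leetspeak substitutions users bolt onto banned words ("P@ssw0rd").
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s", "7": "t"})


def composition(pw: str) -> str:
    """Bucket a password by character classes, as the study does:
    'lowercase-only', 'digits-only', 'full-mix' (all four classes) or
    'partial-mix' (anything in between)."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    if lower and not (upper or digit or special):
        return "lowercase-only"
    if digit and not (lower or upper or special):
        return "digits-only"
    if lower and upper and digit and special:
        return "full-mix"
    return "partial-mix"


def normalise(pw: str) -> str:
    """Reduce 'P@ssw0rd1' to 'password' so denylist matching sees through
    the usual tricks: lowercase, strip trailing digits/symbols, undo leet."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def has_keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if any min_len-character slice of pw walks along a keyboard row."""
    low = pw.lower()
    for i in range(len(low) - min_len + 1):
        seg = low[i:i + min_len]
        if any(seg in row or seg in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard pattern")
    if composition(pw) in ("lowercase-only", "digits-only"):
        problems.append("uses a single character class")
    return problems


def composition_share(passwords: list[str]) -> dict[str, float]:
    """Fraction of a password list in each composition bucket; this is the
    measurement behind the study's '54% lowercase or digits only' figure."""
    counts: dict[str, int] = {}
    for pw in passwords:
        bucket = composition(pw)
        counts[bucket] = counts.get(bucket, 0) + 1
    return {b: round(n / len(passwords), 3) for b, n in counts.items()}


if __name__ == "__main__":
    # Constructed sample of guesses in the style of the study's list.
    guesses = ["admin", "root", "123456", "password", "admin123", "qwerty",
               "P@ssw0rd1", "Admin2024!", "MyD0gRunsFast!!EveryMorning"]
    for g in guesses:
        print(f"{g!r:32} {composition(g):15} {check_password(g) or 'OK'}")
    print(composition_share(guesses))
```

The order of operations in normalise matters: trailing digits and symbols are stripped before the leetspeak map is applied, so "Admin2024!" and "P@ssw0rd1" both collapse to their banned base word. The length check is deliberately the first and strictest rule; the study's own numbers show that length alone excludes almost everything the attackers try.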

Security Officer Comments:
Seriously, it's sort of crazy that in 2025 people are still using passwords such as "123456" and "admin" to secure things that actually matter, such as servers full of files. That's like securing your house with a doorknob that won't even click shut. The attackers aren't even trying that hard; their plan is just to keep guessing the same terrible passwords over and over, and sometimes they get in! It's like fishing with a big net and praying that someone left their front door open.

The good news is that this is very easy to fix. If businesses simply required their users to create longer, harder passwords (and blocked simple ones like "password123"), a huge percentage of these attacks would fail. It's much like putting up a "beware of dog" sign to scare off burglars, even if you don't have a dog: just appearing to have strong security can make attackers go elsewhere.

Suggested Corrections:
To be safe from these kinds of password attacks, especially on legacy platforms like FTP, businesses and individuals need to do a few things:

Use Longer Passphrases: Instead of a short single-word password, use a complete sentence with mixed-case letters, numbers, and special characters, for example "MyD0gRunsFast!!EveryMorning" rather than "123456." (Treat any passphrase printed in an article, this one included, as burned; make up your own.)

Block the Worst Passwords: Use settings or tools that reject the worst passwords, like "admin," "qwerty," and "password," at the moment a password is set. These are always the first ones attackers try. Checking against a breached-password list also catches the trivial variants ("Password1," "admin123") that a short hand-written blocklist misses.

Disable Remote Access If Not Needed: If your FTP server does not need to be reachable from the internet, don't expose it; bind it to the internal network or restrict port 21 to known source addresses at the firewall. The fewer entrances you leave open, the safer.

Replace FTP with Better Tools: FTP is outdated and has no built-in encryption. Where possible, use SFTP (file transfer over SSH, which also supports key-based authentication that cannot be guessed the way a password can) or FTPS instead.

Monitor for Repeated Failed Logins: Set up alerting on repeated failed login attempts from the same source, and on a successful login that follows a burst of failures. The first is a sign that a brute-force attack is under way; the second is a sign that it just worked. Tools such as fail2ban can block the offending address automatically once the threshold is hit.

Keep Passwords Private and Secure: Never share passwords, don't write them down where others can read them, and never reuse the same password across more than one important account.

Use Password Managers: A password manager can generate and store strong, unique passwords so you don't have to remember them all.

Keep Systems Up to Date: Make sure your FTP software and any other programs are running with the most recent patches to avoid known vulnerabilities.
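As an added example of the monitoring step above (this is not Specops' tooling and not code from the article), the script below scans vsftpd-style log lines for the two patterns worth alerting on: a burst of failed logins from one client within a short window, and a successful login from that client while the burst is still in the window. The log lines are constructed for this example in vsftpd's log format; the threshold of five failures per minute is an assumed tuning value.

```python
"""Brute-force detection over vsftpd-style log lines.

Added example, not Specops' tooling. The log lines are constructed for
this example in vsftpd's log format; the threshold and window are
assumed tuning values.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# vsftpd writes: <ctime timestamp> [pid N] [user] OK|FAIL LOGIN: Client "ip"
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)
THRESHOLD = 5                  # failures from one client ...
WINDOW = timedelta(minutes=1)  # ... within this window trigger an alert


@dataclass
class Alert:
    ip: str
    kind: str          # "brute-force" or "success-after-failures"
    failures: int      # failed attempts in the window when the alert fired
    users: list[str]   # usernames involved
    at: datetime


def parse(line: str):
    """Return (timestamp, user, result, ip) for a login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]


def detect(lines, threshold=THRESHOLD, window=WINDOW) -> list[Alert]:
    """Sliding-window detector. Fires once per client when its failures in
    the window reach the threshold, and again if that client then logs in
    successfully while a burst of failures is still in the window, which
    is the signature of a guess that worked."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    alerted = set()
    alerts: list[Alert] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                  # CONNECT lines, transfers, etc.
        ts, user, result, ip = rec
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()               # drop failures older than the window
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(Alert(ip, "brute-force", len(q),
                                    sorted({u for _, u in q}), ts))
        else:
            if len(q) >= threshold:
                alerts.append(Alert(ip, "success-after-failures", len(q),
                                    [user], ts))
            q.clear()                 # a success resets the client's streak
            alerted.discard(ip)
    return alerts


# Constructed sample in vsftpd's format: one guessing client that finally
# gets in, one legitimate user who mistyped once, and a non-login line.
SAMPLE_LOG = [
    'Tue Mar 18 10:12:01 2025 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 18 10:12:02 2025 [pid 4102] [root] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 18 10:12:03 2025 [pid 4103] [ftp] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 18 10:12:04 2025 [pid 4104] [admin] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 18 10:12:05 2025 [pid 4105] [test] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 18 10:12:06 2025 [pid 4106] [backup] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 18 10:12:09 2025 [pid 4107] [backup] OK LOGIN: Client "203.0.113.5"',
    'Tue Mar 18 10:15:30 2025 [pid 4110] [alice] FAIL LOGIN: Client "198.51.100.7"',
    'Tue Mar 18 10:15:41 2025 [pid 4111] [alice] OK LOGIN: Client "198.51.100.7"',
    'Tue Mar 18 10:16:00 2025 [pid 4112] CONNECT: Client "203.0.113.5"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.at:%H:%M:%S} {a.ip:15} {a.kind:24} "
              f"failures={a.failures} users={a.users}")
```

Note that the server log records the username tried, not the password, so the usernames are the only content signal available here; the attacker cycling through "admin," "root," "ftp," and "test" is the same spray-and-pray pattern the study describes. The success-after-failures alert is the one to page on, because it means the guessing worked and the account needs a password reset and a look at what was transferred.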

By taking these measures, organizations can make it that much harder for hackers to penetrate using weak passwords—and avoid trouble before it arises.

Link(s):
https://hackread.com/admin-123456-most-used-passwords-ftp-attacks/