
Hackers target FTP servers with weak passwords, study finds
New research from Specops Software reveals the most commonly used passwords by hackers targeting FTP ports in brute force attacks against real networks over the past 30 days.
The Specops research team conducted an analysis using data collected from their honeypot systems and threat intelligence sources to identify prevalent trends in password attacks on FTP port 21. They also updated their Breached Password Protection service with over 133 million new compromised credentials.
FTP's TCP port 21 is frequently targeted by hackers employing brute force attacks, largely because many FTP servers are either outdated or poorly maintained and rely on basic authentication that transmits credentials in plain text.
According to the research, "Hackers often target FTP's TCP port 21 with brute force attacks because FTP servers can be a weak link in network security, especially when they're misconfigured or protected by weak credentials.
Many older or poorly maintained servers still use basic authentication, which transmits usernames and passwords in plain text, making them vulnerable to interception or automated guessing. This makes it a prime target for automated dictionary and brute-force tools that can try thousands of common credential pairs in minutes."
Brute force attacks consist of repeated attempts to access an account by systematically guessing login combinations. The report notes, "If account credentials are weak or unchanged from defaults, this method can be extremely effective. Once inside, attackers may steal sensitive files, upload malicious content, or use the compromised server as a launching pad for further attacks."
The inherent limitations of FTP's security model contribute to its attractiveness as a target. The report continues, "Because FTP is a legacy protocol with limited built-in security, it's a prime target unless protected with strong passwords, access controls, and ideally replaced or secured with SFTP or FTPS."
The report also compares FTP attacks with attacks on Remote Desktop Protocol (RDP). RDP, which operates on port 3389, features session encryption and supports account lockout policies or multi-factor authentication (MFA) to reduce successful brute force attempts.
The research states, "When attackers target FTP, they're usually after files (either stealing data or planting malicious payloads) and they'll focus on password spraying or exploiting anonymous logins. This means attackers have different methods from RDP intrusions, which, however, aim for a foothold inside the network: once you're 'on the desktop,' you can move laterally, install backdoors, or harvest additional credentials."
Distinct defensive priorities emerge for each protocol. "This means defenders need to monitor RDP for unusual logon patterns and patch known CVEs, while FTP defenses lean more heavily on strong password policies, port restrictions, and replacing FTP with more secure alternatives like SFTP or FTPS," the research states.
The analysis of passwords collected from FTP port attacks highlighted the most frequently used terms. The top ten passwords identified included "admin" (907 uses), "root" (896), "123456" (854), "password" (847), "admin123" (842), "123123" (834), "12345678" (814), "qwerty" (812), "abc123" (809), and "1234" (808).
The report explains, "'Admin' tops the list. Hackers know this is a common default password, often used by manufacturers or system administrators during initial setup, making it a readily available and easy-to-guess password. This widespread use, combined with users' tendency to neglect changing default passwords, contributes to its prevalence."
Passwords such as "root" remain frequent choices due to their association with administrator accounts in Linux and Unix-like systems. Attackers also continue to attempt other simple and widely used passwords like "123456" or "qwerty," suggesting that many users and organisations still permit weak credential choices.
The report notes, "The fact attackers still bother to try these simple, easy-to-guess passwords tells us that plenty of end users still choose them – and their organizations aren't blocking weak password choices."
Evaluation of password complexity showed that 54% of the passwords observed used only numbers or lowercase characters, with just 1.6% containing all types of characters—numbers, upper and lowercase letters, and special characters. Specops comments, "So, a password policy enforcing one type of each character would protect your organization against almost 99% of the passwords hackers are using."
Analysis of password length revealed that the majority were between 6 and 10 characters. Specifically, 25.53% of the passwords were six characters long, 16.46% eight characters, and 12.96% nine characters, with 87.4% of all passwords in the 6–10 character range. The latest NIST guidance, referenced by Specops, encourages longer passwords over greater complexity for stronger security.
Specops underscores the risk present in many organisations, "Most of the passwords being used in these FTP port attacks would be described as weak. They're either short, lack complexity, or use common temporary passwords like 'admin' or 'root'.
A good third-party solution can block end users from choosing weak Active Directory passwords (which are often reused as FTP server passwords). Enforcing a strong password policy where users are encouraged to create passphrases over 15 characters long (with at least some complexity) would offer protection against the vast majority of passwords we found in this analysis."
The company outlines a password best practices checklist, suggesting the use of MFA, blocking weak and compromised passwords, requiring long and complex passphrases, disabling default and anonymous logins, limiting login attempts, enforcing regular password changes, and removing unused accounts.
Specops advises: "Enabling push-spam resistant MFA adds a layer of protection, even if the password was to be breached. For example, Specops Secure Access can harden connections with a second factor to better secure access. Block the use of weak and compromised passwords in your Active Directory. Administrators should require long passphrases for all accounts, combining uppercase and lowercase letters, numbers, and special characters. Passphrases are easier for end users to remember. Disable default and anonymous logins. Limit login attempts to block brute force tools. Enforce regular password updates. Remove or disable unused FTP accounts."
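As an added example (not Specops' code or part of the report), the following Python implements two of the checklist items above: rejecting blocked, short or low-complexity passwords, and counting failed FTP logins per client IP to surface brute-force attempts. The vsftpd-style log format, the constructed log lines and the "at least two character classes" rule are assumptions.

```python
# Added example (not Specops' code): a minimal password-policy check and an
# FTP failed-login counter reflecting the report's recommendations.
import re
from collections import Counter

# Top-ten attacker passwords from the report, used as a small block list.
BLOCKED = {"admin", "root", "123456", "password", "admin123",
           "123123", "12345678", "qwerty", "abc123", "1234"}

CLASS_PATTERNS = {
    "lower": r"[a-z]", "upper": r"[A-Z]",
    "digit": r"[0-9]", "special": r"[^A-Za-z0-9]",
}

def char_classes(pw):
    """Return the set of character classes present in pw."""
    return {name for name, pat in CLASS_PATTERNS.items() if re.search(pat, pw)}

def check_policy(pw, min_len=15, blocklist=BLOCKED):
    """Return the reasons a password fails; an empty list means it passes.
    Follows the report: block known-weak values and require a 15+ character
    passphrase. 'At least two character classes' is an assumed reading of
    'at least some complexity'."""
    reasons = []
    if pw.lower() in blocklist:
        reasons.append("blocked")
    if len(pw) < min_len:
        reasons.append("too short")
    if len(char_classes(pw)) < 2:
        reasons.append("single character class")
    return reasons

# Constructed vsftpd-style log lines (format assumed; IPs from RFC 5737 ranges).
SAMPLE_LOG = """\
Mon Jun  2 10:00:01 2025 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon Jun  2 10:00:02 2025 [pid 2102] [root] FAIL LOGIN: Client "203.0.113.5"
Mon Jun  2 10:00:02 2025 [pid 2103] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon Jun  2 10:00:03 2025 [pid 2104] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon Jun  2 10:00:09 2025 [pid 2105] [alice] OK LOGIN: Client "198.51.100.7"
Mon Jun  2 10:00:15 2025 [pid 2106] [bob] FAIL LOGIN: Client "198.51.100.9"
"""
FAIL_RE = re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')

def flag_bruteforce(log_text, threshold=3):
    """Count failed FTP logins per client IP; return IPs at or over threshold."""
    fails = Counter(m.group("ip") for m in FAIL_RE.finditer(log_text))
    return {ip: n for ip, n in fails.items() if n >= threshold}
```

In practice the threshold would be paired with a lockout or rate limit on the FTP service, and the block list with a full breached-password feed rather than ten entries.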
Specops' research team receives daily updates via attack monitoring systems and threat intelligence, which they use to bolster their password protection services. The company's latest Breached Password Protection update included over 5 million new compromised passwords and now protects against over 4 billion unique compromised credentials.
The service scans Active Directory environments and enables organisations to alert end users about breached passwords with custom messages.