[New research] FTP ports under attack: Which passwords are hackers using?

The Specops research team has analyzed passwords being used to attack FTP ports over the past 30 days, in live attacks happening against real networks. Our team have found the most common passwords being used in brute force attacks, as well as the frequencies of password lengths and complexities. Knowing the tactics real-world attackers are using can help you shape your organization’s password policy and defend against brute-force attacks.

This research coincides with the latest addition of over 133 million compromised passwords to the Specops Breached Password Protection service. These passwords come from a combination of our honeypot network and threat intelligence sources.

Why do hackers target the FTP port with brute force attacks?

Hackers often target FTP’s TCP port 21 with brute force attacks because FTP servers can be a weak link in network security, especially when they’re misconfigured or protected by weak credentials. Many older or poorly maintained servers still use basic authentication, which transmits usernames and passwords in plain text, making them vulnerable to interception or automated guessing. This makes it a prime target for automated dictionary and brute-force tools that can try thousands of common credential pairs in minutes.

Brute force attacks involve repeatedly trying different username and password combinations until access is gained. If account credentials are weak or unchanged from defaults, this method can be extremely effective. Once inside, attackers may steal sensitive files, upload malicious content, or use the compromised server as a launching pad for further attacks. Because FTP is a legacy protocol with limited built-in security, it’s a prime target unless protected with strong passwords, access controls, and ideally replaced or secured with SFTP or FTPS.

Contrasting FTP and RDP port password attacks

We recently covered password attacks on the RDP (Remote Desktop Protocol) port 3389. RDP provides an interactive, encrypted session for full desktop access. While it also can be brute-forced, the handshake and encryption layers slow down automated login attempts, and effective account lockout policies or multi-factor authentication can further frustrate rapid password-guessing.

When attackers target FTP, they’re usually after files (either stealing data or planting malicious payloads), and they’ll focus on password spraying or exploiting anonymous logins. RDP intrusions use different methods and aim for a foothold inside the network: once you’re “on the desktop,” you can move laterally, install backdoors, or harvest additional credentials. As a result, RDP attacks often combine credential abuse with known-vulnerability exploits (like BlueKeep) or custom malware droppers, rather than pure password guessing.

This means defenders need to monitor RDP for unusual logon patterns and patch known CVEs, while FTP defenses lean more heavily on strong password policies, port restrictions, and replacing FTP with more secure alternatives like SFTP or FTPS.

Which passwords are being used in FTP port attacks?

Our research analyzed passwords collected from our honeypot system over the past 30 days. We’ve looked at the most common passwords being used in attacks and detailed their lengths and complexities to help inform your password policies.

Top ten passwords used to attack TCP port 21

As shown in the below table, “Admin” tops the list. Hackers know this is a common default password, often used by manufacturers or system administrators during initial setup, making it a readily available and easy-to-guess password. This widespread use, combined with users’ tendency to neglect changing default passwords, contributes to its prevalence. As other Specops research has shown, lots of end users will simply leave a new or temporary password in place if given the choice.

It’s also interesting to see “root” show up as second on the list. This is a common password choice in Linux and Unix-like systems, due to its association with the default administrator account and the ease of remembering it. It’s a default username in these systems, especially for SSH, and therefore a likely target for attackers who try common passwords. 

Other passwords on this list are common weak ones like “password” or keyboard walks like “123456” and “qwerty”. The fact attackers still bother to try these simple, easy-to-guess passwords tells us that plenty of end users still choose them – and their organizations aren’t blocking weak password choices.

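| Password | Times used by attackers in last 30 days |
|----------|-----------------------------------------|
| admin    | 907 |
| root     | 896 |
| 123456   | 854 |
| password | 847 |
| admin123 | 842 |
| 123123   | 834 |
| 12345678 | 814 |
| qwerty   | 812 |
| abc123   | 809 |
| 1234     | 808 |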

Character set complexity

We’ve looked at the character sets that make up the passwords being used in FTP port attacks. The below table shows some selected combinations of the four types of password character end users can choose on a keyboard:

  • Numbers
  • Lower case letters
  • Upper case letters
  • Special characters

As shown in the table, many of the passwords being used by hackers are very simple – 54% of the passwords we observed in attacks contained only numbers or only lowercase characters. Only 1.6% contained all character types. So, a password policy enforcing at least one of each character type would protect your organization against almost 99% of the passwords hackers are using.

| Character set | % of passwords used in FTP port attacks | Examples |
|---------------|------------------------------------------|----------|
| Numbers only | 29% | 123456 |
| Lower-case + number | 28.5% | root2015 |
| Lower-case only | 24.9% | useruser |
| Lower-case + number + special character | 8.5% | www-data1, p@55w0rd |
| Lower-case + special character | 5.6% | user! |
| Upper case + lower case + number + special character | 1.6% | P@ssw0rd!! |
| Upper case + lower case + number | 0.9% | Admin2015 |
| Upper case + lower case | 0.6% | AdminAdmin |
| Upper case + lower case + special character | 0.2% | Admin! |
| Special character only | 0.1% | !@#$%^ |

Most common password lengths used in attacks

The latest NIST guidelines recommend prioritizing length over complexity. This is partly because a long passphrase is easier for end users to remember than a shorter password with lots of complexity. Long passwords (over 15 characters) with at least some complexity are highly resistant to brute-force attacks, so enforcing this kind of password policy would give your Active Directory passwords the same resistance. As shown below, 87.4% of the passwords used by hackers against FTP ports were between 6 and 10 characters long.

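| Password length | % of passwords used in FTP attacks |
|-----------------|-------------------------------------|
| 6 | 25.53% |
| 8 | 16.46% |
| 9 | 12.96% |
| 7 | 12.06% |
| 4 | 9.82% |
| 5 | 6.61% |
| 10 | 3.95% |
| All other lengths | 12.61% |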
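
The character-set and length breakdowns above can be reproduced on any password list, and the same classifier shows how much of an attacker's list a given policy shuts out. The following is an added example, not Specops code: it uses only the passwords quoted in this article's tables (so its tallies will not match the percentages from the full dataset), and the function names and policy parameters are assumptions made for illustration.

```python
from collections import Counter

# Passwords quoted in the article's tables (a sample, not the full honeypot dataset).
OBSERVED = ["admin", "root", "123456", "password", "admin123", "123123",
            "12345678", "qwerty", "abc123", "1234", "root2015", "useruser",
            "www-data1", "p@55w0rd", "user!", "P@ssw0rd!!", "Admin2015",
            "AdminAdmin", "Admin!", "!@#$%^"]

def char_classes(pw):
    """Character types present in pw, using the article's four types."""
    kinds = {"number": str.isdigit, "lower": str.islower, "upper": str.isupper}
    found = set()
    for ch in pw:
        found.add(next((k for k, test in kinds.items() if test(ch)), "special"))
    return frozenset(found)

def profile(passwords):
    """Tally passwords by character-set combination and by length."""
    by_class = Counter("+".join(sorted(char_classes(p))) for p in passwords)
    by_length = Counter(len(p) for p in passwords)
    return by_class, by_length

def policy_rejects(pw, min_length=15, min_classes=1, denylist=frozenset()):
    """Reasons the policy refuses pw; an empty list means it would be accepted."""
    reasons = []
    if len(pw) < min_length:
        reasons.append("too short")
    if len(char_classes(pw)) < min_classes:
        reasons.append("too few character types")
    if pw.lower() in denylist:
        reasons.append("on deny list")
    return reasons

def coverage(passwords, **policy):
    """Fraction of attacker-tried passwords the policy would never have allowed."""
    return sum(1 for p in passwords if policy_rejects(p, **policy)) / len(passwords)

if __name__ == "__main__":
    by_class, by_length = profile(OBSERVED)
    print(by_class.most_common(3), by_length.most_common(3))
    # Complexity alone still admits "P@ssw0rd!!", which attackers already try.
    print("4 types, any length:", coverage(OBSERVED, min_length=1, min_classes=4))
    print("15+ characters:     ", coverage(OBSERVED, min_length=15))
```

On this sample, a four-character-type rule with no length requirement still accepts “P@ssw0rd!!”, while a 15-character minimum or a deny list containing it does not.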

Find weak and compromised passwords in your network today 

This month’s update to the Breached Password Protection service includes the addition of over 5 million compromised passwords to the list used by Specops Password Auditor. You can find how many of your end users’ passwords are either compromised or identical with a read-only scan of your Active Directory from Specops Password Auditor. You’ll get a free customizable report on password-related vulnerabilities, including weak policies, breached passwords, and stale/inactive accounts. Download your free auditing tool here

Securing FTP with strong password policies

One of the most effective ways to protect an FTP server from brute force attacks is by enforcing strong password policies. Since FTP commonly relies on username and password authentication (often transmitted without encryption) using weak or default credentials makes it an easy target for attackers.

Most of the passwords being used in these FTP port attacks would be described as weak. They’re either short, lack complexity, or use common temporary passwords like “admin” or “root”.  A good third-party solution can block end users from choosing weak Active Directory passwords (which are often reused as FTP server passwords). Enforcing a strong password policy where users are encouraged to create passphrases over 15 characters long (with at least some complexity) would offer protection against the vast majority of passwords we found in this analysis.

FTP password best practices checklist

  • Enabling push-spam resistant MFA adds a layer of protection, even if the password was to be breached. For example, Specops Secure Access can harden connections with a second factor to better secure access
  • Block the use of weak and compromised passwords in your Active Directory
  • Administrators should require long passphrases for all accounts, combining uppercase and lowercase letters, numbers, and special characters. Passphrases are easier for end users to remember
  • Disable default and anonymous logins
  • Limit login attempts to block brute force tools
  • Enforce regular password updates
  • Remove or disable unused FTP accounts
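
To decide where login-attempt limits are needed, it helps to see which clients are already guessing. The following is an added example, not code from the article or from Specops: it assumes the FTP server writes login results in the style of vsftpd's log, the log lines are constructed (addresses come from documentation ranges), and the threshold and window values are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in vsftpd's log style; not taken from a real server.
SAMPLE_LOG = """\
Wed May 14 09:00:01 2025 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.7"
Wed May 14 09:00:02 2025 [pid 4102] [root] FAIL LOGIN: Client "203.0.113.7"
Wed May 14 09:00:03 2025 [pid 4103] [admin] FAIL LOGIN: Client "203.0.113.7"
Wed May 14 09:00:05 2025 [pid 4104] [root] FAIL LOGIN: Client "203.0.113.7"
Wed May 14 09:00:06 2025 [pid 4105] [admin] FAIL LOGIN: Client "203.0.113.7"
Wed May 14 09:00:09 2025 [pid 4106] [admin] OK LOGIN: Client "203.0.113.7"
Wed May 14 09:14:30 2025 [pid 4180] [alice] FAIL LOGIN: Client "198.51.100.23"
Wed May 14 09:14:41 2025 [pid 4181] [alice] OK LOGIN: Client "198.51.100.23"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def parse(log_text):
    """Yield (timestamp, client_ip, username, succeeded) for each login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["user"], m["result"] == "OK"

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: details} for clients with >= threshold failures inside one window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        (successes if ok else failures)[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                burst_time = events[end][0]
                flagged[ip] = {
                    "failures": len(events),
                    "usernames": sorted({u for _, u in events}),
                    # A success after the burst means a guess probably worked.
                    "login_after_burst": any(t >= burst_time for t, _ in successes[ip]),
                }
                break
    return flagged
```

A flagged client with `login_after_burst` set is the one to triage first: the account it ended up on should be treated as compromised and its password reset.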

Protect your organization against brute force attacks

Specops Password Auditor offers a great starting point for assessing your current password risks, but it’s only a snapshot. With Specops Password Policy and Breached Password Protection, organizations can continuously protect themselves against over 3 billion more known unique compromised passwords (4 billion in total). These include compromised passwords that could be considered ‘strong’ and have been stolen by malware.

Our research team’s attack monitoring data collection systems update the service daily and ensure networks are protected from real world password attacks happening right now. It also includes passwords found on breached password lists on the dark web and elsewhere. Breached Password Protection continuously scans your Active Directory for breached passwords and allows you to alert end users with customizable messaging that helps reduce calls to the service desk.

Interested in seeing how this might work for your organization? Have questions on how you could adapt this for your needs? Contact us or see how it works with a demo or free trial.

(Last updated on May 14, 2025)

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK, with 8+ years experience in the tech and cyber sectors. He writes about authentication, password security, password management, and compliance.
