Many network services have default administrator accounts that may retain their installation passwords. Attackers can exploit this by trying to log in with these default credentials, along with common and weak passwords. Here are examples of typical weak passwords, all ending with an exclamation mark to circumvent password policies:
| Password | Comment |
|---|---|
| Summer2021! | Many individuals, including company helpdesks, often reset passwords using the current season and year as the new password. |
| W3schools123! | Users frequently choose the company name as their password, often adding “123” and an exclamation mark at the end to meet password policy requirements and increase complexity slightly. |
| Rosalynn2006! | Users often select names of personal significance, such as their children’s names or their birth years, as their passwords. |
| Qwerty123456! | This password appears random but is actually created by someone pressing keys in sequence, followed by corresponding numbers. |
THC-Hydra is a tool that simplifies the process of configuring lists of usernames and passwords for testing against various services (https://github.com/vanhauser-thc/thc-hydra). It supports numerous protocols, including:
To target FTP using THC-Hydra, the following command can be executed:
```shell
# -L: file of usernames to try, -P: file of passwords to try, then the target service URL
hydra -L common_usernames.txt -P common_passwords.txt ftp://localhost/
```
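A run of the command above tries every combination from both lists against the service, which on the server side appears as a burst of failed logins from one source across several usernames, often followed by a single success. The following is an added example, not part of the original page and not part of THC-Hydra: a sliding-window detector over constructed FTP-style log lines. The log format is an assumption made for the illustration (real FTP servers each have their own format, so `parse_line` is the part to adapt); the thresholds are also assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format for this example; adapt the regex to the real server's log lines.
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

# Constructed sample: one source spraying three usernames, then succeeding; one user with a single typo.
SAMPLE_LOG = """\
2021-06-01 10:00:00 ip=10.0.0.5 user=admin result=FAIL
2021-06-01 10:00:02 ip=10.0.0.5 user=admin result=FAIL
2021-06-01 10:00:04 ip=10.0.0.5 user=root result=FAIL
2021-06-01 10:00:06 ip=10.0.0.5 user=root result=FAIL
2021-06-01 10:00:08 ip=10.0.0.5 user=ftp result=FAIL
2021-06-01 10:00:10 ip=10.0.0.5 user=ftp result=FAIL
2021-06-01 10:00:12 ip=10.0.0.5 user=admin result=OK
2021-06-01 10:00:30 ip=192.168.1.20 user=alice result=FAIL
2021-06-01 10:00:45 ip=192.168.1.20 user=alice result=OK
"""


def parse_line(line: str):
    """Return (timestamp, ip, user, result) for a line in the assumed format, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return ts, m["ip"], m["user"], m["result"]


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag sources with >= threshold failed logins inside a sliding window of window_seconds.

    Returns {ip: {"failures": peak count in window, "users": set of usernames tried,
                  "success_after_burst": True if a login from that ip succeeded after the alert}}.
    """
    fails = defaultdict(deque)   # ip -> recent (timestamp, user) failures inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip, user, result = ev
        q = fails[ip]
        # Drop failures that have aged out of the window
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif result == "OK" and ip in alerts:
            # A success right after a burst of failures is the signal that matters most
            alerts[ip]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The "success after burst" flag is what turns a noisy brute-force alert into an incident: a source that fails many times across several usernames and then logs in has most likely found a default or weak credential of the kind listed in the table.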