Top 10 Passwords Hackers Use to Breach RDP – Is Yours at Risk?


A recent study by the Specops research team reveals that hackers continue to exploit weak passwords in attacks on Remote Desktop Protocol (RDP) ports. This report also adds over 85 million compromised passwords to Specops’ Breached Password Protection service, sourced from their honeypot network and threat intelligence.

What is RDP and Why Attack RDP Ports?

RDP is a Microsoft-developed protocol that allows users to connect to and control another computer remotely over a network. RDP ports are the network ports the Remote Desktop Protocol uses to establish a connection between a client and a remote server or computer. By default, RDP uses port 3389 (TCP/UDP) for communication.

RDP ports are a common target for hackers because they’re widely used for remote access in businesses. Whether it’s for remote work, system maintenance, or troubleshooting, these ports provide an easy entry point, making them a favourite for brute force and password-spraying attacks. It’s not uncommon to see countless failed login attempts from hackers trying to break in.

Key Findings from the Research

According to Specops’ research shared with Hackread.com ahead of publishing on Tuesday, March 18, 2025, here’s what they discovered:

Common Passwords in Use: The analysis determined that the most frequently attempted password was “123456,” followed by other basic choices such as “1234,” “Password1,” and even “P@ssw0rd.” A notable observation is the recurring use of “Welcome1,” pointing to the danger of temporary passwords assigned during employee onboarding that might never be updated.

Simple Number Combinations Dominate: Nearly 25% of the passwords used in these attacks consist solely of numbers. The study highlights that a notable portion of attempts, almost half, rely on either numbers or all lower-case letters.

Password Length and Complexity: Eight-character passwords are the most common, likely because many organizations set that length as the minimum requirement. Only about 1.35% of the passwords used in the attacks exceeded 12 characters, indicating that longer passphrases could block nearly all of the attack attempts.

Expanded Breached Password List: Alongside these insights, Specops has added more than 85 million compromised passwords to its Breached Password Protection service. These figures come from data gathered through honeypot networks and threat intelligence sources, offering fresh insight into what hackers target.

Top 10 Passwords in RDP Attacks

The research team analyzed NTLMv2 hashes from their honeypot system, focusing on RDP-specific attacks. They managed to crack around 40% of these hashes, revealing the top ten passwords used in these attacks:

  • 123456 – 355,088 occurrences
  • 1234 – 309,812 occurrences
  • Password1 – 271,381 occurrences
  • 12345 – 259,222 occurrences
  • P@ssw0rd – 254,065 occurrences
  • password – 138,761 occurrences
  • Password123 – 121,998 occurrences
  • Welcome1 – 113,820 occurrences
  • 12345678 – 86,682 occurrences
  • Aa123456 – 69,058 occurrences

How to Protect Your RDP Ports

To protect your RDP ports from attacks, start by enabling Multi-Factor Authentication (MFA) so that even if a password is stolen, unauthorized access is blocked. Keeping your Windows servers and clients updated is crucial to patch security vulnerabilities that hackers exploit.

Additionally, ensure TCP port 3389 is secured with SSL encryption and not directly exposed to the internet. Another important step is to restrict RDP access to a specific range of trusted IP addresses, preventing unauthorized users from attempting to connect.

Simple Password = Security Disaster

The Specops report makes it clear that relying on simple passwords is a risk organizations can no longer afford. By switching to longer and more complex passwords, companies can greatly reduce the impact of today’s RDP attacks.
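The findings above translate directly into a password screening check. The following is an added example, not code from Specops or the original article: it rejects candidates that match the top-ten list, are 12 characters or shorter, or consist only of digits or only of lower-case letters. The function names, reason labels, the 13-character minimum and the sample passwords are assumptions made for illustration.

```python
import string

# Top ten passwords seen in RDP attacks, copied from the list in the article.
TOP10_RDP = {
    "123456", "1234", "Password1", "12345", "P@ssw0rd",
    "password", "Password123", "Welcome1", "12345678", "Aa123456",
}
# Lower-cased copy so trivial case variants ("PASSWORD1") are also caught.
_TOP10_LOWER = {p.lower() for p in TOP10_RDP}

# Assumption: require more than 12 characters, since the article reports that
# only about 1.35% of attempted passwords exceeded that length.
MIN_LENGTH = 13


def screen_password(candidate: str) -> list[str]:
    """Return the reasons a candidate should be rejected (empty list = pass)."""
    reasons = []
    if candidate.lower() in _TOP10_LOWER:
        reasons.append("top10")
    if len(candidate) < MIN_LENGTH:
        reasons.append("short")
    # Composition classes the article says cover almost half of all attempts.
    if candidate and all(c in string.digits for c in candidate):
        reasons.append("digits-only")
    elif candidate and all(c in string.ascii_lowercase for c in candidate):
        reasons.append("lowercase-only")
    return reasons


def audit(candidates):
    """Map each candidate to its rejection reasons."""
    return {c: screen_password(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample input, not real credentials.
    samples = ["123456", "Welcome1", "welcome", "12345678901234",
               "correct-horse-battery-staple"]
    for pw, reasons in audit(samples).items():
        print(f"{pw!r}: {'OK' if not reasons else ', '.join(reasons)}")
```

A check like this complements, rather than replaces, a breached-password list lookup and MFA.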
