Microsoft's Remote Desktop Protocol is a handy method for signing in to and controlling remote PCs and servers, especially for hybrid workers. But RDP is also an inviting target for cybercriminals looking to gain access to an organization's network and other critical resources. That's why using a strong and complex password for remote desktop accounts is vital. Unfortunately, this is an area where many people and companies fall short.

Also: Hackers stole this engineer's 1Password database. Could it happen to you?

In a report released Tuesday, password security provider Specops revealed the top 10 most common passwords attackers use to exploit RDP connections. In total, more than 1 billion stolen passwords captured by cybercriminals in 2024 were included in the analysis. The results show that many people ignore standard best practices when creating passwords, even for important systems.

Organizations that monitor their RDP servers have found hundreds or even thousands of failed login attempts from hackers, bots, ransomware gangs, and more. Once they find an open and exposed RDP port, attackers use brute force to try a large number of username and password combinations to gain access. The simpler the password, the quicker the attacker can gain and exploit access.

Which passwords were the worst offenders?

To little or no surprise, 123456 was the most common password stolen by malicious attacks. This indicates that many people are still turning to "keyboard walks" -- passwords created by typing a string of adjacent keys on the keyboard.

In second place was 1234, presumably chosen by people who couldnt be bothered to add the 5 and 6. Next up was Password1, followed by 12345.

Also: How AI agents help hackers steal your confidential data - and what to do about it

In the fifth spot was P@sswOrd, suggesting that some people knew enough to add a special character, albeit to a still weak password. However, P@sswOrd may be popular because it meets the standard requirements of eight characters, one capital letter, one number, and one special character, according to Specops.

Rounding out the list were password, Password123, Welcome1, 12345678, and Aa123456. The addition of Welcome1 could signal that many employees are given such weak temporary passwords to start but arent forced to change them. Otherwise, most of the top 10 used either a string of common numbers or some variation of the word password.

What should a secure password contain?

To be secure, a password should include some combination of numbers, lowercase letters, uppercase letters, and special characters. But less than 8% of the passwords exploited by attackers contained at least one character from each of these four categories. Nearly half of them consisted of only numbers or lowercase letters. A complex password is essential because even a short one would have thwarted about 92% of the RDP port attacks.

Also: How a researcher with no malware-coding skills tricked AI into creating Chrome infostealers

However, the length of a password is just as important as its complexity. The most common password analyzed by Specops contained eight characters because that's usually the minimum length required by an organization's security policies. Any complex password with at least 15 characters becomes almost impossible to crack with brute-force techniques, Specops said. Less than 2% of the passwords used in RDP attacks had more than 12 characters.

How to protect yourself

With attackers exploiting RDP connections through weak passwords, what can you and your organization do to protect yourselves? Specops offers a few tips.

1. Enforce a strong password policy where employees are prompted to create complex passwords or long passphrases. With passphrases longer than 15 characters, users would have been protected against 98% of the passwords analyzed by Specops.
2. Limit the range of IP addresses that can use RDP connections. This should help prevent attackers from outside your network from gaining access through RDP.
3. Block the use of weak and compromised passwords through Active Directory policies. Specops offers a free read-only audit tool that scans your Active Directory environment for password-related vulnerabilities.
4. Check for misconfigured and vulnerable ports. Ensure that TCP port 3389 is using an SSL connection and isn't exposed to the internet.
5. Use spam-resistant multi-factor authentication for RDP connections to add an extra layer of protection. Even if a password is breached, the attacker would need to provide that second form of authentication to gain access.
6. Keep your Windows clients and servers patched and up to date to protect them against critical security vulnerabilities.

Get the morning's top stories in your inbox each day with our Tech Today newsletter.

Security

How AI agents help hackers steal your confidential data - and what to do about it

This new tool lets you see how much of your data is exposed online - and it's free

How a researcher with no malware-coding skills tricked AI into creating Chrome infostealers

That weird CAPTCHA could be a malware trap - here's how to protect yourself

• How AI agents help hackers steal your confidential data - and what to do about it
• This new tool lets you see how much of your data is exposed online - and it's free
• How a researcher with no malware-coding skills tricked AI into creating Chrome infostealers
• That weird CAPTCHA could be a malware trap - here's how to protect yourself