Microsoft's Remote Desktop Protocol is a handy method for signing in to and controlling remote PCs and servers, especially for hybrid workers. But RDP is also an inviting target for cybercriminals looking to gain access to an organization's network and other critical resources. That's why using a strong and complex password for remote desktop accounts is vital. Unfortunately, this is an area where many people and companies fall short.
In a report released Tuesday, password security provider Specops revealed the top 10 most common passwords attackers use to exploit RDP connections. In total, more than 1 billion stolen passwords captured by cybercriminals in 2024 were included in the analysis. The results show that many people ignore standard best practices when creating passwords, even for important systems.
Organizations that monitor their RDP servers have found hundreds or even thousands of failed login attempts from hackers, bots, ransomware gangs, and more. Once they find an open and exposed RDP port, attackers use brute force to try a large number of username and password combinations to gain access. The simpler the password, the quicker the attacker can gain and exploit access.
To little or no surprise, 123456 was the most common password stolen by malicious attacks. This indicates that many people are still turning to "keyboard walks" -- passwords created by typing a string of adjacent keys on the keyboard.
In second place was 1234, presumably chosen by people who couldn't be bothered to add the 5 and 6. Next up was Password1, followed by 12345.
In the fifth spot was P@sswOrd, suggesting that some people knew enough to add a special character, albeit to a still weak password. However, P@sswOrd may be popular because it meets the standard requirements of eight characters, one capital letter, one number, and one special character, according to Specops.
Rounding out the list were password, Password123, Welcome1, 12345678, and Aa123456. The presence of Welcome1 could signal that many employees are given such weak temporary passwords to start with but aren't forced to change them. Otherwise, most of the top 10 used either a string of common numbers or some variation of the word password.
To be secure, a password should include some combination of numbers, lowercase letters, uppercase letters, and special characters. But fewer than 8% of the passwords exploited by attackers contained at least one character from each of these four categories. Nearly half of them consisted of only numbers or only lowercase letters. A complex password is essential because even a short one would have thwarted about 92% of the RDP port attacks.
However, the length of a password is just as important as its complexity. The most common password length in the Specops data was eight characters, because that's usually the minimum length required by an organization's security policies. Any complex password with at least 15 characters becomes almost impossible to crack with brute-force techniques, Specops said. Fewer than 2% of the passwords used in RDP attacks had more than 12 characters.
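As an added illustration (not code from the Specops report or this article), the Python below turns the findings above into checks an administrator could run against candidate passwords: the top-10 list as a deny list, the four character classes, and the 15-character length the report recommends. The function names and the sample corpus are my own.

```python
import re

# Top-10 RDP-attack passwords named in the article, kept as a deny list
# (matched case-insensitively; "P@sswOrd" is spelled as the article prints it).
SPECOPS_TOP10 = {
    "123456", "1234", "password1", "12345", "p@ssword",
    "password", "password123", "welcome1", "12345678", "aa123456",
}

# The four character classes the article says a password should draw from.
CLASSES = {
    "digit": re.compile(r"[0-9]"),
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "special": re.compile(r"[^0-9A-Za-z]"),
}

def char_classes(pw: str) -> set:
    """Return the set of character classes present in pw."""
    return {name for name, rx in CLASSES.items() if rx.search(pw)}

def evaluate(pw: str, min_len: int = 15) -> dict:
    """Check one password against the deny list, the four classes and the length bar."""
    problems = []
    if pw.lower() in SPECOPS_TOP10:
        problems.append("appears in the Specops top-10 RDP attack list")
    missing = set(CLASSES) - char_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if len(pw) < min_len:
        problems.append(f"only {len(pw)} characters; {min_len}+ recommended")
    return {"length": len(pw), "classes": sorted(char_classes(pw)),
            "ok": not problems, "problems": problems}

def corpus_stats(passwords) -> dict:
    """Mirror the report's two headline figures for any list of passwords:
    share using all four classes, and share made of only digits or only lowercase."""
    n = len(passwords)
    all_four = sum(1 for p in passwords if char_classes(p) == set(CLASSES))
    single = sum(1 for p in passwords if char_classes(p) in ({"digit"}, {"lower"}))
    return {"all_four_pct": round(100 * all_four / n, 1),
            "digits_or_lower_only_pct": round(100 * single / n, 1)}

if __name__ == "__main__":
    # Constructed sample corpus, not data from the report.
    sample = ["123456", "password", "Tr0ub4dor&3", "Welcome1"]
    for p in sample:
        print(p, evaluate(p))
    print(corpus_stats(sample))
```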
With attackers exploiting RDP connections through weak passwords, what can you and your organization do to protect yourselves? Specops offers a few tips.