: Curated by Daniel Miessler on GitHub, this is the definitive list for testing default vendor credentials. It includes common pairings like admin:admin, ftp:ftp, and specific device defaults for hardware like routers and PLC controllers.
When testing over the network, too many requests can lead to IP bans. Rate-limit your tools.
Ethical Considerations and Legal Warning
If you are aiming to perform a security audit on your infrastructure, I can provide you with more tailored information.
Attempt 1: HydroOneAdmin - Access Denied. Attempt 2: Fallback#1 - Access Denied.
Whether you need a custom to generate localized wordlists
The testing tool you plan to use (e.g., Hydra, Nmap)
hydra -L users.txt -P ftp_passwords.txt ftp://192.168.1.100
Medusa is another highly modular, parallel login verification tool preferred by some auditors for its stability over certain network configurations:
hydra -L ftp_usernames.txt -P high_quality_passwords.txt ftp://192.168.1.50 -V -t 4
-L : Specifies the path to the target username list.
-P : Specifies your high-quality password wordlist.
Ensure anonymous logins are turned off.
: Includes human-language lists and unique word sets for password recovery tools like John the Ripper.
For a quick, non-intrusive check during network sweeps, Nmap includes a built-in scripting engine (NSE) capable of running targeted FTP brute-force attacks.
: Often preferred over RockYou for modern assessments, this list contains 10 million passwords from more recent leaks (post-2011), including newer cultural terms like "Minecraft" that older lists lack.
Rate-limit your tools
Sometimes, the best wordlist is one you create yourself based on the target. is a tool that crawls a target's website and generates a wordlist based on the content, which can be highly effective for guessing customized FTP credentials.
Best Practices for Using FTP Wordlists
While older, this list remains highly effective for identifying weak, human-generated passwords due to its origin from a massive real-world breach.
Attackers frequently target port 21 (FTP) using these highly predictable combinations:
| Flag | Function | Advice |
| :--- | :--- | :--- |
| -l | Single username | Use for known or default usernames (e.g., admin, root, ftpuser) |
| -L | Username list file | Use when usernames are unknown but a file exists |
| -P | Password list file | Use your high-quality wordlist |
| -t | Number of threads | Stay low (4-8) for SSH, but 16+ is safe for FTP and HTTP |
| -f | Stop on first find | Saves time after credentials are discovered |
| -V | Verbose output | Shows every login attempt in real time |
While custom lists are ideal, several industry-standard repositories serve as the perfect baseline for security professionals.