Most Common Brute-Force Usernames

Which usernames do attackers actually try? Search 77,737+ usernames from real SSH, FTP, and Telnet brute-force attacks — captured live by our honeypot sensor network.

username

Enter a username to check

Unique Usernames

77,737

Total Sessions

6,884,055

Top Protocol

SSH

Protocols Monitored

Top Usernames Hackers Try in Brute-Force Attacks

#	Username	Sessions	Protocols	Last Seen
1	root	1,866,726	sshtelnetmysqlftppostgressmbhttpsmtpmongodbsip	2026-03-03
2	admin	589,810	sshtelnetmysqlftphttpsmbmongodbpostgressmtpsip

All Top Attacked Usernames

root — 1,866,726 sessions

admin — 589,810 sessions

345gs5662d34 — 344,625 sessions

ubuntu — 295,053 sessions

sol — 294,410 sessions

solana — 234,146 sessions

postgres — 181,973 sessions

user — 179,566 sessions

test — 150,010 sessions

oracle — 115,738 sessions

solv — 85,065 sessions

guest — 83,393 sessions

centos — 57,252 sessions

support — 51,280 sessions

mysql — 50,953 sessions

0 — 49,184 sessions

debian — 42,084 sessions

git — 35,737 sessions

hadoop — 35,242 sessions

pi — 30,863 sessions

backup — 30,606 sessions

administrator — 29,851 sessions

validator — 28,997 sessions

ubnt — 27,711 sessions

default — 25,851 sessions

ftp — 22,496 sessions

node — 19,997 sessions

operator — 19,383 sessions

docker — 18,453 sessions

www — 18,157 sessions

daemon — 17,674 sessions

dspace — 16,702 sessions

dev — 16,186 sessions

sa — 16,066 sessions

developer — 15,802 sessions

es — 15,459 sessions

zabbix — 15,391 sessions

ftpuser — 15,310 sessions

nginx — 14,850 sessions

nobody — 14,642 sessions

config — 14,300 sessions

ec2-user — 14,160 sessions

apache — 14,150 sessions

[email protected] — 13,985 sessions

[email protected] — 13,977 sessions

anonymous — 13,501 sessions

unknown — 13,459 sessions

blank — 13,418 sessions

supervisor — 13,009 sessions

firedancer — 12,783 sessions

100 — 12,771 sessions

elastic — 12,722 sessions

lighthouse — 11,392 sessions

ansible — 10,057 sessions

raydium — 9,939 sessions

test1 — 9,601 sessions

admingpon — 9,506 sessions

odoo — 9,238 sessions

tomcat — 9,211 sessions

newuser — 9,071 sessions

jenkins — 8,408 sessions

slv — 8,350 sessions

ethereum — 8,106 sessions

nagios — 8,054 sessions

ftptest — 7,666 sessions

trader — 7,591 sessions

trading — 7,317 sessions

deploy — 7,272 sessions

mapr — 6,762 sessions

a — 6,672 sessions

elasticsearch — 6,514 sessions

server — 6,274 sessions

jibs — 6,126 sessions

3d — 6,120 sessions

master — 6,060 sessions

weblogic — 5,922 sessions

gerrit — 5,892 sessions

ps — 5,784 sessions

www-data — 5,596 sessions

minima — 5,521 sessions

bot — 5,407 sessions

latitude — 5,297 sessions

n8n — 5,214 sessions

solnode — 4,936 sessions

system — 4,851 sessions

testuser — 4,721 sessions

1001 — 4,693 sessions

jito — 4,339 sessions

webapp — 4,313 sessions

claude — 4,312 sessions

user1 — 4,170 sessions

cexuser — 4,167 sessions

cexadmin — 4,162 sessions

ops — 4,161 sessions

1000 — 4,090 sessions

opadmin — 4,060 sessions

psadmin — 4,047 sessions

super — 4,045 sessions

operation — 4,042 sessions

svn — 3,868 sessions

Most Common Brute-Force Usernames

Top Usernames Hackers Try in Brute-Force Attacks

Usernames by Protocol — SSH, FTP, Telnet & More

How We Collect Brute-Force Username Data

All Top Attacked Usernames