Ixia has released a report detailing the biggest security breaches of last year and suggestions on how to avoid them in the future.

The Calabasas network software company’s first security report recounts 2016’s biggest online security breaches, starting with a BlackEnergy malware attack on Ukraine’s power grid in January, followed by a rash of ransomware demands in March. Later came the Bangladesh banking attack, in which hackers stole $80 million; the billion-account hack of Yahoo; and the still-under-investigation hacking of U.S. elections.

The report found that many attacks begin with the unsophisticated method of trial and error.

“Gaining access to accounts is often done the old-fashioned way — brute force guessing starting with the obvious. It is shocking how many network accounts and devices contain default usernames and passwords,” the report stated.

The most popular username guesses by hackers included “admin,” “root,” and “user.” The most popular passwords included “123456,” “admin” and “password.”

Ixia is in the process of an acquisition by Keysight Technologies for $1.6 billion.

Shares of Ixia closed down 3 cents, or a fraction of a percent, at $19.55 on the Nasdaq.