I have two FileZilla server instances on different WAN connections, both mapping to the same /test directory on the file server.
To validate that clients have connectivity, I have a read/list-only test account (e.g. test) with a simple password that can be given verbally over the phone (e.g. pass). This saves a lot of hassle when onboarding new clients or debugging routing problems.
I have tended to disable the test account when not required, but this is somewhat of an inconvenience as it requires logging on to the server and can be required multiple times per week.
What, if any, risks would I be taking if I left the test account enabled with a weak or easy-to-guess password? Are there any known exploits that could be used to access or deny access to the server?
Note: The server is set to autoban IP addresses for 2 hours after 10 failed login attempts. Syslog monitoring on the firewall is also set to flag suspicious activity. This could be extended to banning naughty IPs at the perimeter.
EDIT: I mentioned FTP for expediency but the servers are actually set to require FTPS with unencrypted FTP disallowed.
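The autoban and syslog-monitoring controls described in the question can be checked offline by replaying login events. The example below is added here and is not the question author's code or FileZilla's own; its log format, the 10-minute failure-counting window, the IP addresses and the "expected test IPs" list are all constructed assumptions, while the 10-failure threshold and 2-hour ban come from the question. It bans an IP after the threshold, flags attempts made during a ban, and flags logins to the test account from addresses that were not expected to use it, which is the kind of signal a perimeter rule could act on.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10                  # failures before a ban (from the question)
BAN_DURATION = timedelta(hours=2)    # ban length (from the question)
FAIL_WINDOW = timedelta(minutes=10)  # window over which failures are counted (assumption)
TEST_USER = "test"

# Constructed sample log. The line format is an assumption for this example,
# not FileZilla's real log format:
#   "<ISO-8601 timestamp> <client_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = [
    *[f"2024-01-15T09:00:{i:02d} 203.0.113.5 admin LOGIN_FAIL" for i in range(1, 11)],
    "2024-01-15T09:00:30 203.0.113.5 admin LOGIN_FAIL",   # arrives while banned
    "2024-01-15T09:01:00 192.0.2.9 test LOGIN_FAIL",
    "2024-01-15T09:01:05 192.0.2.9 test LOGIN_OK",        # test login from unexpected IP
    "2024-01-15T09:05:00 198.51.100.7 test LOGIN_OK",     # test login from expected IP
    "2024-01-15T09:06:00 198.51.100.7 alice LOGIN_OK",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"


def analyze(lines, test_user=TEST_USER, expected_test_ips=frozenset()):
    """Replay log lines in time order and return (bans, alerts).

    bans   : dict of ip -> datetime at which the ban lapses
    alerts : list of (kind, ip, user) tuples a monitor would raise
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}
    alerts = []

    for ts, ip, user, ok in sorted(map(parse_line, lines)):
        # Anything arriving during an active ban is noise worth flagging,
        # but it does not extend or restart the failure count.
        if ip in banned_until and ts < banned_until[ip]:
            alerts.append(("attempt_during_ban", ip, user))
            continue

        if not ok:
            window = failures[ip]
            window.append(ts)
            # Drop failures that fell out of the counting window.
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                banned_until[ip] = ts + BAN_DURATION
                window.clear()
                alerts.append(("banned", ip, user))
            continue

        # Successful login: the shared-password test account is only
        # expected from addresses the operator has handed it to.
        if user == test_user and ip not in expected_test_ips:
            alerts.append(("test_login_unexpected_ip", ip, user))

    return banned_until, alerts


if __name__ == "__main__":
    bans, alerts = analyze(SAMPLE_LOG, expected_test_ips={"198.51.100.7"})
    for ip, until in bans.items():
        print(f"ban {ip} until {until.isoformat()}")
    for alert in alerts:
        print("alert", *alert)
```

Because the counting window is an assumption, tune `FAIL_WINDOW` to whatever the server actually uses; a window that is too short lets a slow guesser stay under the threshold indefinitely, which is the main gap a weak shared password leaves open even with autoban in place.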