800M credentials analyzed: Which breached holiday passwords made the naughty list?
With the holiday season rapidly approaching, we wanted to find out how many people previously used this time of year as inspiration for passwords that ended up breached. We analyzed 800 million compromised passwords and found the numbers tell a clear story – hundreds of thousands of end users have picked memorable, festive passwords that ended up on breached lists.
This research reveals how seasonal thinking creates security blind spots. We’ll break down what we found, why holiday passwords are so common, and what IT teams can do about it without becoming the Grinch. This research coincides with the latest addition of over 203 million new, unique compromised passwords to the Specops Breached Password Protection service. These passwords come from a combination of breached password lists, our honeypot network, and threat intelligence sources.
What 800 million passwords revealed about holiday security
We found roughly 750,000 instances of holiday-related passwords in our dataset of 800 million. This total includes common character substitutions and variations like “Chr1stm@s” or “S@nt@”. The data confirms what IT teams already suspect: users gravitate toward memorable passwords, and nothing is more memorable than the holidays. Unfortunately, memorable for users means predictable for attackers.
End users aren’t lazy – they’re overwhelmed. The average person has passwords for 168 accounts. When it’s time to update credentials (especially after forced password resets), they reach for what’s memorable. And what’s more memorable than the holiday season happening right now? What’s interesting, though, is that these breached passwords must have been created around Q4 of 2024 or earlier. So anyone doing the same thing this year, in 2025, is probably creating a password that’s already being used in credential stuffing attacks.
| Password term | Number of occurrences |
|---|---|
| snow | 211,207 |
| noel | 101,277 |
| santa | 95,222 |
| winter | 66,643 |
| yule | 34,435 |
| november | 30,989 |
| december | 26,849 |
| xmas | 24,365 |
| turkey | 17,644 |
| advent | 17,270 |
| merry | 16,512 |
| snowman | 11,504 |
| christmas | 10,165 |
| jingle | 8,064 |
| rudolph | 3,950 |
| sleigh | 3,354 |
| reindeer | 1,269 |
| santaclaus | 1,166 |
| mistletoe | 536 |
| thanksgiving | 490 |
| kwanzaa | 204 |
| menorah | 186 |
| blackfriday | 159 |
| hanukkah | 97 |
| fatherchristmas | 23 |
| cybermonday | 9 |
The most popular holiday season passwords
- “Snow” dominated the dataset with 211,207 appearances, likely because it’s a short, simple word users can combine with years or other dates to meet policy requirements.
- “Noel,” the French word for Christmas, followed with 101,277 instances (although it’s possible some people are using their name).
- “Santa” came in third with 95,222 occurrences.
- “Winter” appeared 66,643 times.
- “Yule” hit 34,435 – surprisingly high for a less common term.
- “Xmas” and “Christmas” appeared roughly 35,000 times when combined.
- “November” appeared 30,989 times and “December” 26,849 times. These month-based passwords spike during year-end password reset cycles, creating predictable windows attackers exploit.
Why these passwords create risk
Modern cracking tools include dictionaries with hundreds of thousands of common words, including all the holiday terms we found. They automatically test millions of combinations per second: adding numbers, swapping letters for symbols, capitalizing first letters, appending years.
A password like “Chr1stm@s!” might seem secure to an end user because it has uppercase, lowercase, numbers, and symbols – and it might tick the boxes their organization requires. But it’s based on a common dictionary word, making it vulnerable. Attackers can crack it rapidly because their tools know to substitute “1” for “i” and “@” for “a.” Compare this to a 20+ character password made up of three totally random words. Even with modern computing power, brute-forcing longer passphrases takes exponentially longer. The math is simple: more possible combinations = more time required = better security.
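The same substitution logic can be applied on the policy side. The following is an added example, not Specops code or part of the original research: it matches a candidate password against a subset of the terms in the table above while tolerating look-alike characters, and rejects it when little else remains once the holiday terms are removed. The look-alike map beyond “1” for “i” and “@” for “a”, the `MAX_OTHER_LETTERS` threshold and the function name `check_password` are assumptions of this sketch.

```python
import re

# Subset of the terms listed in the article's table.
HOLIDAY_TERMS = [
    "snow", "noel", "santa", "winter", "yule", "november", "december", "xmas",
    "turkey", "advent", "merry", "snowman", "christmas", "jingle", "rudolph",
    "sleigh", "reindeer", "santaclaus", "mistletoe", "thanksgiving", "kwanzaa",
    "menorah", "blackfriday", "hanukkah", "fatherchristmas", "cybermonday",
]

# Characters accepted in place of each letter. "1" for "i" and "@" for "a" are
# the article's examples; the remaining mappings are assumptions.
LOOKALIKES = {"a": "a@4", "e": "e3", "i": "i1!", "l": "l1",
              "o": "o0", "s": "s$5", "t": "t7"}

# Assumed threshold: reject when at most this many letters remain after the
# holiday terms are removed (digits and symbols never count as letters).
MAX_OTHER_LETTERS = 3


def _term_pattern(term):
    """Compile a regex in which every letter also matches its look-alikes."""
    classes = ("[" + re.escape(LOOKALIKES.get(ch, ch)) + "]" for ch in term)
    return re.compile("".join(classes))


# Longest terms first so "santaclaus" is consumed before "santa".
PATTERNS = [(t, _term_pattern(t))
            for t in sorted(HOLIDAY_TERMS, key=len, reverse=True)]


def check_password(password):
    """Return (rejected, matched_terms) for a candidate password."""
    remainder = password.lower()
    hits = []
    for term, pattern in PATTERNS:
        # Replace each match with a space so removal cannot create new matches.
        remainder, count = pattern.subn(" ", remainder)
        if count:
            hits.append(term)
    other_letters = sum(ch.isalpha() for ch in remainder)
    rejected = bool(hits) and other_letters <= MAX_OTHER_LETTERS
    return rejected, hits


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the analyzed dataset.
    for candidate in ("Chr1stm@s!", "S@nt@2025", "MerryXmas25",
                      "purple-winter-bicycle-lamp", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate))
```

A long passphrase that merely contains one of the terms is not rejected, because most of its letters come from the other words; exact matches against known breached passwords still need a separate lookup.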
Password reuse amplifies the risk – a breach at an unrelated service suddenly puts your end user’s Active Directory password at risk. The timing matters too. Holiday passwords tend to appear in Q4 and January during forced reset periods. Attackers know this and adjust their strategies accordingly, running targeted campaigns when these predictable patterns peak.
Find weak and compromised passwords in your network today
This month’s update to the Breached Password Protection service includes the addition of just under 4.7 million compromised passwords to the list used by Specops Password Auditor. The list also includes the 800 million breached passwords we analyzed in this study. You can find how many of your end users’ passwords are either compromised or identical with a read-only scan of your Active Directory from Specops Password Auditor. You’ll get a free customizable report on password-related vulnerabilities, including weak policies, breached passwords, and stale/inactive accounts. Download your free auditing tool here.
Continuously block weak passwords and compromised passwords
Specops Password Auditor offers a great starting point for assessing your current password risks, but it’s only a snapshot. With Specops Password Policy and Breached Password Protection, organizations can continuously protect themselves against over 4 billion known unique compromised passwords.
Our research team’s attack monitoring data collection systems update the service daily and ensure networks are protected from real world password attacks happening right now. It also includes passwords found on breached password lists on the dark web and elsewhere. Breached Password Protection continuously scans your Active Directory for breached passwords and allows you to alert end users with customizable messaging that helps reduce calls to the service desk. Interested in seeing how this might work for your organization? Have questions on how you could adapt this for your needs? Contact us or see how it works with a demo or free trial.
Last updated on November 13, 2025