The Romantic Passwords Cybercriminals Love to Use
Every year, the Specops breached password report delivers interesting insights into how passwords are created, and how attackers exploit those patterns. Users still rely on familiar words, names, places and cultural references when creating passwords. A surprising trend we’ve found is that familiarity extends to Valentine’s Day and romantic passwords.
Last year, we looked into love-related passwords to see how people used romantic language in their credentials. Recent analysis of Specops’ updated breached password database shows how common love-themed password habits remain. The word “love” appears 4,713,018 times, while “ilya” appears 233,702 times, showing that emotionally driven password choices remain widespread across breached datasets.
Our data indicates that romance in pop culture influences password creation. Terms from classic literature, such as Wuthering Heights, and titles from romance-themed TV shows, like Heated Rivalry, frequently appear. This suggests that many users choose passwords based on beloved characters, themes, and fandom references.
Top 5 romance pop-culture breached passwords
- ilya – 233,702
- shane – 105,429
- hockey – 67,658
- boston – 34,886
- catherine – 25,143
Names like Hollander, Rozanov, and Heathcliff, who are prominent romantic figures, also show up, indicating that character-based passwords are less unique than often assumed. Additionally, frequently used words like “beauty,” “beautiful,” and “roses” highlight how users tend to rely on predictable romance themes.
Top romantic and Valentine-adjacent terms
- beauty – 62,190
- beautiful – 52,649
- roses – 47,232
- flowers – 28,899
- romance – 19,765
- valentine – 14,666
Why are predictable passwords a problem?
Predictable passwords are a problem because they are easier to breach in attacks like offline password cracking. When users create romantic passwords based on love, names, pop culture, or seasonal events, they reduce the number of guesses an attacker needs.
Threat actors rely on pre-built wordlists that reflect common password habits. These lists are updated using breached credential datasets, leaked password dumps, and open-source intelligence (OSINT) from social media. Once a password appears in breach data, it should be considered permanently compromised. Attackers often store and reuse these breached passwords over time.
Credential stuffing: Credential stuffing uses leaked username and password pairs to attempt logins across other websites and services. If a user has reused passwords across multiple accounts, one breach can lead to unauthorized access elsewhere.
This method is effective because attackers do not need to crack passwords. They only need to reuse credentials that already work. A successful login can lead to mailbox access, internal phishing, privilege escalation, lateral movement, and ransomware deployment.
That’s why it’s so important to screen passwords against a breached-password corpus, which limits the time an attacker has to abuse those credentials. A strong MFA solution also helps, but does not remove the risk to accounts. Attacks like MFA bombing (also known as MFA fatigue) can be used to bypass the protection that MFA provides.
Password spraying: Password spraying involves trying a small set of common passwords across a large number of accounts. This approach avoids account lockout controls and reduces detection. Seasonal events and cultural trends make spraying more effective. Attackers know users incorporate themes such as “love,” “valentine,” and “roses” into passwords and they often update their wordlists to match these patterns, then test them across entire directories.
Password spraying remains effective because many romance-inspired credentials still meet complexity requirements. A string can look complex while still following predictable patterns. For example, “Valentine12@” exceeds Active Directory complexity requirements but is still easy to crack.
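A detection sketch for the spraying pattern described above, added here as an example and not taken from Specops or any product: it flags a source whose failed logins touch many accounts while each account stays under a lockout threshold. The log format, thresholds and function names are assumptions, and the events are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed observation window
MIN_ACCOUNTS = 5                # assumed: distinct accounts failing from one source
MAX_PER_ACCOUNT = 2             # assumed: below a typical lockout threshold

# Constructed sample events: timestamp, source address, account, outcome.
SAMPLE_EVENTS = """\
2026-02-14T09:00:05 198.51.100.7 alice FAIL
2026-02-14T09:02:10 198.51.100.7 bob FAIL
2026-02-14T09:04:15 198.51.100.7 carol FAIL
2026-02-14T09:06:20 198.51.100.7 dave FAIL
2026-02-14T09:08:25 198.51.100.7 erin FAIL
2026-02-14T09:10:30 198.51.100.7 frank FAIL
2026-02-14T09:01:00 203.0.113.20 bob FAIL
2026-02-14T09:01:20 203.0.113.20 bob FAIL
2026-02-14T09:01:40 203.0.113.20 bob FAIL
2026-02-14T09:03:00 192.0.2.33 grace FAIL
2026-02-14T09:03:30 192.0.2.33 grace OK
"""

def parse(lines):
    """Yield (timestamp, source, account, outcome) from whitespace-separated lines."""
    for line in lines.strip().splitlines():
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts), src, user.lower(), outcome

def detect_spray(lines):
    """Return {source: accounts} for sources that fail against many accounts,
    a few times each, inside one sliding window."""
    failures = defaultdict(list)
    for ts, src, user, outcome in parse(lines):
        if outcome == "FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            per_user = Counter(user for _, user in events[start:end + 1])
            if len(per_user) >= MIN_ACCOUNTS and max(per_user.values()) <= MAX_PER_ACCOUNT:
                alerts[src] = sorted(per_user)
    return alerts

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
```

The repeated failures against a single account and the mistyped password followed by a success are not flagged; only the wide, shallow pattern is.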
How to reduce the risk of compromised passwords
Security teams can’t rely solely on awareness training to combat weak password habits. Users will continue to choose familiar words, names, and cultural references because they are easy to remember. The most effective approach is to enforce technical controls that prevent compromised and predictable passwords from being used in Active Directory.
Use continuous breached password screening: A password that is safe today may not be safe tomorrow. Threat actors constantly update their credential lists, which is why organizations should treat breached password protection as an ongoing control, not a one-time check during password creation. Specops Password Policy’s breached password protection feature continuously scans Active Directory environments against a database of over 5.5 billion unique compromised passwords, helping organizations prevent users from setting credentials that already exist in attacker wordlists.
Enforce stronger password requirements beyond native Active Directory controls: Native Active Directory password policies enforce basic complexity rules, but they often fall short when organizations need more granular controls. Specops Password Policy enables you to enforce granular password policies through Group Policy, including custom dictionaries, banned password lists, and stronger rules that go beyond Microsoft’s native controls, helping security teams reduce predictable password creation.
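Why a custom dictionary catches what complexity rules miss, shown as an added example (not Specops code or any product's implementation): a simplified model of the native complexity rule beside a banned-term check, applied to “Valentine12@” from earlier on this page. The term list comes from this page's tables; the minimum length, substitution table and function names are assumptions.

```python
import re

# Terms from the lists on this page; a production dictionary would be far larger.
BANNED_TERMS = {"love", "ilya", "shane", "hockey", "boston", "catherine",
                "beauty", "beautiful", "roses", "flowers", "romance", "valentine"}

# Assumed table of common character substitutions to undo before matching.
LEET = str.maketrans("@4301!$57", "aaeoiisst")

def meets_ad_complexity(pw, min_len=8):
    """Simplified complexity rule: minimum length (assumed 8) and
    characters from at least three of four classes."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and sum(bool(re.search(c, pw)) for c in classes) >= 3

def banned_terms(pw):
    """Return the banned terms found in the password after normalization."""
    lowered = pw.lower()
    forms = {
        lowered,                          # as typed, case-folded
        lowered.translate(LEET),          # substitutions undone: v@lent1ne -> valentine
        re.sub(r"[^a-z]", "", lowered),   # separators removed: l.o.v.e -> love
    }
    return sorted(t for t in BANNED_TERMS if any(t in f for f in forms))

def evaluate(pw):
    """Return (passes_complexity, banned_hits, accepted)."""
    complex_ok = meets_ad_complexity(pw)
    hits = banned_terms(pw)
    return complex_ok, hits, complex_ok and not hits

if __name__ == "__main__":
    # Constructed candidate passwords for illustration.
    for candidate in ("Valentine12@", "R0ses&Hockey9", "copper-Kettle-drifts-47"):
        print(candidate, evaluate(candidate))
```

“Valentine12@” satisfies the complexity rule and is still rejected, because the dictionary check looks at the word underneath the decoration.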
Strengthen identity security without creating user friction: If password requirements are too frustrating, users look for workarounds like reusing passwords or storing them insecurely. Strong controls need to be enforced in a way that reduces reliance on user judgment and avoids unnecessary helpdesk burden. Tools like Specops Password Policy centralize password policy management and automate enforcement, allowing organizations to strengthen credential hygiene while delivering a smooth experience for end users. Specops uReset enables self-service password resets and account unlocks, helping organizations strengthen password hygiene while keeping productivity high.
Add layers of multi-factor authentication: For organizations moving toward zero trust, password controls should be paired with stronger login verification and device-level enforcement. Specops Secure Access strengthens authentication by adding adaptive MFA verification at the point of login, helping reduce the risk that stolen credentials alone can be used to access corporate systems. Specops’ zero trust access solution, Specops Device Trust, verifies both the user and their device at every access point, continuously checks device posture throughout each session, and enforces device-based access control through user-device binding. This helps block account takeover attempts, even when attackers have valid credentials.
To learn how Specops helps organizations reduce the risk of stolen and predictable passwords, strengthen authentication, and enforce zero trust access with continuous device verification, speak to one of our experts today.
Last updated on March 23, 2026