[New research] 1.7 Billion Passwords Analyzed: “Strong” Passwords Leaked in Infostealer Attacks
Think your “strong” password is safe just because it’s long and full of symbols? Think again. New research from Specops shows that even passwords meeting common enterprise security standards are still ending up in attackers’ hands.
Between February and March 2026, Specops researchers analyzed over 1.7 billion credentials exposed in recent infostealer leaks and sampled a 100GB+ dataset of infostealer logs, including 100 million records from the actor known as Alien_Txtbase.
We focused on passwords that satisfy standard strong password requirements to demonstrate that compliance alone does not protect against infostealers. The dataset consists primarily of ULP records (URL:Login:Password), representing credentials stolen from browser password stores, desktop applications, and local files on compromised systems.
The results reveal a clear pattern: passwords that satisfy enterprise policies are still stolen directly from compromised devices. Whether generated by password managers or created by users, these credentials frequently appear in infostealer dumps and circulate across dark web markets and Telegram stores as part of the growing initial access market.
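Because the dataset is made of ULP (URL:Login:Password) records, the first thing a defender does with such a dump is parse it and pull out the lines that concern their own organization, so the affected accounts can be reset. The following is an added example, not Specops code: it parses constructed ULP lines (the colon-separated URL field may itself contain colons for scheme and port, which the regex handles by anchoring on the scheme and letting the password field absorb the rest), matches records against a watch-list of corporate domains by site host or by login e-mail, and masks the password so analysts never handle plaintext. The sample records and the domain `example.com` are constructed.

```python
import re
from urllib.parse import urlsplit

# ULP lines are "URL:Login:Password". The URL can itself contain ':' (scheme, port),
# so anchor on the scheme and let the password (last field) absorb any further colons.
# Logins containing ':' remain ambiguous in this format and will not parse.
ULP_RE = re.compile(
    r"^(?P<url>https?://[^/:\s]+(?::\d+)?(?:/[^:\s]*)?):(?P<login>[^:\s]+):(?P<password>.+)$"
)

# Constructed sample of infostealer-style records (not real data); one line is malformed.
SAMPLE_ULP_LINES = [
    "https://mail.example.com/login:alice@example.com:Hunter2!2026",
    "https://shop.retailer.test:bob:PhD@shababclub",
    "http://10.0.0.5:8443/admin:admin:p@ss:with:colons",
    "https://portal.example.com:carol:Timeisoftheessence❤&💡",
    "this line is not a ULP record",
]


def parse_ulp_line(line):
    """Return {url, host, login, password} for a well-formed ULP line, else None."""
    m = ULP_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m["url"]).hostname or ""
    return {"url": m["url"], "host": host.lower(),
            "login": m["login"], "password": m["password"]}


def mask(secret):
    """Keep the first two characters so an analyst can recognise the entry without the plaintext."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def in_scope(host, login, watch_domains):
    """Return the ways a record touches a watched domain: by site host and/or by login e-mail."""
    hit = []
    if any(host == d or host.endswith("." + d) for d in watch_domains):
        hit.append("host")
    if any(login.lower().endswith("@" + d) for d in watch_domains):
        hit.append("login")
    return tuple(hit)


def triage_ulp(lines, watch_domains):
    """Return (in-scope records with masked passwords, count of unparsable lines)."""
    watch = {d.lower() for d in watch_domains}
    findings, unparsed = [], 0
    for line in lines:
        rec = parse_ulp_line(line)
        if rec is None:
            unparsed += 1
            continue
        matched = in_scope(rec["host"], rec["login"], watch)
        if matched:
            findings.append({
                "url": rec["url"], "login": rec["login"], "host": rec["host"],
                "password_masked": mask(rec["password"]),
                "password_length": len(rec["password"]),
                "matched_on": matched,
            })
    return findings, unparsed


if __name__ == "__main__":
    hits, bad = triage_ulp(SAMPLE_ULP_LINES, {"example.com"})
    print(f"{len(hits)} in-scope records, {bad} unparsable lines")
    for h in hits:
        print(h["login"], h["host"], h["password_masked"], h["matched_on"])
```

The login-based match matters as much as the host match: a corporate e-mail used to sign up at a third-party site is exactly the reuse scenario the post describes, and that record should trigger a reset of the corporate account even though the leaked site is not yours.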
Over 430 million leaked passwords added
This month’s Breached Password Protection update adds over 430 million unique compromised passwords to the list used by Specops Password Policy, bringing the total up to over 5.8 billion.
We have also added over 4.4 million records to Specops Password Auditor, a free, read-only tool that scans Active Directory (AD) for compromised credentials and other password-related vulnerabilities. Run a scan today to receive a customizable report on breached passwords, identical credentials, and inactive accounts.
All newly discovered credentials are immediately incorporated into Specops Breached Password Protection, which continuously updates its database using threat intelligence sources and honeypots operated by Specops and our parent company Outpost24.
19% of breached passwords were ‘strong’
The sampled data shows a mix of human-generated passwords and automated password manager strings. Approximately 19% of records present in the sample were longer than 8 characters and contained mixed alphanumeric and special characters. Despite their strength, every password below was found in the recent breach cache.
Compliant but still breached passwords
| Sampled Breached Passwords | Type/Observation |
|---|---|
| 4rUyXctf.G!Ek4 | Likely password manager generated |
| ue6WESJOm5rfs1Jpre1v@Y#H | High-entropy/strong |
| PhD@shababclub | Human-generated/industry-specific |
| ThГ©oParet92 | Includes special symbols/copyright characters |
| Timeisoftheessence❤&💡 | Includes emojis |
| 2-nBhF9U6Vdv*6s | Compliant with most strong password policies |
Surprising password trends
One standout record, ThГ©oParet92, shows the use of symbols like the copyright sign. While these symbols may increase entropy and frustrate some cracking attempts, they offer zero protection once the password is exfiltrated by malware.
We are also seeing an increase in the use of emojis, such as Timeisoftheessence❤&💡. While emojis can create “surprise entropy” in cracking competitions, they are a double-edged sword. Many legacy systems cannot handle them, and they are still easily captured by infostealers that mirror the user’s actual input.
“Admins can ensure their AD is full of strong, NIST-compliant passwords. The real question is how you know whether those passwords are being reused elsewhere or have already been stolen. If a user can type a password into a browser, malware can steal it. That’s why checking for breached credentials needs to be part of your security strategy.”
Darren James, Senior Product Manager, Specops
Why weak passwords are a problem
Problematic passwords, such as those identified in our analysis, put your organization at risk in a variety of ways, including:
Compliance and governance risks
As our analysis shows, passwords that technically meet policy requirements can still appear in breach datasets. For example, 2-nBhF9U6Vdv*6s meets many enterprise password policy requirements but was still found in the breach cache. If these credentials are reused or compromised through attacks such as credential stuffing or account takeover, organizations may face compliance and regulatory consequences under standards such as GDPR, HIPAA, and PCI DSS.
Exposure to automated cracking
Attackers use automated tools to carry out password cracking and brute-force attacks, testing large numbers of password combinations. Passwords that follow predictable human patterns, such as capitalizing the first letter, using lowercase characters in the middle, and ending with numbers or symbols like “!”, can often be guessed quickly by modern cracking tools. For example, a password such as Shunaka25! follows this structure and may be prioritized by cracking dictionaries.
Increased risk of password reuse
When users reuse passwords across multiple services, a single breach can expose access to multiple systems. For example, if a password such as PhD@shababclub appears in breach datasets or infostealer logs, attackers may attempt to reuse those credentials across corporate services in credential stuffing attacks.
How to strengthen password security
Continuously block weak and compromised passwords
Don’t wait for a yearly audit to find vulnerabilities. You need to block compromised passwords at the point of creation so users cannot choose credentials that already exist in breach datasets. Because new breaches occur daily, the system must continuously scan your AD to detect and remediate accounts the moment their credentials appear in new infostealer logs or dark web dumps.
With Specops Password Policy and Breached Password Protection, organizations can prevent the use of weak passwords and block over 5.8 billion known compromised passwords. Passwords are not only checked when they are created but continuously scanned throughout their lifecycle in AD to detect when credentials appear in new breach datasets. Using an up-to-date breached password list makes it easy to comply with industry regulations such as NIST or NCSC.
Enforce smarter password policies
Standard compliance policies often lead to predictable human patterns, like adding a “!” to the end of a password. To truly harden identity security, you must prevent these predictable patterns when users create a new password by moving toward long, high-entropy passphrases.
Specops Password Policy allows you to move beyond basic character requirements by using custom dictionaries to block industry-specific terms, seasonal patterns, and common character substitutions, forcing users to create truly unique, secure credentials and adopt more secure passphrase-based policies.
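The three controls described above (block compromised passwords, reject predictable patterns, and enforce a custom dictionary that sees through character substitutions) can be expressed as a small filter chain. The following is an added example written for this page, not Specops Password Policy code: it checks a candidate against a three-of-four-classes length rule, a regex for the capital-first/lowercase-middle/suffix pattern quoted in the text, a custom dictionary consulted after undoing common substitutions (`@`→`a`, `3`→`e`, `$`→`s` and so on), and a breached-hash set. The breached set is constructed by hashing the table's own passwords so the example runs offline; a real deployment queries a maintained breach corpus instead. The dictionary terms and the policy thresholds are assumptions.

```python
import hashlib
import re

# Constructed sample: the table's passwords plus the predictable one from the text.
SAMPLE = ["4rUyXctf.G!Ek4", "PhD@shababclub", "2-nBhF9U6Vdv*6s", "Shunaka25!"]

# Constructed stand-in for a breached-password list: SHA-1 digests of the sample above.
# A real deployment would consult a maintained breach corpus, not hash its own inputs.
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in SAMPLE}

# Constructed custom dictionary (hypothetical): industry terms, seasons, a company name.
CUSTOM_DICTIONARY = {"shabab", "specops", "summer", "winter", "password", "welcome"}

# Common character substitutions, undone before the dictionary check.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Capital first letter, lowercase body, digits/symbols only at the end.
PREDICTABLE = re.compile(r"^[A-Z][a-z]+[\d!@#$%^&*?.]+$")


def meets_basic_policy(pw, min_len=9):
    """Longer than 8 characters and at least three of four character classes (assumed rule)."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3


def follows_predictable_pattern(pw):
    """True for the 'Shunaka25!' shape: capital, lowercase run, trailing digits/symbols."""
    return PREDICTABLE.match(pw) is not None


def normalize(pw):
    """Lower-case and undo leet substitutions so 'Sp3cops' is compared as 'specops'."""
    return pw.lower().translate(LEET)


def dictionary_hits(pw, dictionary=CUSTOM_DICTIONARY):
    """Dictionary terms found as substrings of the normalized password."""
    n = normalize(pw)
    return sorted(term for term in dictionary if term in n)


def is_breached(pw, breached=BREACHED_SHA1):
    """Compare the SHA-1 digest against the breached set; the plaintext never leaves this function."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in breached


def evaluate(pw):
    """Return the list of reasons to reject pw; an empty list means it passes every check."""
    reasons = []
    if not meets_basic_policy(pw):
        reasons.append("policy")
    if follows_predictable_pattern(pw):
        reasons.append("predictable_pattern")
    if dictionary_hits(pw):
        reasons.append("dictionary")
    if is_breached(pw):
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    for candidate in SAMPLE + ["Sp3cops2026!", "correct-horse-battery-staple-42"]:
        verdict = evaluate(candidate) or ["accepted"]
        print(f"{candidate:35s} policy_ok={meets_basic_policy(candidate)} -> {', '.join(verdict)}")
```

Note that every password in the table passes `meets_basic_policy` and is rejected only by the breach check, which is the point of the analysis: the compliance test alone would have accepted all of them. The substitution-aware dictionary is what stops `Sp3cops2026!` from slipping past a plain word list, and the pattern check catches `Shunaka25!` even before the breach list is consulted.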
Interested in seeing how this might work for your organization? Have questions on how you could adapt this to your needs?
Last updated on May 26, 2026