Highlights

- 123456, 123456789, and 12345678 were the top 3 most compromised passwords
- LummaC2 led credential theft with 60+ million stolen credentials
- Eight-character passwords were the most commonly stolen, with 1.1 billion passwords compromised

About the data
The data in this report comes from the threat intelligence team at Outpost24, Specops Software’s parent company. In total, over six billion stolen passwords were captured and analyzed over a 12-month period between January and December 2025.
The dataset is derived from infostealer malware logs, credential aggregation sources, and underground marketplaces. While the data reflects activity observed during 2025, the patterns identified represent sustained attacker behavior rather than short-term or seasonal anomalies.
Why malware-stolen credentials should concern every organisation
“Despite years of awareness training and increasingly complex password policies, attackers are still encountering the same weak and predictable credentials across systems. This isn’t just a volume problem, it’s evidence that static password controls don’t reflect how credentials are actually stolen, reused, and operationalized today. Password strength comes from length, often achieved through the use of passphrases, paired with continuous checks for compromised passwords, not from complexity alone.”
Are weak passwords hiding in your AD?
Run a free audit to understand your password exposure.
Specops Password Auditor is a free, read-only tool that identifies multiple password-related risks in minutes. It scans your Active Directory against over a billion known compromised passwords, while also analyzing domain and fine-grained password policies.
- No installation required
- Gain immediate visibility into credential risk
- Receive an easy-to-understand report
Frequently Asked Questions
What makes a password weak?
A weak password is short, common, or predictable (for example, built from keyboard patterns or leetspeak substitutions of a common word). A password that is reused across multiple accounts, or one that appears on a breached password list, is also weak regardless of how it looks.
Does Active Directory detect weak or breached passwords?
Active Directory does not check for weak or breached passwords out of the box. With some configuration, administrators can check Active Directory passwords against the Have I Been Pwned password list.
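As an added example (not code from the report or from any Specops tool), the following Python sketch combines the two checks the answers above describe: heuristic tests for short, common and predictable passwords (keyboard walks and leetspeak variants of dictionary words), and a breached-list lookup using the k-anonymity range scheme of the Have I Been Pwned Pwned Passwords API, where the client sends only the first five characters of the SHA-1 hash and compares suffixes locally. The lookup runs here against a constructed in-memory stand-in for the range service rather than the live API. The breached list, keyboard rows, leetspeak map and the 12-character minimum are assumptions for illustration.

```python
import hashlib

# Constructed stand-in for a breached-password list; a real check uses the full
# Have I Been Pwned corpus, which is far larger.
CONSTRUCTED_BREACHED = {"123456", "123456789", "12345678", "password", "qwerty"}

# Keyboard rows used to spot keyboard walks such as "qwerty", "asdfgh" or "12345678".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Common leetspeak substitutions, undone before the dictionary check so that
# "P@ssw0rd" is judged as "password". Assumed mapping, not an exhaustive one.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed policy minimum; tune to the organisation's own policy


def normalize_leet(pw: str) -> str:
    """Lower-case the password and undo leetspeak substitutions."""
    return pw.lower().translate(LEET_MAP)


def has_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if the password contains min_run adjacent keys from one row, in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            frag = row[i:i + min_run]
            if frag in s or frag[::-1] in s:
                return True
    return False


def weakness_reasons(pw: str, breached=CONSTRUCTED_BREACHED) -> list:
    """Return the reasons a password is weak; an empty list means no finding."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if pw.lower() in breached:
        reasons.append("on breached list")
    elif normalize_leet(pw) in breached:
        reasons.append("leetspeak variant of a breached password")
    if has_keyboard_walk(pw):
        reasons.append("keyboard pattern")
    return reasons


def hibp_split(pw: str):
    """SHA-1 the password and split the hex digest into the 5-char range prefix and 35-char suffix."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the k-anonymity range lookup: the client asks for one
# 5-character prefix and receives "SUFFIX:COUNT" lines for every hash in that range.
# The middle entry is the real SHA-1 suffix of "password"; the other two are made up.
CONSTRUCTED_RANGE_SERVER = {
    "5BAA6": "\n".join([
        "0" * 34 + "A:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3",
        "F" * 35 + ":2",
    ]),
}


def pwned_count(pw: str, range_server=CONSTRUCTED_RANGE_SERVER) -> int:
    """How many times the password appears in the breached corpus (0 if never seen)."""
    prefix, suffix = hibp_split(pw)
    # Only the prefix leaves the client; the suffix comparison happens locally.
    for line in range_server.get(prefix, "").splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "password", "correct horse battery staple"):
        print(candidate, weakness_reasons(candidate), "seen:", pwned_count(candidate))
```

The heuristics answer "does this password look weak"; the range lookup answers "has this exact password already been stolen", which a long, unique-looking password can still fail. In production the `CONSTRUCTED_RANGE_SERVER` dictionary would be replaced by an HTTPS request for `/range/<prefix>`, and the plaintext password would never be logged or sent anywhere.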
What makes a password strong?
A strong password is long, unique, and hard to guess. Even a strong password becomes vulnerable once it is leaked or stolen. Passwords should be checked regularly against a list of known compromised passwords, and changed at the first indication of compromise.
How can strong passwords be enforced in Active Directory?
With a third-party tool like Specops Password Policy, system admins can enforce password length, passphrases, and complexity, while blocking common character types at the beginning or end of passwords, as well as consecutively repeated characters. Admins can also meet compliance requirements by blocking the use of known or compromised passwords, such as the most common passwords of 2025.