Highlights

83%

of compromised passwords satisfy the password length and complexity requirements of regulatory password standards

88%

of passwords used to attack RDP ports in live attacks are 12 characters or less

18.82%

of 4.6 million passwords used in live attacks to RDP ports contain only lowercase letters

About the Data

Poor password practices are putting businesses at risk. Data breaches continue to be a threat to all types of organizations across the globe, underscoring the importance of greater password security, as a means to protect our business data, as well as our digital ecosystem.

This year’s Weak Password Report highlights why passwords are still the weakest link in an organization’s network, and how stronger password policy enforcement can be your best defense.

The research in this report has been compiled through various methods, including:

  • Our analysis of 800 million breached passwords, a subset of the more than 3 billion unique compromised passwords within the Specops Breached Password Protection list.
  • Our analysis of passwords found in live attacks on our team’s honeypot network, another source for compromised passwords blocked by the Specops Breached Password Protection list.

Learn More About the Data

The Most Common Base Term used to Attack Networks Across Multiple Ports

The Specops research team looked at passwords being used to attack RDP ports in live attacks and analyzed a subset of over 4.6 million passwords collected over the span of several weeks.

We identified patterns in recent attacks and uncovered that more than 88% of passwords used in attacks were 12 characters or less. The most common password length found in this attack data was 8 characters at almost 24%.

Download Report to See Most Common Passwords

Rank

Password

1

password

2

admin

3

welcome

4

p@ssw0rd

5

qaz2wsx

6

homelesspa

7

p@ssword

8

qwertyuiop

9

q2w3e4r5t

10

q2w3e4r

Block Weak Passwords

Block the use of more than 3 billion compromised passwords including those found on known breached lists with Specops Password Policy with Breached Password Protection.

Frequently Asked Questions


A weak password is short, common, and predictable (uses keyboard patterns, or leetspeak). A password that is reused across multiple accounts, or one that appears on a breached password list, is also weak.

Active Directory does not check for weak or breached passwords out-of-the-box. With some configuration, Administrators can check Active Directory passwords against the Have I been Pwned password list.

A strong password is longunique, and hard-to-guess. A strong password can still be vulnerable if it is leaked or stolen. Password should be regularly checked against a list of known passwords, and changed on indication of compromise.

With a third-party tool like Specops Password Policy, system admins can enforce password length, passphrases, and complexity, while blocking common character types at the beginning/end of passwords, as well as consecutively repeated characters. Admins can also enforce compliance requirements by blocking the use of known or compromised passwords.

Previous Annual

Password Reports:

2022