Highlights

123456

was the most common compromised password found in KrakenLab’s new list of breached cloud application credentials

31.1 million

analyzed breached passwords were over 16 characters in length – showing longer passwords aren’t safe from being breached

Only 50%

of organizations scan for compromised passwords more than once a month

About the data

Data in this report comes from the sources detailed below – some has been previously published throughout the year while some is brand new. We’ll make it clear which pieces of information come from which source as you read through: 

  • The Outpost24 (Specops Software’s parent company) threat intelligence team, KrakenLabs, carried out two pieces of research detailed in this report:
    1. Analyzed more than two million business application credentials hacked by malware to find some of the most commonly breached passwords. Published for this first time in this report
    2. Analyzed 1.8 million administrator credentials collected between January and September 2023 
  • Specops surveyed 151 cybersecurity professionals at the 2023 International Cyber Expo event. Participants were asked a set of in-person questions about their organization’s password security – these responses are detailed in this report for the first time. All respondents and their respective organizations remained anonymous  
  • Over the past year, Specops researchers have run several pieces of analysis on a pool of over 800 million breached passwords. This is a subset of our larger Breached Password Protection database of over 4 billion breached passwords  

Learn More About the Data

darren james

Darren James
Senior Product Manager, Specops Software

2024: Year of the secure password? 

After decades of end user training, passwords are still a problem for IT teams and a weak point in many organization’s cybersecurity strategies. A huge amount of cybercrime still focuses on passwords: stealing credentials, selling them on, and using them as an initial access point for breaching organizations. Verizon estimates stolen credentials are involved in nearly half (44.7%) of all data breaches, and we know there’s a thriving underground marketplace for stolen data and credentials.  

Despite this, passwords aren’t going anywhere. We surveyed 151 cybersecurity professionals at the 2023 International Cyber Expo event and found that only 12% of organizations have moved away from using passwords as their primary method of authentication. Getting rid of passwords entirely is simply not feasible for most organizations – so how can we make them work better?  

Throughout 2023, our research team regularly analyzed breached password data and live attacks to share their findings and showcase the importance of password security and potential vulnerabilities posed by weak or compromised passwords. This report brings the highlights of that research together along with some previously unpublished findings. The aim is to give organizations a deeper understanding of the patterns and trends relating to breached passwords, as well as sharing advice on how to tighten up their access security. 

We’ll explore how weak and compromised passwords offer potential attack routes into organizations, why a strong password policy isn’t enough on its own, and explore some of the password mistakes you might not know your end users are making. You’ll also get access to a free Active Directory auditing tool and practical advice from our years of password security expertise that can be implemented straight away.  

Make 2024 the year of the secure password!  

Download the Report

Are weak passwords hiding in your AD?

Run a free audit today to start your journey towards better password security. Specops Password Auditor is a free tool that can identify multiple types of password-related vulnerability in minutes. Carry out a read-only check of your Active Directory against almost 1 billion compromised passwords and analyze your domain password policies and fine-grained password policies.

Download the report now!

Please fill in your information to download the report. All fields are mandatory.


Frequently Asked Questions


A weak password is short, common, and predictable (uses keyboard patterns, or leetspeak). A password that is reused across multiple accounts, or one that appears on a breached password list, is also weak.

Active Directory does not check for weak or breached passwords out-of-the-box. With some configuration, Administrators can check Active Directory passwords against the Have I been Pwned password list.

A strong password is longunique, and hard-to-guess. A strong password can still be vulnerable if it is leaked or stolen. Password should be regularly checked against a list of known passwords, and changed on indication of compromise.

With a third-party tool like Specops Password Policy, system admins can enforce password length, passphrases, and complexity, while blocking common character types at the beginning/end of passwords, as well as consecutively repeated characters. Admins can also enforce compliance requirements by blocking the use of known or compromised passwords.

Previous Annual

Password Reports:

2023

2022