Highlights
230 million stolen passwords meet standard complexity requirements
123456, admin, and password are the most commonly stolen passwords in 2024
Redline was the most popular credential-stealing malware
About the data
Data in this report comes from KrakenLabs, the Threat Intelligence team at Outpost24 (Specops Software’s parent company). In total, 1,089,342,532 stolen passwords captured over a 12-month period were analyzed for this report. The data is accurate as of December 2024; however, we expect the overall trends and patterns to remain consistent. The most common password 2025 report also references other pieces of individual research carried out by the KrakenLabs teams throughout 2024.
Should we worry about malware-stolen credentials?
“The amount of passwords being stolen by malware should be a concern for organizations. Even if your organization’s password policy is strong and meets compliance standards, this won’t protect passwords from being stolen by malware. In fact, we see many stolen passwords in this dataset exceeding the length and complexity requirements in common cybersecurity regulations.
“We also know password reuse is extremely common, so it’s possible end users are reusing work passwords on personal devices, applications, and websites with weak security which are more vulnerable to malware. It’s vital you have a way to check your Active Directory for compromised passwords that hackers could use also in 2025 as a relatively simple entry point into your organization.”
Are weak passwords hiding in your AD?
Run a free audit today to start your journey towards better password security. Specops Password Auditor is a free tool that can identify multiple types of password-related vulnerability in minutes. Carry out a read-only check of your Active Directory against almost 1 billion compromised passwords and analyze your domain password policies and fine-grained password policies.
Frequently Asked Questions
A weak password is short, common, and predictable (uses keyboard patterns, or leetspeak). A password that is reused across multiple accounts, or one that appears on a breached password list, is also weak.
Active Directory does not check for weak or breached passwords out of the box. With some configuration, administrators can check Active Directory passwords against the Have I Been Pwned password list.
A strong password is long, unique, and hard to guess. A strong password can still be vulnerable if it is leaked or stolen. Passwords should be regularly checked against a list of known compromised passwords, and changed on any indication of compromise.
With a third-party tool like Specops Password Policy, system admins can enforce password length, passphrases, and complexity, while blocking common character types at the beginning/end of passwords, as well as consecutively repeated characters. Admins can also enforce compliance requirements by blocking the use of known or compromised passwords like the most common passwords 2025.
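The two FAQ answers above describe what makes a password weak (short, common, keyboard patterns, leetspeak) and recommend checking passwords against a breached-password list such as Have I Been Pwned. The following is an added example written for this page; it is not Specops' or Outpost24's code and does not show how Specops Password Policy works internally. It assumes a small constructed block list, a hypothetical helper `audit_password`, and a constructed offline stand-in for the Have I Been Pwned range API (`https://api.pwnedpasswords.com/range/<prefix>`, which takes the first 5 hex characters of the password's SHA-1 and returns `SUFFIX:COUNT` lines, so the full password or hash never leaves the client). The breach counts in the constructed response are made up.

```python
import hashlib
import urllib.request

# Constructed mini block list of common passwords (a real audit would load a
# full list such as a most-common-passwords file from disk).
COMMON_PASSWORDS = {"123456", "admin", "password", "qwerty", "letmein", "welcome"}

# Keyboard rows used to detect "walks" such as qwer, asdf, 1234.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Common leetspeak substitutions, folded back to letters before block-list lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize_leet(pw: str) -> str:
    """Lower-case and undo leetspeak so P@ssw0rd is compared as 'password'."""
    return pw.lower().translate(LEET_MAP)


def has_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if the password contains a run of min_len adjacent keys in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in s:
                    return True
    return False


def weak_password_reasons(pw: str, min_length: int = 12) -> list:
    """Hypothetical heuristic check mirroring the FAQ definition of a weak password."""
    reasons = []
    if len(pw) < min_length:
        reasons.append("short")
    if pw.lower() in COMMON_PASSWORDS or normalize_leet(pw) in COMMON_PASSWORDS:
        reasons.append("common")
    if has_keyboard_walk(pw):
        reasons.append("keyboard-pattern")
    return reasons


def split_sha1(pw: str):
    """Return the (5-char prefix, 35-char suffix) of the upper-case hex SHA-1, as the range API expects."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} dict; malformed lines are skipped."""
    counts = {}
    for line in text.strip().splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


# Constructed offline stand-in for the range API. The first suffix is the real
# SHA-1 suffix of "password"; the other entries and all counts are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000\n"
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10\n"
    ),
}


def offline_range_lookup(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against the real range API (not used by the tests; needs network)."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


def breach_count(pw: str, range_lookup=offline_range_lookup) -> int:
    """How many times the password appears in the breach corpus (0 if absent)."""
    prefix, suffix = split_sha1(pw)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def audit_password(pw: str, range_lookup=offline_range_lookup) -> list:
    """Combine the heuristic checks with the breach-list check; empty list means no finding."""
    reasons = weak_password_reasons(pw)
    n = breach_count(pw, range_lookup)
    if n:
        reasons.append(f"breached({n})")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "qwerty123", "Tr0ub4dor&3-correct-horse"]:
        print(candidate, "->", audit_password(candidate) or "ok")
```

Swap `offline_range_lookup` for `hibp_range_lookup` to query the live service; only the 5-character prefix is sent, and the suffix comparison happens locally. For an Active Directory audit the same comparison would be run over NT hashes with an NTLM-mode breach list rather than over plaintext passwords, since plaintext is never available to the administrator.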
Previous Annual Password Reports: