of compromised passwords satisfy the password length and complexity requirements of regulatory password standards


of passwords used to attack RDP ports in live attacks are 12 characters or less


of 4.6 million passwords used in live attacks to RDP ports contain only lowercase letters

About the Data

Poor password practices are putting businesses at risk. Data breaches continue to be a threat to all types of organizations across the globe, underscoring the importance of greater password security, as a means to protect our business data, as well as our digital ecosystem.

This year’s Weak Password Report highlights why passwords are still the weakest link in an organization’s network, and how stronger password policy enforcement can be your best defense.

The research in this report has been compiled through various methods, including:

  • Our analysis of 800 million breached passwords, a subset of the more than 4 billion unique compromised passwords within the Specops Breached Password Protection list.
  • Our analysis of passwords found in live attacks on our team’s honeypot network, another source for compromised passwords blocked by the Specops Breached Password Protection list.

Learn More About the Data

The Most Common Base Term used to Attack Networks Across Multiple Ports

The Specops research team looked at passwords being used to attack RDP ports in live attacks and analyzed a subset of over 4.6 million passwords collected over the span of several weeks.

We identified patterns in recent attacks and uncovered that more than 88% of passwords used in attacks were 12 characters or less. The most common password length found in this attack data was 8 characters at almost 24%.

Other categories

Our research team took a look at passwords being used to attack RDP ports in live attacks and analyzed a subset of over 4.6 million passwords collected over the span of several weeks.

The cyberattack on America’s largest microchip company understandably sparked concern for data security. Specops Software explored a few examples of these leaked passwords to pinpoint the factors that led to their compromise.

Download Report to See Most Common Passwords























Block Weak Passwords

Block the use of more than 4 billion compromised passwords including those found on known breached lists with Specops Password Policy with Breached Password Protection.

Frequently Asked Questions

A weak password is short, common, and predictable (uses keyboard patterns, or leetspeak). A password that is reused across multiple accounts, or one that appears on a breached password list, is also weak.

Active Directory does not check for weak or breached passwords out-of-the-box. With some configuration, Administrators can check Active Directory passwords against the Have I been Pwned password list.

A strong password is longunique, and hard-to-guess. A strong password can still be vulnerable if it is leaked or stolen. Password should be regularly checked against a list of known passwords, and changed on indication of compromise.

With a third-party tool like Specops Password Policy, system admins can enforce password length, passphrases, and complexity, while blocking common character types at the beginning/end of passwords, as well as consecutively repeated characters. Admins can also enforce compliance requirements by blocking the use of known or compromised passwords.

Previous Annual

Password Reports: