Security researchers at Specops Software analyzed more than six billion exposed passwords over the past year and published a detailed report on what they found. The study documents the most common password choices and the continuing risk posed by data breaches.
Regrettably, the five most frequently compromised passwords show that many people have not changed their habits despite repeated warnings: the list consists of the usual suspects, simple numeric sequences and basic dictionary terms.
It is concerning that so many users do not choose even a moderately unique term to protect their accounts. Beyond the leading examples, the team frequently encountered combinations built on everyday words such as hello, welcome, guest or student.
Words like these suggest the exposed credentials come not only from personal accounts but also from corporate, educational or shared systems. The classic keyboard sequence qwerty, taken from the first letter keys on a standard English keyboard, still appears prominently.
Combinations concluding with @123 or @1234 show up regularly, typically starting with a personal name, location, or routine term like hello or hola. Such choices highlight a lack of originality among those creating them. Experts emphasize that merely adding uppercase letters or symbols to basic phrases falls short if the structure remains predictable.
A notable trend in the dataset is that the single most common length is exactly eight characters: roughly one-sixth of all entries are that long, probably because eight is the length of the word password itself. Entries shorter than eight characters are far less common.
The analysis also identifies the leading info-stealing malware responsible for the largest credential hauls from January through December 2025. These top five threats collectively accounted for almost 100 million captured credentials. Such incidents show how a single breach can affect vast numbers of people at once, as illustrated by a major exposure linked to FBI efforts last December.
Users with limited technical knowledge, who are frequently targeted by phishing, are especially exposed. The study flags Lumma Stealer as a growing concern, having climbed notably in the rankings of the most severe threats. The developers of these tools keep enhancing them, bundling multiple capabilities into comprehensive kits.
To mitigate the risk, everyday users and IT managers alike should adopt strong, complex passwords that avoid recognizable patterns. Using a dedicated password manager to generate and store credentials is highly recommended.
Enabling two-factor authentication adds a further layer of protection. Avoiding previously compromised passwords is crucial; services such as the Have I Been Pwned site let you check whether a password has already appeared in a known breach.
Changing passwords periodically can further strengthen security; administrators can enforce this through policy, for example by requiring renewal annually or every few months.
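The predictable patterns the report calls out (common base words, the qwerty sequence, the @123-style suffix, the eight-character length) and the Have I Been Pwned lookup can be combined into a simple check that a system runs before accepting a new password. The Python below is an added example, not code from Specops or Have I Been Pwned: the word list, keyboard rows and the sample range response are constructed here, and the k-anonymity lookup (send only the first five hex characters of the SHA-1, compare the remaining suffix locally) follows the public Pwned Passwords range API.

```python
import hashlib
import re

# Constructed for this example: base words, keyboard rows and the @123-style
# suffix the report singles out (not the report's own word list).
COMMON_WORDS = {"password", "hello", "hola", "welcome", "guest", "student", "qwerty"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
SUFFIX_RE = re.compile(r"@?\d{1,4}$")  # trailing "@123", "@1234", "2024" ...


def weaknesses(pw: str) -> list[str]:
    """Return the predictable-pattern findings for a candidate password."""
    findings = []
    low = pw.lower()
    stem = SUFFIX_RE.sub("", low)  # "hello@123" -> "hello"
    if len(pw) == 8:
        findings.append("exactly-8-chars")  # the report's most common length
    if stem in COMMON_WORDS or low in COMMON_WORDS:
        findings.append("common-word")
    if stem != low and stem.isalpha():
        findings.append("predictable-suffix")  # word or name + @123 pattern
    if any(row[i:i + 4] in low for row in KEYBOARD_ROWS for i in range(len(row) - 3)):
        findings.append("keyboard-sequence")  # any 4-key run such as "qwer"
    return findings


def hibp_range_query(pw: str) -> tuple[str, str]:
    """Split SHA-1(pw) into the 5-hex-char prefix sent to the Pwned Passwords
    range endpoint and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def seen_in_breach(pw: str, range_response: str) -> int:
    """Return how often pw appeared in breaches according to a range response
    ("SUFFIX:COUNT" per line, as the API returns it), or 0 if it is absent.
    The caller must have fetched range_response for the prefix of pw."""
    _, suffix = hibp_range_query(pw)
    for line in range_response.splitlines():
        hash_suffix, _, count = line.strip().partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to range 5BAA6 (the prefix for
# "password"); the second suffix and both counts are invented.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:2
"""
```

A real deployment fetches the range response for the prefix returned by `hibp_range_query` and rejects any candidate for which `seen_in_breach` is non-zero or `weaknesses` is non-empty.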