As it does every year, Specops publishes its report on password cybersecurity, after analyzing more than a billion stolen credentials.
Specops has released its 2025 Compromised Password Report, described as “a year-over-year analysis of credentials stolen by malware.” The result is a comprehensive overview of password compromise, focusing on the most commonly used, most frequently stolen, and easiest-to-crack credentials. “A total of 1,089,342,532 stolen passwords captured over a 12-month period were analyzed for this report,” Specops said.
Stolen passwords: “123456”, “admin” or “password” are still popular…
Of the billion stolen credentials analyzed, Specops notes that passwords like “admin,” “password,” and “123456” “still appear with depressing regularity.” Indeed, the five most stolen passwords consist of nothing but such basic terms or digit sequences.
The five most frequently stolen passwords:
- 123456: stolen 3.7 million times,
- admin: stolen 1.9 million times,
- 12345678: stolen 1.5 million times,
- password: stolen 558,000 times,
- Password: stolen 474,000 times.
Length makes little difference either: whether the passwords are 5, 6, 7, or 8 characters long, the same basic terms dominate, as the tables below (listing the base words most commonly used as passwords) show.
Complexity requirements do not necessarily mean security
It is no surprise that such simplistic passwords are cracked instantly. However, the Specops report highlights how many stolen credentials meet “standard complexity requirements,” meaning a minimum of eight characters with at least one capital letter, one number, and one special character. Of the billion stolen passwords analyzed, nearly a quarter (230 million) met these standards. Most of them, however, are basic terms padded with a capital, a digit and a symbol to satisfy the rules; they are not truly complex, because the resulting variants are themselves common.
Specops therefore highlights the main “stolen passwords that would pass the complexity rules in many organizations”:
- Pass@123
- P@ssw0rd
- Aa@123456
- Admin@123
- Aa123456@
- Pass@1234
- Abcd@1234
- Demo@123
- Password@123
- India@123
Organizations and businesses are therefore advised to block weak passwords with a custom exclusion dictionary.
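To show why the ten passwords above pass a complexity policy yet should still be blocked, here is an added Python example (not code from Specops or from the report). It implements the complexity rules the report describes, then layers a custom exclusion dictionary on top: the dictionary entries, the leet-substitution table and the sequence check are assumptions chosen for illustration, and a real deployment would load a much larger word list.

```python
import re
import unicodedata
from typing import Optional, Tuple

# The ten passwords the report lists as passing common complexity rules (taken from the page).
REPORT_SAMPLES = [
    "Pass@123", "P@ssw0rd", "Aa@123456", "Admin@123", "Aa123456@",
    "Pass@1234", "Abcd@1234", "Demo@123", "Password@123", "India@123",
]

# Hypothetical custom exclusion dictionary: base words an organisation chooses to block.
# A real deployment would load thousands of entries (company name, products, common words).
EXCLUSION_DICTIONARY = {"password", "pass", "admin", "demo", "india", "abcd", "qwerty", "welcome"}

# Substitutions users make to satisfy "one digit, one symbol" rules without changing the base word.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_complexity_rules(pw: str, min_len: int = 8) -> bool:
    """The 'standard complexity requirements' the report describes:
    at least min_len characters, one uppercase letter, one digit, one special character."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Lower-case, strip accents and undo leet substitutions so 'P@ssw0rd' becomes 'password'."""
    folded = unicodedata.normalize("NFKD", pw).encode("ascii", "ignore").decode()
    return folded.lower().translate(LEET_MAP)


def blocked_word(pw: str) -> Optional[str]:
    """Return the longest dictionary word found in the raw or normalized password, else None."""
    views = (pw.lower(), normalize(pw))
    for word in sorted(EXCLUSION_DICTIONARY, key=len, reverse=True):
        if any(word in view for view in views):
            return word
    return None


def sequential_run(pw: str, length: int = 4) -> Optional[str]:
    """Return a run of `length` consecutive ascending or descending characters ('1234', 'dcba'), else None."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return window
    return None


def evaluate(pw: str) -> Tuple[bool, str]:
    """Apply the complexity rules first, then the exclusion dictionary and the sequence check."""
    if not meets_complexity_rules(pw):
        return False, "fails complexity rules"
    word = blocked_word(pw)
    if word:
        return False, f"blocked base word '{word}'"
    run = sequential_run(pw)
    if run:
        return False, f"sequential run '{run}'"
    return True, "accepted"


if __name__ == "__main__":
    # Every report sample passes the complexity rules and is still rejected by the dictionary layer.
    for pw in REPORT_SAMPLES + ["correct-Horse7-battery"]:
        ok, reason = evaluate(pw)
        print(f"{pw:24} complexity={str(meets_complexity_rules(pw)):5} verdict={reason}")
```

The order of the checks matters for the feedback users get: the complexity rules run first so that a rejection message names the real problem (a guessable base word such as "password" behind "P@ssw0rd") rather than a missing symbol.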
Hashing algorithms are not foolproof
All the passwords listed above would be cracked instantly. Even when a company protects credentials with a hashing algorithm, so that the stored values are not readable as plain text, it remains advisable to adopt long and complex passwords, or better still, passphrases. The table presented in the image on the front page, for example, gives the cracking time for different types of passwords: long or short, with or without letters, numbers, capital letters and special characters. With SHA-256, a hashing algorithm described as “relatively modern” and “still widely used in many environments”, any password of 6 to 9 characters is cracked almost instantly.
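The cracking-time table referred to above is an image that does not survive on this page, so the following added Python example (not from Specops or the report) rebuilds the underlying arithmetic: how the candidate space grows with character set and length, and how that translates into time at a given guessing rate. The rate constant is an assumption for illustration only, chosen to be in the order of magnitude of a fast unsalted hash such as SHA-256 on GPU hardware; the report's table uses its own hardware benchmark, which the page does not state, and every figure below scales linearly with the rate.

```python
from typing import Dict, Tuple

# Character-class sizes for the password "types" a cracking-time table distinguishes.
CHARSETS: Dict[str, int] = {
    "digits only": 10,
    "lowercase": 26,
    "lowercase + digits": 36,
    "upper + lower + digits": 62,
    "upper + lower + digits + specials": 95,   # printable ASCII
}

# Assumed guessing rate in hashes per second. Illustrative assumption, not a figure from the report.
ASSUMED_RATE = 1e10


def keyspace(alphabet_size: int, length: int, include_shorter: bool = True) -> int:
    """Candidates an exhaustive search must try for passwords up to (or exactly) `length` characters."""
    if include_shorter:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = ASSUMED_RATE) -> float:
    """Worst-case time to try every candidate of the given class at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def describe(seconds: float) -> str:
    """Turn a duration into the kind of label a cracking-time table uses."""
    if seconds < 1:
        return "instant"
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def cracking_table(lengths=range(6, 13), rate: float = ASSUMED_RATE) -> Dict[Tuple[str, int], str]:
    """One label per (character class, length) cell, like the rows and columns of the report's table."""
    return {(name, n): describe(seconds_to_exhaust(size, n, rate))
            for name, size in CHARSETS.items() for n in lengths}


if __name__ == "__main__":
    lengths = list(range(6, 13))
    table = cracking_table(lengths)
    print("charset".ljust(36) + "".join(f"{n:>18}" for n in lengths))
    for name in CHARSETS:
        print(name.ljust(36) + "".join(f"{table[(name, n)]:>18}" for n in lengths))
```

The table makes the report's point visible: adding character classes multiplies the base, but adding length multiplies the exponent, which is why a long passphrase outlasts a short "complex" password regardless of the hash used.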
As Specops points out, “Attackers will always prefer to target easy targets and easy solutions.” Indeed, “a hacker would likely waste their time trying to crack a long, complex password hashed with SHA-256.” It is therefore worth encouraging end users to adopt long, strong credentials. However, “this effort is wasted if these users reuse these passwords across personal devices, sites, or applications with weak security.” Checking credentials against lists of compromised passwords is therefore a must for businesses; otherwise the scenario in the table below could quickly become reality.
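To illustrate the compromised-credential check recommended above, here is an added Python example (not code from Specops or the report) of the hash-prefix, or k-anonymity, lookup pattern: the client hashes the candidate password, reveals only the first few hex characters of the hash, receives every stored suffix sharing that prefix, and matches locally, so the full hash never leaves the client. The breach corpus is a constructed stand-in built from the five most stolen passwords and counts quoted on the page; the prefix length and function names are assumptions of this example.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for a breach corpus: the report's five most stolen passwords with the
# counts quoted on the page. A real corpus holds hundreds of millions of entries.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "123456": 3_700_000,
    "admin": 1_900_000,
    "12345678": 1_500_000,
    "password": 558_000,
    "Password": 474_000,
}

PREFIX_LEN = 5  # hex characters of the hash the client reveals (assumed value)

RangeIndex = Dict[str, List[Tuple[str, int]]]


def sha1_hex(pw: str) -> str:
    """SHA-1 is used here only as a lookup identifier for the range query, not as a storage hash."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> RangeIndex:
    """Server side: group (suffix, count) pairs by hash prefix."""
    index: RangeIndex = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], count))
    return index


def range_lookup(index: RangeIndex, prefix: str) -> List[Tuple[str, int]]:
    """Server side: answer a prefix query. The server sees only the prefix, never the full hash."""
    return index.get(prefix.upper(), [])


def compromised_count(pw: str, index: RangeIndex) -> int:
    """Client side: send only the prefix, match the suffix locally. Returns 0 when not found."""
    digest = sha1_hex(pw)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in range_lookup(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def check_on_change(pw: str, index: RangeIndex) -> Tuple[bool, str]:
    """Policy hook for password set or reset: reject anything present in the corpus."""
    n = compromised_count(pw, index)
    if n:
        return False, f"rejected: seen {n:,} times in stolen-credential data"
    return True, "not found in compromised list"


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for pw in ["123456", "Password", "correct-Horse7-battery"]:
        print(pw, "->", check_on_change(pw, index)[1])
```

Because the match is case-sensitive on the full hash, "password" and "Password" are looked up as two different entries, which mirrors how the report counts them separately; the check belongs at password creation and reset time, and ideally also on a periodic sweep as new stolen-credential data arrives.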