
Security researchers at Specops Software analyzed a dataset of six billion leaked passwords over the past year, publishing a detailed report that sheds light on persistent password hygiene failures and the evolving threat landscape driven by large-scale credential theft. The findings illustrate how predictable password choices and industrialized malware campaigns continue to undermine account security across both personal and organizational environments.
The most frequently exposed passwords remain strikingly simple. The top five most stolen credentials in the dataset were “123456,” “123456789,” “12345678,” “admin,” and “Password.” The continued dominance of these strings indicates that a substantial number of users still rely on default-like or sequential number combinations rather than unique, complex credentials. Beyond these, researchers repeatedly observed generic words such as “hello,” “welcome,” “guest,” and “student,” suggesting that compromised accounts likely span not only private users but also corporate systems, educational institutions, and shared or public-access environments.
Keyboard patterns also remain common. Variants of “qwerty,” derived from the first row of letters on an English keyboard layout, continue to appear frequently in breach data. Another recurring pattern involves passwords ending in “@123” or “@1234,” often preceded by a name, country, or basic greeting such as “hello” or “hola.” According to the researchers, these constructions demonstrate that simply adding a capital letter or special character does little to improve security when users follow predictable templates that attackers can easily model.
Password length trends in the dataset were also notable. A significant share of passwords analyzed were exactly eight characters long, with just under one-sixth falling into this category. The prevalence of eight-character credentials may be influenced by legacy minimum-length requirements and the fact that common words like “password” fit this length exactly. Shorter passwords of seven characters or fewer were comparatively less common, but length alone did not correlate with strength when combined with highly predictable structures.
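The predictable templates described above (top leaked strings, sequential digits, keyboard-row walks, and the "word@123" suffix pattern) can be screened for at password-set time. The following is an added example written for this page, not code from Specops or the report; the word list and sample passwords are constructed from the strings the article names, and the category labels are hypothetical.

```python
"""Screen candidate passwords for the predictable templates the breach analysis
describes, and compute the length distribution of a password set."""
import re
from collections import Counter

# Constructed from the top-five strings and generic words named in the report.
KNOWN_LEAKED = {"123456", "123456789", "12345678", "admin", "password",
                "hello", "welcome", "guest", "student"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")   # English layout rows
# A short word (name, country, greeting) followed by "@123" or "@1234".
SUFFIX_TEMPLATE = re.compile(r"^[A-Za-z]{2,}@123(4)?$")


def is_sequential_digits(s):
    """True for runs like 1234567 or 7654321 (ascending or descending by one)."""
    if not s.isdigit() or len(s) < 4:
        return False
    diffs = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def is_keyboard_walk(s):
    """True when the alphabetic core (trailing digits stripped, e.g. qwerty123)
    is a contiguous run of at least four keys on one keyboard row."""
    core = re.sub(r"\d+$", "", s.lower())
    return len(core) >= 4 and any(core in row for row in KEYBOARD_ROWS)


def classify(password):
    """Return the matched template category, or None if no template matched.
    Case is ignored so that 'Password' and 'Qwerty' are caught as well."""
    p = password.lower()
    if p in KNOWN_LEAKED:
        return "known-leaked"
    if is_sequential_digits(p):
        return "sequential-digits"
    if is_keyboard_walk(p):
        return "keyboard-walk"
    if SUFFIX_TEMPLATE.match(password):
        return "word@123-template"
    return None


def length_histogram(passwords):
    """Map each observed length to its share of the set (e.g. {8: 0.5, ...})."""
    counts = Counter(len(p) for p in passwords)
    return {n: counts[n] / len(passwords) for n in sorted(counts)}
```

A real deployment would pair this with a full breach-corpus blocklist rather than the handful of strings embedded here.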
The report also highlights the malware ecosystem responsible for harvesting credentials. Between January and December 2025, five major infostealer families dominated password theft activity in the dataset: LummaC2 with 60,934,662 stolen passwords, RedLine with 31,144,858, Vidar with 5,965,748, StealC with 3,441,423, and Raccoon Stealer with 1,656,673. Collectively, these strains accounted for nearly 100 million compromised login credentials, underscoring the scale at which automated malware campaigns operate. Infostealers typically extract saved browser passwords, session cookies, and other sensitive data from infected machines, often after users are lured via phishing emails, malicious downloads, or fake software updates.
Researchers warn that less technically experienced users are particularly vulnerable, as they are more likely to fall victim to phishing schemes that deliver infostealer payloads. LummaC2, in particular, is described as an increasingly serious threat due to its rapid rise in activity and the broader trend of malware operators offering bundled, subscription-style toolkits that lower the barrier to entry for cybercriminals.
To mitigate risk, the report emphasizes the need for stronger credential practices at both the individual and organizational level. Unique, high-entropy passwords that do not follow common patterns are essential, and password managers are recommended to generate and securely store credentials. Enabling two-factor authentication adds a critical additional layer of defense, reducing the impact of password exposure alone. Users are also advised to avoid reusing credentials that have appeared in past breaches and to check for exposure using breach-notification services such as Have I Been Pwned.
Regular password updates can further limit the window of opportunity for attackers using previously stolen data. Organizations, in particular, are encouraged to enforce password policies that define complexity requirements and rotation schedules, while also investing in user education to reduce susceptibility to phishing and malware infections. Together, these measures address both the human and technical factors that continue to drive large-scale credential compromise.

