According to the 2025 Specops Breached Password Report, the 12-month period that ended in December 2024 saw more than one billion passwords (1,089,342,532) stolen or otherwise compromised due to malware.
Weak passwords, including “123456,” “admin,” and notably “password,” were still seen as being among the major factors leading to stolen passwords, and with them, user data. Such weak passwords were employed even when IT staff had told employees not to use them.
Security experts have long encouraged users to create and use more robust passwords, and not to use the same password for multiple accounts. Birthdays, anniversaries, favorite sports teams, and names of family pets have also been seen as falling into the “weak category.”
More Than Just Robust Passwords Needed
The report found that of the billion stolen passwords, more than a quarter – approximately 230 million – met the standard complexity requirements. That includes being over eight characters, having a capital letter, a number, and even a special character. According to Specops Software, simply meeting password security standards isn’t enough to protect accounts.
Increasingly, hackers and cybercriminals have favored malware-stolen credentials. According to Specops Software, these are easy to obtain, use, and sell.
“Redline” was cited as one of the most popular stealers in the research, which further highlighted that even strong passwords can be stolen by malware; the report described this as rendering hashing algorithms obsolete. It suggested that end-user accounts should be secured with multi-factor authentication (MFA).
“The amount of passwords being stolen by malware should be a concern for organizations,” said Darren James, Specops Software senior product manager, via an emailed statement.
“Even if your organization’s password policy is strong and meets compliance standards, this won’t protect passwords from being stolen by malware,” James added.
The report noted that many stolen passwords in this dataset exceeded the length and complexity requirements in common cybersecurity regulations. One factor may be that users find it difficult to keep track of passwords, and thus fall back on ones they can remember. But malware makes it easy for hackers to steal the passwords outright, regardless of their strength.
“We also know password reuse is extremely common, so it’s possible end users are reusing work passwords on personal devices, applications, and websites with weak security which are more vulnerable to malware,” James continued. “It’s vital you have a way to check your Active Directory for compromised passwords that hackers could use also in 2025 as a relatively simple entry point into your organization.”
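The kind of check James describes, comparing the passwords in use against a feed of known-breached ones, is shown below as an added example; it is not code from Specops or from the article. The breach corpus is constructed inline with made-up prevalence counts, and the lookup uses the k-anonymity pattern (hash the password, send only the first five hex characters of the hash, compare the remaining suffix locally) so that neither the password nor its full hash leaves the client. The `CONSTRUCTED_BREACH_CORPUS`, `lookup_range` and `audit` names are this example's own.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus (not real breach data): a few weak passwords with
# made-up prevalence counts, standing in for a breached-password feed.
CONSTRUCTED_BREACH_CORPUS = {
    "123456": 5_000_000,
    "password": 3_000_000,
    "admin": 800_000,
    "Password1!": 120_000,  # satisfies typical complexity rules, yet breached
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form used for range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index hashes by their first 5 hex chars, as a k-anonymity range service does."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def lookup_range(prefix: str) -> dict:
    """Stand-in for the network range query: every suffix sharing `prefix`.

    Only the 5-char prefix is sent; the caller matches the suffix locally.
    """
    return dict(RANGE_INDEX.get(prefix, {}))


def compromised_count(password: str) -> int:
    """How many times the password appears in the (constructed) breach feed."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return lookup_range(prefix).get(suffix, 0)


def meets_complexity(password: str) -> bool:
    """The 'standard' rule set the report describes: >8 chars, upper, digit, special."""
    return (
        len(password) > 8
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def audit(passwords: list) -> dict:
    """Per-password verdict: complexity and breach status are independent questions."""
    return {
        pw: {
            "meets_complexity": meets_complexity(pw),
            "breach_count": compromised_count(pw),
        }
        for pw in passwords
    }


if __name__ == "__main__":
    for pw, verdict in audit(["password", "Password1!", "xQ7#vLp2!mRt9z"]).items():
        print(f"{pw!r:20} complexity={verdict['meets_complexity']} "
              f"breached={verdict['breach_count']}")
```

Note that "Password1!" passes the complexity test and is still flagged, which is the report's point about the 230 million compliant-but-stolen passwords. A real Active Directory audit works the same way but compares the NT hashes AD actually stores against a feed in that format, rather than SHA-1 of the plaintext.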
Are Strong Passwords Enough?
Other security researchers have said that the biggest problem is still weak passwords and that alternatives aren’t being employed.
“Absolutely no surprises here. This is the same type of data I could have produced over three decades ago,” warned Roger Grimes, data-driven defense evangelist at KnowBe4. “There are four basic types of password attacks: theft, guessing, password hash theft/cracking, and password bypass/reset. Only two of these attacks care about how long or complex your password is: guessing and password hash cracking.”
Grimes told ClearanceJobs that the other two, password theft and bypass/reset, don’t depend on password strength at all; they work regardless.
“You can have the strongest password in the world and they will just steal it or bypass it. But guessing and hash cracking do succeed or fail based upon how strong your password is,” noted Grimes. “In my analysis, a password needs to be 12 characters or longer – and be completely random – to withstand today’s guessing/cracking attacks.”
The issue is that when a person makes up a password in their head, it isn’t fully random. In that case, it should be 20 characters or longer to withstand guessing and cracking.
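The two length figures above (12 random characters, or 20 human-chosen ones) follow from how many guesses an attacker must make. The following added example, not from the article or from KnowBe4, works that arithmetic through: it computes the entropy and expected cracking time of a uniformly random password, and the per-character entropy a human-chosen password would need to match it. The guess rate of 10^12 per second and the 4 bits per character assigned to a human-chosen password are assumptions for illustration, not figures from the report.

```python
import math

# Assumption (not from the article): an attacker guessing against a fast,
# unsalted hash at one trillion guesses per second. Real rates vary with the
# hash algorithm and hardware; change this constant to model another case.
ASSUMED_GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Sizes of common character sets a random password can draw from.
ALPHABET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits": 62,
    "printable_ascii": 95,
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(length: int, alphabet_size: int,
                            guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to guess a uniformly random password.

    On average the attacker searches half the keyspace before hitting it.
    """
    keyspace = alphabet_size ** length
    return (keyspace / 2) / guesses_per_second / SECONDS_PER_YEAR


def implied_bits_per_char(random_length: int, alphabet_size: int,
                          human_length: int) -> float:
    """Per-character entropy a human-chosen password of `human_length` must
    carry to equal a random password of `random_length` over the alphabet."""
    return entropy_bits(random_length, alphabet_size) / human_length


def human_length_for_equivalent_strength(random_length: int, alphabet_size: int,
                                         bits_per_human_char: float) -> int:
    """Length a human-chosen password needs, given an assumed per-character
    entropy, to match the random password's total entropy."""
    target = entropy_bits(random_length, alphabet_size)
    return math.ceil(target / bits_per_human_char)


if __name__ == "__main__":
    printable = ALPHABET_SIZES["printable_ascii"]
    for n in (8, 12, 16):
        print(f"random {n} chars: {entropy_bits(n, printable):5.1f} bits, "
              f"~{expected_years_to_crack(n, printable):.3g} years at 1e12 guesses/s")
    # Assumed 4 bits per human-chosen character: how long must such a
    # password be to equal 12 random printable-ASCII characters?
    print("human-chosen length needed:",
          human_length_for_equivalent_strength(12, printable, 4.0))
```

With these assumptions an 8-character random password over the 95 printable ASCII characters falls in well under a year, while 12 characters push the expectation past several thousand years, and matching that with a human-chosen password at roughly 4 bits per character requires 20 characters, the figure Grimes gives. The point of the function `implied_bits_per_char` is the reverse calculation: the 12-versus-20 rule implicitly values a human-chosen character at about 4 bits, well under the 6.6 bits a truly random printable character carries.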
Password Alternatives
However, the issue still comes back to the reliance on passwords.
Paul Bischoff, consumer privacy advocate at cybersecurity provider Comparitech told ClearanceJobs that efforts are being made to find alternatives that could provide more robust protections.
“We’re slowly but surely replacing passwords with more secure alternatives like one-time codes, biometric scans, and USB keys,” Bischoff explained. “It doesn’t matter how long or complicated your password is if someone steals it through a data breach or keylogging malware.”
Yet that doesn’t mean hashing is “obsolete,” even for those who need to change passwords regularly.
“Hashing is still extremely important for any organization that needs to store passwords securely,” added Bischoff. “Always use multi-factor authentication when possible to keep accounts secure.”
For those who have to manage several accounts daily, a password manager may be the best option.
“A password manager allows you to easily create and use strong random passwords that are different across every site and service,” said Grimes.
But it should still begin with robust passwords that are changed often.