Weak Passwords: Why Attention Is Required to Overcome Humanity’s Problem With This Security Basic

Darren James, a Senior Product Manager at Specops Software, an Outpost24 company, explains why attention is required to overcome the risks of weak passwords. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
Despite humanity’s incredible progress in science and technology, a deceptively simple yet essential skill continues to evade mastery—the secure use of strong passwords. Cybersecurity, especially passwords, should be straightforward. The first password was created in 1961 by Fernando Corbato, an MIT computer science professor. It allowed users to have files on a single console connected to a shared mainframe.
That was just over 60 years ago, and you’d have thought it was one of the oldest and simplest teachings in cybersecurity. With tireless efforts by security professionals to raise awareness about the importance of passwords, we should have passwords cracked – pardon the pun. In reality, most people still fall short with poor password hygiene, posing a significant challenge for modern businesses.
Password Struggles Are Real
The emphasis on password security stems from the fact that 88 percent of organizations rely on passwords as their primary authentication method to safeguard their systems. Yet when you look at the headlines around the latest major data breach, many trace back to human factors or errors, such as the use of stolen or compromised login credentials like usernames and passwords.
The research highlighted in the Specops 2025 Breached Password Report, which examined over 1 billion passwords (a subset of a larger 4 billion passwords), paints a clear picture of how bad the current situation is for businesses and passwords. The report found that individuals remain the weakest link in the security chain, with IT and security teams battling against the prolific use of weak or compromised passwords on a company’s network. For example, the top five stolen passwords are “123456,” “admin,” “12345678,” “password,” and “Password”—all common base terms that security-aware users would avoid using at all costs!
However, among the list of passwords analyzed, over 230 million conformed to the standard complexity requirements found in numerous organizations and used by many consumers, proving these ‘complexity’ requirements need updating. The standard rule is that a password should contain eight characters, a capital letter, a number, and a special character. Eight characters is the default password length requirement in the Active Directory, but even this can be guessed quickly if attackers use brute force techniques. This is because user-created passwords typically follow simple and predictable patterns.
Even when the password length is increased ever so slightly, it is still not secure enough. The analysis revealed over 350 million passwords in the dataset that were longer than 10 characters, with 92 million specifically being 12 characters long. This highlights that even if a password complies with an organization’s standards, it doesn’t guarantee security. Regardless of its length or complexity, any password can be stolen and compromised by malware.
Malware Stealing Credentials Is Now Endemic
A worrying finding from the same research was the number of passwords stolen by malware, over 1 billion. Stolen credentials are in high demand as they provide a simple and direct pathway to valuable data, including personal information, financial records, and corporate secrets. For instance, initial access brokers (IABs) specialize in trading stolen credentials on the dark web and underground forums.
By stealing such sensitive information, threat actors can launch more sophisticated attacks, like widespread phishing campaigns, or even access internal networks to leech and extract more information over time. The malware used to steal these credentials is known as infostealers. As the name suggests, they are designed to infect systems and steal sensitive information like usernames, passwords, payment card details, or general organizational data. The most popular infostealer malware for passwords is Redline, which accounted for nearly half of all the stolen passwords analyzed. Indeed, hackers have stolen 170 million unique sets of credentials in just six months with Redline. Other popular infostealers like Vidar and Raccoon Stealer were responsible for 17 percent and 11.7 percent of stolen passwords, respectively.
Reducing Password Risk
For organizations wanting to reduce password-related risks, there are two key strategies to implement. The first is to ensure that the Active Directory contains long, complex passwords to resist brute-force attacks. Password reuse also poses a significant risk. Even if a password is securely stored in one environment, reusing it on less secure platforms can expose organizations to breaches. Encouraging users to create unique, strong passphrases is essential for robust password security. For those unaware, a passphrase is a password of random whole words, usually three or four.
To further assist IT and security teams and to stop compromised passwords from being used, organizations must deploy dedicated tools to identify these passwords. The tools should be able to continuously scan and provide daily checks against an updated database of breached passwords. This proactive approach enables IT and security teams to locate compromised passwords in the Active Directory, detect potential security risks, and enforce immediate password changes for affected users at the next logon.
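The following checker is an added illustration, not code from Specops or from this article, of the two points above: a password can satisfy the legacy "eight characters, a capital, a number, a special character" rule and still be a predictable base term or sit in a breached list, while a random multi-word passphrase fails that rule yet passes a policy that blocks breached and predictable values. The breached set is a constructed sample (the five base terms the report names plus one compliant variant), the base-term list and the 12-character floor are assumptions, and hashes are compared so the plaintext list is never held in memory.

```python
import hashlib
import re
from typing import NamedTuple

MIN_LENGTH = 12  # assumed policy floor; the article gives no figure

# Constructed breached sample: the five base terms the report names plus one
# complexity-compliant variant, stored as SHA-1 digests rather than plaintext.
CONSTRUCTED_BREACHED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("123456", "admin", "12345678", "password", "Password", "Password1!")
}
# Assumed base terms users pad with a capital and a short suffix to satisfy rules.
COMMON_BASES = {"password", "admin", "123456", "12345678", "qwerty"}

class Verdict(NamedTuple):
    complexity_ok: bool   # meets the legacy 8-char / upper / digit / special rule
    breached: bool        # SHA-1 digest found in the breached set
    predictable: bool     # common base term plus a short trailing suffix
    accepted: bool        # final policy decision

def meets_legacy_complexity(pw: str) -> bool:
    """The 'eight characters, a capital, a number, a special character' rule."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))

def is_breached(pw: str, breached=CONSTRUCTED_BREACHED) -> bool:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest() in breached

def looks_predictable(pw: str) -> bool:
    """'Password1!' reduces to base 'password': rule-compliant but guessable."""
    base = pw.rstrip("0123456789!@#$%^&*.?_-").lower()
    return base in COMMON_BASES

def is_passphrase(pw: str, min_words: int = 3) -> bool:
    """Three or more whole words separated by spaces, hyphens, dots or underscores."""
    words = [w for w in re.split(r"[ \-_.]+", pw) if w.isalpha()]
    return len(words) >= min_words and len(pw) >= MIN_LENGTH

def evaluate(pw: str) -> Verdict:
    complexity = meets_legacy_complexity(pw)
    breached = is_breached(pw)
    predictable = looks_predictable(pw)
    strong_enough = is_passphrase(pw) or (complexity and len(pw) >= MIN_LENGTH)
    return Verdict(complexity, breached, predictable,
                   not breached and not predictable and strong_enough)

if __name__ == "__main__":
    for pw in ("Password1!", "Admin2025!", "Summer2024!", "correct-horse-battery"):
        print(f"{pw:24} {evaluate(pw)}")
```

Only the passphrase is accepted; the three rule-compliant passwords are rejected as breached, predictable, or too short respectively.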
Furthermore, rolling out organizational password policies with these tools should be simple for IT and security admins to enforce and easy for users to understand exactly what they need to do. Once integrated, organizations will have enhanced security that meets compliance with industry best practices and regulations while maintaining clear visibility into compromised passwords within their network.