The Specops Software research team has released a new research report titled “Heatmap of 10 million breached passwords: 98.5% are weak.”
The findings come from an analysis of 10 million random passwords drawn from the 1 billion+ breached password list used by Specops Password Auditor. All are real compromised passwords that have been captured by Specops.
In a visual heatmap that mapped out common length and complexity combinations, the researchers found that only 1.5% of these 10 million passwords could be considered ‘strong.’ The findings show that organizations are still allowing users to create weak passwords that could be used as simple attack routes for hackers.
The research coincides with the latest addition of over 13 million compromised passwords to the Specops Breached Password Protection service. These passwords come from a combination of our honeypot network and threat intelligence sources.
Commenting on the report, Darren James, Senior Product Manager, said: “Despite years of training, many users still choose weak, easily guessed combinations that cybercriminals can crack in seconds. To bring this risk into sharp relief, our research team analyzed 10 million real-world passwords and plotted them on a heatmap measuring strength by both length and complexity. This visual ‘strength landscape’ shows how organizations need to adjust their password policies to move end users’ Active Directory passwords away from the zone of risk into the zone of security.”
This entry was posted on July 15, 2025 at 8:00 am and is filed under Commentary with tags Specops.