Archive for Specops

Love, Fandom, and Hackers: The Romantic Passwords Cybercriminals Can’t Resist

Posted in Commentary with tags on February 11, 2026 by itnerd

New research from Specops Software shows that love-themed passwords are still extremely common, despite years of warnings from security experts. In fact, across a database of breached and compromised passwords, the word “love” appeared more than 4.7 million times — making it one of the most predictable (and hackable) choices users continue to rely on.

Additionally, terms from classic literature such as Wuthering Heights and from popular romance-themed TV shows like Heated Rivalry appear frequently, suggesting that people often choose passwords based on beloved characters, themes, and fandom references.

The top 5 romance pop-culture breached passwords right now are: 

  1. ilya – 233,702
  2. shane – 105,429 
  3. hockey – 67,658 
  4. boston – 34,886 
  5. catherine – 25,143 

This may seem like a harmless trend at first glance, but predictable passwords are always a problem because they are easier to crack in attacks. When users create romantic passwords based on love, names, pop culture, or seasonal events, they reduce the number of guesses an attacker needs.

The full details of this analysis can be found here: https://specopssoft.com/blog/romantic-passwords-cybercriminals-love/

Understanding Cyber Risk in the Insurance Industry

Posted in Commentary with tags on February 6, 2026 by itnerd

Cyber risk is one of the most significant threats facing financial services, with insurers among the most frequently targeted organizations. Over the past year, there has been a notable increase in the number of attacks on the insurance industry, with several major insurers having reported major cybersecurity incidents, including Allianz Life Insurance, Aflac, Philadelphia Indemnity Insurance, and Erie Insurance.

In response to this, Specops Software has published a look at cyber risk in the insurance industry. You can read it here: https://specopssoft.com/blog/cyber-risk-insurance-industry/

Specops 2026 Breached Password Report: A Year’s Worth of Malware-Stolen Credentials

Posted in Commentary with tags on January 20, 2026 by itnerd

Specops Software has published its annual Breached Password Report 2026. With credential abuse remaining one of the most reliable and scalable initial access methods available to attackers, this report dives deeply into a year’s worth of malware-stolen credentials.

The data in this research comes from the Outpost24 Threat Intelligence Team, which found that over 6 billion stolen passwords were captured during 2025. The research looks at which credential-stealing malware was most prolific in the year, which password lengths were most commonly compromised, which base words were most often used in compromised passwords, and more.

You can read the report here: https://specopssoft.com/our-resources/most-common-passwords/

From 2025 to 2026: Identity Security Insights and Priorities 

Posted in Commentary with tags on December 17, 2025 by itnerd

Specops Software analysts have published an analysis on the evolution of identity and password security in 2025, and the outlook for 2026. 

The piece highlights several major shifts seen over the past year:

  • Identity and access management is now being treated as an organization-wide business risk, not just an IT issue
  • Third-party access and supply-chain relationships have emerged as one of the most significant identity threat vectors
  • Regulatory pressure is increasing around MFA and supplier security, particularly in data-heavy sectors like healthcare
  • Passwordless authentication is advancing, but operational realities mean passwords are unlikely to disappear in 2026
  • Cybersecurity culture and user training are increasingly critical as AI-driven social engineering accelerates

For full details, please see the analysis here: https://specopssoft.com/blog/identity-security-insights-priorities-2026/

800M Credentials Analyzed – Which Breached Holiday Passwords Made the Naughty List?

Posted in Commentary with tags on November 13, 2025 by itnerd

With the holiday season rapidly approaching, Specops researchers wanted to find out how many people previously used this time of year as inspiration for passwords that ended up breached.

In analyzing 800 million compromised passwords, the researchers found 750,000 instances where end users picked memorable, festive passwords that ended up on breached lists, creating security blind spots.

This research coincides with the latest addition of over 203 million new, unique compromised passwords to the Specops Breached Password Protection service. These passwords come from a combination of breached password lists, our honeypot network, and threat intelligence sources.

You can read the research here: Breached holiday passwords: Which made the naughty list?

Specops Research: Cracking Bcrypt: Is New-Gen Hardware/AI Making Password Hacking Faster?

Posted in Commentary with tags on September 16, 2025 by itnerd

Almost two years ago, the Specops research team analyzed how long it took to crack passwords hashed with the bcrypt algorithm.

Using newer, more powerful hardware, the researchers revisited that earlier work and produced a new table of bcrypt cracking times in the just-published report Cracking bcrypt: New-gen hardware speeds up password hacking. The reason for the revisit is two-fold: the AI boom has caused a glut of consumer hardware, and there is an ongoing arms race in consumer graphics performance.

The focus on compute power for both consumers and enterprises, whether for general-purpose compute (GPGPU) or for training LLMs, has caused arguably all three major graphics vendors to focus more heavily on compute performance than they may have in the past. This shows in the performance of Nvidia’s recent 50-series, as well as AMD’s upcoming transition to the ‘UDNA’ architecture. The Specops research team investigated what this boom and renewed focus on compute means for the difficulty of cracking a leaked password hash, and for the future security of passwords.

Short, non-complex passwords can still be cracked relatively quickly, highlighting the huge risk of allowing users to create weak (yet very common) passwords such as ‘password’, ‘123456’, and ‘admin’. However, the high cost factor of bcrypt makes longer passwords extremely secure against brute-force attacks thanks to its deliberately slow hashing algorithm. Once a mix of character types is used in passwords over 12 characters in length, cracking them quickly becomes a near-impossible task for hackers. This shows the value of enforcing longer passwords.

This research coincides with the latest addition of over 70 million compromised passwords to the Specops Breached Password Protection service. These passwords come from a combination of our honeypot network and threat intelligence sources.

To view the complete Specops research report, visit Cracking bcrypt: New-gen hardware speeds up password hacking.

Specops Posts New Report Called “Securing the Service Desk”

Posted in Commentary with tags on September 12, 2025 by itnerd

Service desks have evolved from internal support functions into prime hunting grounds for cybercriminals. Armed with AI vishing technologies and carefully crafted social engineering scripts, attackers are systematically targeting the human element of cybersecurity. 

These cybercriminals are weaponizing people’s instinct to help, turning IT staff into accidental accomplices who hand over password resets, disable multi-factor authentication, and grant privileged access. Unfortunately, too many organizations are leaving their staff open to these threats. Traditional technical defenses that cost thousands to implement can be bypassed with a convincing voice, a few publicly available details, and exploitation of predictable human psychology. It’s a simple but effective attack methodology that demands immediate attention.

In a newly published report, Securing the Service Desk, Specops Software uses forensic analysis of recent high-profile breaches to show how verification failures cascade into operational disasters.

The new report details: 

  • Real-world case studies from M&S, Clorox, Google, Air France-KLM, MGM Resorts, and other major breaches 
  • Why AI voice cloning and social engineering are so effective against service desks 
  • The three-pillar defense strategy that stops social engineering attacks  
  • Five immediately actionable steps to make a vulnerable process secure  
  • How to implement phishing-resistant verification that can’t be bypassed 

The full report is here.

Specops uReset Now Supports Entra ID Customers with 24/7 Self-Service Password Resets

Posted in Commentary with tags on August 27, 2025 by itnerd

Today, Specops Software, an Outpost24 company and leading provider of password and identity management solutions, announced that Specops uReset, the company’s self-service password reset (SSPR) solution, now supports cloud-only Entra ID environments, joining Specops Secure Service Desk in enabling organizations across on-premises, hybrid, and cloud infrastructures.

With Specops uReset, customers can access self-service password resets from any browser or device. Whether organizations are fully remote, hybrid, or distributed across multiple locations, uReset eliminates the frustration of password-related downtime while reducing IT overhead costs. Considering that 94% of organizations use at least some form of cloud computing, the expansion of Specops Software’s SSPR solution to include Entra ID-enabled organizations comes at a critical time.

According to Gartner, 40% of all IT help desk calls are related to passwords, making password management one of the most persistent and costly challenges for IT teams. By shifting these calls to a secure, self-service model, uReset allows organizations to free up IT resources for strategic priorities while providing users with faster, more reliable access to their accounts. With this latest release, uReset brings enterprise-grade self-service password reset capabilities directly to Entra ID customers, extending beyond native options with:

  • Flexible MFA with 20+ authenticators (including Microsoft Authenticator, Okta, Duo Security, YubiKey, and Specops:ID)
  • Dynamic end-user feedback during password creation
  • Breached password protection against Specops’ database of 4+ billion compromised credentials
  • Simple, privacy-first enrollment

To learn more about Specops uReset for Cloud, click here.

How one weak password destroyed KNP

Posted in Commentary with tags on August 6, 2025 by itnerd

Businesses fail all the time, for all sorts of reasons. So, when a business like Knights of Old (trading as KNP Logistics Group) survives a century and a half, through enough recessions, wars, government changes, and technological advances to fill many history books, it would be fair to say it’s pretty resilient. Sadly, it would be something far smaller and simpler that signalled the end of KNP – a weak password.

In June 2025, the 158-year-old British transport firm collapsed under the weight of a devastating ransomware attack that began with one guessed password. The breach not only encrypted every corner of the company’s digital estate but also obliterated its backups and disaster recovery systems, forcing KNP to enter administration and leaving some 700 employees without jobs.

In an analysis published this week, Specops Software experts dug into what exactly happened in the KNP attack, how the threat actor behind it, Akira, operates, how it all could have been avoided, and the wider ransomware landscape.

For full details, please find the analysis here: https://specopssoft.com/blog/weak-password-destroyed-knp-lessons/

Heatmap of 10 Million Breached Passwords: 98.5% are Weak 

Posted in Commentary with tags on July 15, 2025 by itnerd

The Specops Software research team has released a new research report titled “Heatmap of 10 million breached passwords: 98.5% are weak.”

The report is based on an analysis of 10 million passwords sampled at random from the 1 billion+ breached password list used by Specops Password Auditor; all are real compromised passwords captured by Specops.

In a visual heatmap that mapped out common length and complexity combinations, the researchers found that only 1.5% of these 10 million passwords could be considered ‘strong.’ The findings show that organizations are still allowing users to create weak passwords that could be used as simple attack routes for hackers.
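As an added example (not Specops’ code or the report’s method), the script below rebuilds the kind of length-by-complexity grid the report describes from a small constructed sample; the bucket boundaries and the ‘strong’ thresholds (12+ characters with three or more character classes, or 16+ characters) are assumptions, not the report’s definitions.

```python
"""Length x complexity heatmap of a password sample (added example, not
Specops' code). Bucket edges and 'strong' thresholds are assumptions."""
from collections import Counter

LENGTH_BUCKETS = ("1-7", "8-11", "12-15", "16+")
STRONG_MIN_LENGTH = 12    # assumption: 12+ chars with 3+ classes counts as strong
STRONG_MIN_CLASSES = 3
PASSPHRASE_LENGTH = 16    # assumption: 16+ chars counts as strong on length alone


def length_bucket(pw: str) -> str:
    n = len(pw)
    return "1-7" if n < 8 else "8-11" if n < 12 else "12-15" if n < 16 else "16+"


def class_count(pw: str) -> int:
    """Number of character classes used: lower, upper, digit, other (symbol/space)."""
    return (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
            + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))


def is_strong(pw: str) -> bool:
    n, k = len(pw), class_count(pw)
    return n >= PASSPHRASE_LENGTH or (n >= STRONG_MIN_LENGTH and k >= STRONG_MIN_CLASSES)


def build_heatmap(passwords):
    """Counter keyed by (length bucket, class count): one entry per grid cell."""
    grid = Counter()
    for pw in passwords:
        if pw:                       # skip empty entries from a dirty list
            grid[(length_bucket(pw), class_count(pw))] += 1
    return grid


def strong_share(passwords) -> float:
    """Fraction of non-empty passwords that meet the (assumed) strong rule."""
    pws = [p for p in passwords if p]
    return sum(is_strong(p) for p in pws) / len(pws) if pws else 0.0


def render(grid) -> str:
    """Text rendering of the grid: rows are length buckets, columns class counts."""
    lines = ["length   " + "".join(f"{k} cls".rjust(8) for k in range(1, 5))]
    for b in LENGTH_BUCKETS:
        lines.append(f"{b:<9}" + "".join(str(grid[(b, k)]).rjust(8) for k in range(1, 5)))
    return "\n".join(lines)


# Constructed sample for illustration, not data from the report.
SAMPLE = ["password", "123456", "admin", "Summer2025", "ilya", "hockey", "Wuthering1847!",
          "Xk9#mQ2$vL7pRt", "boston", "P@ssw0rd", "catherine", "correct horse battery staple"]

if __name__ == "__main__":
    print(render(build_heatmap(SAMPLE)), f"\nstrong: {strong_share(SAMPLE):.1%}")
```

The last sample, a long lowercase passphrase, is why the rule lets length alone qualify: a class-count check on its own would mark it weak.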

The research coincides with the latest addition of over 13 million compromised passwords to the Specops Breached Password Protection service. These passwords come from a combination of our honeypot network and threat intelligence sources.

Commenting on the report, Darren James, Senior Product Manager, said: “Despite years of training, many users still choose weak, easily guessed combinations that cybercriminals can crack in seconds. To bring this risk into sharp relief, our research team analyzed 10 million real-world passwords and plotted them on a heatmap measuring strength by both length and complexity. This visual ‘strength landscape’ shows how organizations need to adjust their password policies to move end users’ Active Directory passwords away from the zone of risk into the zone of security.”