The 2025 Breached Password Report from the Specops Software research team has been published.
It is an analysis of more than a billion passwords that have been stolen by malware.
According to a senior product manager at Specops Software, even if your organization's password policy is strong and meets compliance standards, "this won't protect passwords from being stolen by malware."
In total, 1,089,342,532 stolen passwords, captured over 12 months, were analyzed for this report. Across 2024, the Specops threat intelligence team collected data on the theft of credentials by malware, data that was then analyzed to provide insight into how users are choosing and abusing passwords.
The key players in the cybercriminal ecosystem are hackers, initial access brokers, and the low-level threat actors who deploy malware. Initial access brokers specialize in trading stolen credentials, including passwords, to hackers, who then use them to gain initial access to targeted networks or accounts. Initial access brokers obtain their stolen passwords from low-level threat actors who use malware, specifically "infostealers", to harvest them.
The Specops researchers found that of the more than a billion compromised passwords analyzed, 230 million met the standard complexity requirements that many organizations enforce and that many consumers therefore follow. The analysis also found that more than 350 million passwords in the dataset exceeded 10 characters, and 92 million of those were 12 characters long. Davey Winder, "New Security Alert—1 Billion Passwords Stolen By Malware, Act Now," www.forbes.com (Jan. 24, 2025).
Commentary
Although "long and strong" remains valid advice for password construction, changing those passwords regularly and never reusing the same password are the next two most important actions to take to strengthen your cyber defenses.
As this report shows, many of the stolen passwords were "long and strong." However, the longer the password remains unchanged, the greater the risk of a cyber breach.
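The report's finding that hundreds of millions of stolen passwords met standard complexity rules is the reason a policy check alone is not enough: a compliant password can already be sitting in an infostealer dump. The following Python sketch is an added illustration, not code from the report or from Specops. It applies a typical "minimum length plus three of four character classes" rule and then a separate membership check against a list of compromised passwords. The breached list here is constructed for the example, the policy thresholds are assumptions, and a real deployment would load hashes from a vetted compromised-credential feed rather than hard-coding them.

```python
import hashlib
import re

# Constructed sample standing in for a compromised-password feed (assumption:
# a real deployment loads hashes from a vetted list, never hard-codes them).
CONSTRUCTED_BREACHED_PASSWORDS = [
    "Password123!",   # fully "compliant" and still widely leaked
    "Welcome2024!",
    "Summer2024!!",
    "qwerty",
]


def sha256_hex(password: str) -> str:
    """Hash the candidate so the plaintext list need not be kept in memory."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Store only digests of the compromised list.
BREACHED_HASHES = {sha256_hex(p) for p in CONSTRUCTED_BREACHED_PASSWORDS}


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """Typical policy: at least min_length characters and three of four classes."""
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return len(password) >= min_length and sum(1 for c in classes if c) >= 3


def is_breached(password: str) -> bool:
    """True if the password appears in the compromised set (by hash)."""
    return sha256_hex(password) in BREACHED_HASHES


def evaluate(password: str) -> dict:
    """Run both checks; accept only when compliant AND not already compromised."""
    compliant = meets_complexity(password)
    breached = is_breached(password)
    return {
        "length": len(password),
        "meets_complexity": compliant,
        "breached": breached,
        "accept": compliant and not breached,
    }


if __name__ == "__main__":
    for pw in ["Password123!", "correct-horse-battery-staple-77", "qwerty"]:
        print(pw, evaluate(pw))
```

The point the output makes is the report's point: "Password123!" passes the complexity rule and is still rejected, because it is on the compromised list, while a long passphrase that is not in the list is accepted. Policy compliance and breach exposure are independent properties, and a defender has to test for both.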
Password managers have emerged as critical tools for individuals and organizations to manage strong, unique passwords without needing to remember them all. These tools generate, store, and autofill complex passwords, significantly reducing human error and improving security. See https://www.army.mil/article/280417/secure_our_world_cecom_recommends_strong_passwords_and_password_managers#:~:text=Password%20managers%20have%20emerged%20as,human%20error%20and%20improving%20security.
Here are some signs your device may have a malware infection:
- Slowing down or crashing more than normal
- Displaying frequent error messages
- Failing to shut down or restart
- Displaying numerous pop-up messages
- Opening web pages you did not visit or sending emails you did not write
- New toolbars or icons showing up unexpectedly
- Your Internet home page changing suddenly and repeatedly
- Your laptop battery draining more quickly than normal
- Windows opening, claiming to scan your computer for viruses and finding an unrealistically large number
- Black screens opening and closing when you start the computer
- Emails being returned with virus warnings
- Icons moving when you try to click on them