6 billion leaked passwords reveal the ones you should never, ever use
In summary:
- PCWorld reports that analysis of 6 billion leaked passwords reveals the top stolen credentials are predictable sequences like ‘123456’, ‘password’, and ‘admin’.
- Five major infostealer malware families, led by LummaC2 with over 60 million stolen passwords, compromised nearly 100 million login details in 2025.
- Users should employ password managers, enable two-factor authentication, and avoid common eight-character patterns to protect against increasingly sophisticated cybersecurity threats.
Over the course of the past year, security researchers at Specops Software examined six billion leaked passwords and subsequently published a comprehensive report on their findings. This report not only provides insight into the most commonly used passwords, but also into the current threat posed by leaks.
These are the most frequently stolen passwords
Unfortunately, the top five most stolen passwords show that few users have learned their lesson in recent years. As before, the passwords are as follows:
- 123456
- 123456789
- 12345678
- admin
- Password
It’s alarming that most people apparently do not even bother to choose individual words as passwords. In addition to the five most common passwords, the researchers also frequently discovered password combinations with words such as hello, welcome, guest, or student.
This suggests that these are not only private accounts, but also company, university or public access data. The ever-popular “qwerty” is also represented again, i.e. simply the first six letters of a keyboard that uses an English layout.
Passwords ending in “@123” or “@1234” are also frequently used. These are often preceded by a name, a country or a standard word such as “hello” or “hola”. Here, too, users are proving to be rather uncreative. The researchers also point out that it is not enough to use “more complex passwords” with a capital letter and a special character if they always follow the same pattern.
Interestingly, the most common password length in the analysis is exactly eight characters. Just under a sixth of the passwords reach this length, though this is probably due to the fact that “password” has exactly eight letters. Shorter passwords with seven or fewer characters are comparatively unpopular.
These are the most dangerous infostealers
In addition, the researchers indicated which infostealers stole the most data from the set between January and December 2025:
- LummaC2: 60,934,662 stolen passwords
- RedLine: 31,144,858 stolen passwords
- Vidar: 5,965,748 stolen passwords
- StealC: 3,441,423 stolen passwords
- Raccoon Stealer: 1,656,673 stolen passwords
Together, these five malware families alone are responsible for the theft of nearly 100 million login details. Password leaks therefore often occur on a large scale and affect millions of people at once, as this FBI-powered leak in December shows.
Less tech-savvy users, who are often victims of phishing campaigns, are said to be particularly at risk. Researchers also consider the threat posed by Lumma Stealer to be particularly serious, as it has risen significantly in the list of the most dangerous programs. The top providers of infostealers are also developing increasingly effective packages that bundle various offerings.
How to protect yourself
Both private users and system administrators should make sure to use secure and complex passwords that do not follow a common pattern. It is best to use a password manager to create and store important access data.
In addition, it can help to use two-factor authentication. Also, avoid passwords that have already been leaked. For example, you can check whether your password has been stolen in the past via the Have I Been Pwned website.
Regular password resets and updates should also protect against theft. Admins can set specific guidelines for this, for example, once a year or once every x months.
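For admins who want to enforce the "no common pattern" advice, here is an added example (not code from Specops or PCWorld) that screens a candidate password for the patterns listed in this article and shows that a password can satisfy a typical complexity rule while still matching them. The function names, the finding labels and the keyboard/alphabet sequence list are assumptions made for the illustration.

```python
import re

# From the article: the five most stolen passwords, the frequently seen
# base words, and the "@123" / "@1234" suffix habit.
TOP_LEAKED = {"123456", "123456789", "12345678", "admin", "password"}
BASE_WORDS = {"hello", "hola", "welcome", "guest", "student", "qwerty"} | TOP_LEAKED
SUFFIX_RE = re.compile(r"@1234?$")
# Assumption (not from the article): runs used to detect sequential input.
SEQUENCES = ("0123456789", "qwertyuiop", "abcdefghijklmnopqrstuvwxyz")


def passes_naive_complexity(pw):
    """Typical composition rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def is_sequence(s, min_len=4):
    """True if s is one contiguous forward or backward run of a known sequence."""
    return len(s) >= min_len and any(s in q or s in q[::-1] for q in SEQUENCES)


def pattern_findings(pw):
    """Return the article's patterns that a candidate password matches."""
    low = pw.lower()
    findings = []
    if low in TOP_LEAKED:
        findings.append("top-leaked")
    if is_sequence(low):
        findings.append("sequence")
    if SUFFIX_RE.search(low):
        findings.append("at-123-suffix")
    # Strip trailing digits and symbols to expose the base word,
    # e.g. "Welcome@123" -> "welcome".
    stem = re.sub(r"[^a-z]+$", "", low)
    if stem in BASE_WORDS:
        findings.append("common-base-word")
    return findings


if __name__ == "__main__":
    # Constructed sample candidates, not real leaked data.
    for candidate in ("Welcome@123", "Hola@1234", "123456", "r7#Tq!vZ2m$Lp9"):
        print(candidate, passes_naive_complexity(candidate), pattern_findings(candidate))
```

A pattern screen like this complements a lookup against known-leaked passwords and does not replace it.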
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.
Author: Laura Pippig, Staff Writer, PC-WELT
