Fixing trivial passwords is as straightforward as 123456

How come it’s nonetheless attainable to ‘safe’ an internet account with a six-digit string?

07 Could 2026
 • 
,
4 min. learn

The most-used password globally is strictly what you assume it’s: ‘123456.’ That’s in accordance with NordPass’s newest annual report on passwords uncovered in information breaches globally. Different all-too-predictable selections, similar to ‘123456789’, ‘12345678’, ‘12345’ and ‘admin’, additionally show to have endurance yr after yr.

My first intuition is to dismiss this as scaremongering fodder, particularly on condition that poor password hygiene was additionally a part of a neighborhood engagement session I offered on the latest RSAC convention, Let’s Rant: 4 Issues That Must Change in Cybersecurity.

However since at this time is World Password Day, I needed to put this to the check: Can I nonetheless discover a moderately mainstream web site that permits me to create an account utilizing ‘123456’ because the password? Sadly, the reply is sure.

There are common websites, similar to ‘evite’, that also permit this actual six-digit string for use as a password. You could dismiss it as simply an e-invite service, till you notice that you simply’re sharing private information in your invites and doubtlessly handle the responses of all of your invitees by way of an account that isn’t safe. The surprising a part of this very crude check is the discovering that Evite was topic to an information breach in 2019 that affected the private data of over 100 million folks. The corporate ought to in all probability know higher than to permit its customers to have such weak passwords.

The state of affairs isn’t drastically higher on much more common providers. Once I tried to create a brand new account on Fb, the platform did mandate an extra degree of password complexity. However nonetheless, a string so simple as ‘1234567!’ turned out to be a permitted password. X supplied an analogous expertise.

Now, Fb, for instance, does supply some recommendation, similar to: “keep away from utilizing frequent phrases similar to ‘password’’ and “In case your password isn’t robust sufficient, combine uppercase and lowercase letters. Make it extra advanced through the use of an extended phrase or sequence of phrases which you could keep in mind however others received’t know.” But, it permits ‘1234567!’ for use, no letters, only a sequential sample with a easy exclamation mark on the finish, all simply guessable, particularly by automated scripts that check accounts en masse for generally used patterns and strings.

In the meantime, Collins Dictionary, which is house to far much less delicate content material, compelled me to create an eight-character password containing a minimum of three of the next – decrease case (a-z), higher case (A-Z), numbers (i.e. 0-9) and particular characters (e.g. !@#$%^&*).

NordPass’s information means that there are numerous extra websites that set restricted password insurance policies and permit trivial passwords like ‘123456’. Nevertheless, I feel there can also be parts of legacy within the technique used to calculate the most typical passwords. For instance, if an organization has existed for 10 years and by no means deleted any dormant person accounts, then a breach would come with outdated dormant account data, a few of which can be from earlier than any password coverage was enforced. The motivation behind publishing headline-snatching information can also be clear: the distributors that create the information story are set to doubtlessly profit as they supply password administration software program for a subscription.

Breaking the cycle

Now, how can we resolve this unending loop of negativity about passwords, together with the ridiculous state of affairs that platforms nonetheless allow non-secure passwords?

I don’t help the thought of legislators needing to mollycoddle residents, however on this occasion I feel it’s time for lawmakers to step on top of things and put a cease to the sample of firms not implementing stringent authentication insurance policies and permitting customers to take the straightforward choice. There may be widespread privateness laws stating that firms have to safe our private information in the event that they retailer it, utilizing applicable cheap cybersecurity measures. A core a part of these measures is the usage of robust, advanced passwords and multi-factor authentication (MFA), as required by any self-respecting cybersecurity framework. But, in lots of cases there are not any cybersecurity necessities on authentication for customer-facing providers.

Alternatively, some industries have been compelled to replace to fashionable authentication strategies. Within the finance business, for instance, there are a number of laws, such because the Fee Providers Directive 2 (PSD2), that mandate MFA for digital funds and entry to cost accounts on-line.

Laws ought to prolong to all industries: merely implement MFA for all accounts created on-line whatever the service being accessed, ditch the outdated use of passwords, and transfer to extra applicable safety for at this time’s web.

The potential hurdle to mandating this strategy is the barrier to entry for folks creating accounts. Firms reliant on promoting or the gathering (and sale) of private information for income will foyer considerably in opposition to the transfer, and corporations with massive budgets shall be very demanding that nothing steps in the best way of revenue, particularly one thing like securing buyer accounts by requiring a posh password and/or MFA.

For many of my 30-plus-year profession within the cybersecurity business, the difficulty of weak passwords has been a staple message pushed out daily, at many occasions, and on a specifically nominated day. There’s a easy and efficient solution to resolve it: mandate advanced passwords or, higher but, MFA. Can we please cease the dialog about ‘weak passwords’, as soon as and for all?