How come it’s nonetheless potential to ‘safe’ an internet account with a six-digit string?
07 Might 2026
•
,
4 min. learn
The most-used password globally is strictly what you assume it’s: ‘123456.’ That’s in keeping with NordPass’s newest annual report on passwords uncovered in knowledge breaches globally. Different all-too-predictable selections, corresponding to ‘123456789’, ‘12345678’, ‘12345’ and ‘admin’, additionally show to have endurance yr after yr.
My first intuition is to dismiss this as scaremongering fodder, particularly on condition that poor password hygiene was additionally a part of a neighborhood engagement session I introduced on the latest RSAC convention, Let’s Rant: 4 Issues That Have to Change in Cybersecurity.
However since immediately is World Password Day, I needed to put this to the take a look at: Can I nonetheless discover a fairly mainstream web site that enables me to create an account utilizing ‘123456’ because the password? Sadly, the reply is sure.
There are fashionable websites, corresponding to ‘evite’, that also permit this precise six-digit string for use as a password. It’s possible you’ll dismiss it as simply an e-invite service, till you understand that you just’re sharing private knowledge in your invites and doubtlessly handle the responses of all of your invitees via an account that’s not safe. The surprising a part of this very crude take a look at is the discovering that Evite was topic to a knowledge breach in 2019 that affected the non-public info of over 100 million folks. The corporate ought to most likely know higher than to permit its customers to have such weak passwords.
The scenario isn’t drastically higher on much more fashionable companies. Once I tried to create a brand new account on Fb, the platform did mandate an extra stage of password complexity. However nonetheless, a string so simple as ‘1234567!’ turned out to be a permitted password. X provided the same expertise.
Now, Fb, for instance, does provide some recommendation, corresponding to: “keep away from utilizing widespread phrases corresponding to ‘password’’ and “In case your password isn’t robust sufficient, combine uppercase and lowercase letters. Make it extra advanced by utilizing an extended phrase or collection of phrases you could bear in mind however others gained’t know.” But, it permits ‘1234567!’ for use, no letters, only a sequential sample with a easy exclamation mark on the finish, all simply guessable, particularly by automated scripts that take a look at accounts en masse for generally used patterns and strings.
In the meantime, Collins Dictionary, which is dwelling to far much less delicate content material, pressured me to create an eight-character password containing a minimum of three of the next – decrease case (a-z), higher case (A-Z), numbers (i.e. 0-9) and particular characters (e.g. !@#$%^&*).
NordPass’s knowledge means that there are numerous extra websites that set restricted password insurance policies and permit trivial passwords like ‘123456’. Nevertheless, I believe there may be components of legacy within the technique used to calculate the most typical passwords. For instance, if an organization has existed for 10 years and by no means deleted any dormant consumer accounts, then a breach would come with outdated dormant account info, a few of which can be from earlier than any password coverage was enforced. The motivation behind publishing headline-snatching knowledge can also be clear: the distributors that create the information story are set to doubtlessly profit as they supply password administration software program for a subscription.
Breaking the cycle
Now, how will we resolve this endless loop of negativity about passwords, together with the ridiculous scenario that platforms nonetheless allow non-secure passwords?
I don’t assist the concept of legislators needing to mollycoddle residents, however on this occasion I believe it’s time for lawmakers to step on top of things and put a cease to the sample of corporations not implementing stringent authentication insurance policies and permitting customers to take the simple choice. There may be widespread privateness laws stating that corporations have to safe our private knowledge in the event that they retailer it, utilizing acceptable affordable cybersecurity measures. A core a part of these measures is the usage of robust, advanced passwords and multi-factor authentication (MFA), as required by any self-respecting cybersecurity framework. But, in lots of cases there are not any cybersecurity necessities on authentication for customer-facing companies.
However, some industries have been pressured to replace to trendy authentication strategies. Within the finance trade, for instance, there are a number of rules, such because the Fee Providers Directive 2 (PSD2), that mandate MFA for digital funds and entry to fee accounts on-line.
Laws ought to lengthen to all industries: merely implement MFA for all accounts created on-line whatever the service being accessed, ditch the outdated use of passwords, and transfer to extra acceptable safety for immediately’s web.
The potential hurdle to mandating this strategy is the barrier to entry for folks creating accounts. Corporations reliant on promoting or the gathering (and sale) of private knowledge for income will foyer considerably in opposition to the transfer, and firms with large budgets can be very demanding that nothing steps in the best way of revenue, particularly one thing like securing buyer accounts by requiring a fancy password and/or MFA.
For many of my 30-plus-year profession within the cybersecurity trade, the difficulty of weak passwords has been a staple message pushed out every single day, at many occasions, and on a specifically nominated day. There’s a easy and efficient option to resolve it: mandate advanced passwords or, higher but, MFA. Can we please cease the dialog about ‘weak passwords’, as soon as and for all?
To generate robust passwords and be taught extra about on-line account safety, head over to ESET’s password generator web page.
