{"id":210092,"date":"2026-05-07T03:26:00","date_gmt":"2026-05-07T07:26:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/07\/fixing-trivial-passwords-is-as-easy-as-123456\/"},"modified":"2026-05-07T06:15:10","modified_gmt":"2026-05-07T10:15:10","slug":"fixing-trivial-passwords-is-as-easy-as-123456","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/07\/fixing-trivial-passwords-is-as-easy-as-123456\/","title":{"rendered":"Fixing trivial passwords is as easy as 123456"},"content":{"rendered":"<p><a href=\"https:\/\/www.welivesecurity.com\/en\/cybersecurity\/fixing-password-problem-as-easy-as-123456\/\">Fixing trivial passwords is as easy as 123456<\/a><\/p>\n<p><a href=\"https:\/\/www.welivesecurity.com\/en\/cybersecurity\/fixing-password-problem-as-easy-as-123456\/\">https:\/\/www.welivesecurity.com\/en\/cybersecurity\/fixing-password-problem-as-easy-as-123456\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-07 03:26:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.welivesecurity.com\">www.welivesecurity.com<\/a><\/p>\n<p>How come it\u2019s still possible to \u2018secure\u2019 an online account with a six-digit string?<\/p>\n<p>07 May 2026 \u2022 4 min. read<\/p>\n<p>The most-used password globally is exactly what you think it is: \u2018123456.\u2019 That\u2019s according to NordPass\u2019s latest annual report on passwords exposed in data breaches globally. 
Other all-too-predictable choices, such as \u2018123456789\u2019, \u201812345678\u2019, \u201812345\u2019 and \u2018admin\u2019, also prove to have staying power year after year.<br \/>\nMy first instinct is to dismiss this as scaremongering fodder, especially given that poor password hygiene was also part of a community engagement session I presented at the recent RSAC conference, Let&#8217;s Rant: 4 Things That Need to Change in Cybersecurity.<br \/>\nBut since today is World Password Day, I had to put this to the test: Can I still find a reasonably mainstream website that allows me to create an account using \u2018123456\u2019 as the password? Unfortunately, the answer is yes.<br \/>\nThere are popular sites, such as \u2018evite\u2019, that still allow this exact six-digit string to be used as a password. You may dismiss it as just an e-invite service, until you realize that you\u2019re sharing personal data on your invitations and potentially manage the responses of all your invitees through an account that is not secure. The shocking part of this very crude test is the finding that Evite was subject to a data breach in 2019 that affected the personal information of over 100 million people. The company should probably know better than to allow its users to have such weak passwords.<br \/>\nThe situation isn\u2019t drastically better on even more popular services. When I attempted to create a new account on Facebook, the platform did mandate an additional level of password complexity. But still, a string as simple as \u20181234567!\u2019 turned out to be a permitted password. X offered a similar experience.<br \/>\nNow, Facebook, for example, does offer some advice, such as: \u201cavoid using common words such as \u2018password\u2019\u201d and \u201cIf your password isn\u2019t strong enough, mix uppercase and lowercase letters. 
Make it more complex by using a longer phrase or series of words that you can remember but others won\u2019t know.\u201d Yet, it permits \u20181234567!\u2019 to be used, no letters, just a sequential pattern with a simple exclamation mark at the end, all easily guessable, especially by automated scripts that test accounts en masse for commonly used patterns and strings.<br \/>\nMeanwhile, Collins Dictionary, which is home to far less sensitive content, forced me to create an eight-character password containing at least three of the following \u2013 lower case (a-z), upper case (A-Z), numbers (i.e. 0-9) and special characters (e.g. !@#$%^&#038;*).<br \/>\nNordPass\u2019s data suggests that there are many more sites that set limited password policies and allow trivial passwords like \u2018123456\u2019. However, I think there may also be elements of legacy in the method used to calculate the most common passwords. For example, if a company has existed for 10 years and never deleted any dormant user accounts, then a breach would include outdated dormant account information, some of which may be from before any password policy was enforced. The motivation behind publishing headline-snatching data is also clear: the vendors that create the news story are set to potentially benefit as they provide password management software for a subscription.<br \/>\nBreaking the cycle<br \/>\nNow, how do we resolve this never-ending loop of negativity about passwords, along with the ridiculous situation that platforms still permit non-secure passwords?<br \/>\nI do not support the idea of legislators needing to mollycoddle citizens, but in this instance I think it\u2019s time for lawmakers to step up to the mark and put a stop to the pattern of companies not implementing stringent authentication policies and allowing consumers to take the easy option. 
There is widespread privacy legislation stating that companies need to secure our personal data if they store it, using appropriate reasonable cybersecurity measures. A core part of these measures is the use of strong, complex passwords and multi-factor authentication (MFA), as required by any self-respecting cybersecurity framework. Yet, in many instances there are no cybersecurity requirements on authentication for customer-facing services.<br \/>\nOn the other hand, some industries have been forced to update to modern authentication methods. In the finance industry, for example, there are several regulations, such as the Payment Services Directive 2 (PSD2), that mandate MFA for electronic payments and access to payment accounts online.<br \/>\nLegislation should extend to all industries: simply enforce MFA for all accounts created online regardless of the service being accessed, ditch the outdated use of passwords, and move to more appropriate security for today\u2019s internet.<br \/>\nThe potential hurdle to mandating this approach is the barrier to entry for people creating accounts. Companies reliant on advertising or the collection (and sale) of personal data for revenue will lobby significantly against the move, and companies with big budgets will be very demanding that nothing steps in the way of profit, especially something like securing customer accounts by requiring a complex password and\/or MFA.<br \/>\nFor most of my 30-plus-year career in the cybersecurity industry, the issue of weak passwords has been a staple message pushed out every day, at many events, and on a specially nominated day. There is a simple and effective way to resolve it: mandate complex passwords or, better yet, MFA. 
Can we please stop the conversation about \u2018weak passwords\u2019, once and for all?<\/p>\n<p>To generate strong passwords and learn more about online account security, head over to ESET\u2019s password generator page.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fixing trivial passwords is as easy as 123456 https:\/\/www.welivesecurity.com\/en\/cybersecurity\/fixing-password-problem-as-easy-as-123456\/ Publish Date: 2026-05-07 03:26:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":210094,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/world-password-day-weak-passwords.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24],"class_list":["post-210092","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210092"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=210092"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210092\/revisions"}],"predecessor-version":[{"id":210096,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210092\/revisions\/210096"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/210094"}],"wp:attachment":[{"href":"https:\/\/testing.news-you
-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=210092"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=210092"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=210092"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}