A new study suggests that poor password hygiene across small, medium, and large companies is putting sensitive data at risk.
NordPass, together with cybersecurity experts from NordStellar, has analysed thousands of credentials used across various industries and found one common thread in their newest research: weak passwords are everywhere, from local shops to global corporations.
“These are the organisations handling customer data, financial transactions, and sensitive intellectual property. Yet even at the enterprise level, we still see weak and reused credentials — and that’s an open invitation to attackers,” said Karolis Arbaciauskas, head of product at NordPass.
The research highlights how small businesses, mid-sized firms, and enterprises are using login details that would make any attacker’s job easy. Among the worst offenders are familiar classics like “123456”, “password”, and “11111111”, as well as company-related phrases and predictable number patterns.
Small businesses showed particularly casual habits, with passwords such as:
123456, ABCDEF, seila98, rally95fo, prestashop_demo, user@123, studlgu$$, Abcd1234, regalo111, and many more predictable passwords.
Weak or reused passwords remain a primary cause of breaches, phishing success, and credential-stuffing attacks. For small businesses, it could mean operational downtime or reputation loss; for enterprises, the stakes include regulatory fines, supply chain exposure, and significant financial damage.
The study's authors said firms need to:
- Ban default and predictable passwords. Companies need to enforce strong password policies, requiring complexity and regular updates to keep accounts secure.
- Train staff regularly on cybersecurity basics. Employees remain the biggest entry point for attackers. Regular workshops and reminders about phishing, password hygiene, and safe sharing practices can drastically reduce risks.
- Use a business-grade password manager. Password managers allow companies to securely store, share, and generate strong credentials. They also help avoid risky habits like writing down passwords or reusing them across multiple platforms.
- Move toward passkeys and multi-factor authentication. MFA adds an extra layer of protection by requiring additional verification, while passkeys are an even stronger, passwordless option that’s gaining traction in enterprise security.
“Whether you’re a two-person startup or a multinational, your cybersecurity is only as strong as your weakest password,” Arbaciauskas added. “It’s time to treat credentials with the same care as your most valuable assets.”
