New research reveals poor password hygiene in the finance sector, putting sensitive data at risk.
Despite handling trillions in transactions and guarding critical data, many financial institutions are still using weak and highly guessable passwords – opening the door to cybercriminals, the research suggests.
A new study by NordPass, in collaboration with NordStellar, reveals that banks, fintech platforms, and financial service providers are relying on credentials like “123456,” “password,” and even “user@123” to protect their systems.
These weak passwords were found in use across a variety of platforms – from internal banking dashboards and accounting systems to employee email logins and demo accounts. In some cases, credentials like “demo” and “secret” suggest default passwords were never changed, creating a major vulnerability.
“Finance is one of the most targeted industries for cybercrime – and yet many of the passwords we found wouldn’t pass a basic security audit. With sensitive financial data on the line, outdated password practices are a major liability,” says Karolis Arbaciauskas, head of business product at NordPass.
The research showed a troubling reliance on default logins, simple numeric sequences, and personal or company-related names – all of which are easily cracked with even basic tools.
The credentials were found guarding access to sensitive systems – and many follow easily guessed formats such as personal names with numbers, birth years, or common finance-related terms.
Cyberattacks on financial institutions can result in massive data leaks, reputational damage, and regulatory penalties. And yet, many breaches still begin with one compromised login.
Arbaciauskas recommends these steps for improved password security:
- Avoid using personal names, years, or company references in passwords. These are easy to find and guess.
- Educate teams at all levels. From analysts to executives, everyone should understand modern password hygiene.
- Use strong, unique passwords stored in a business-grade password manager. This removes the need to reuse or write them down.
- Enable multi-factor authentication (MFA). Even if a password is stolen, MFA can stop unauthorized access in its tracks.
“Trust is the currency of the finance world – and it’s easily lost through one weak password. It’s time for finance leaders to take password security as seriously as fraud prevention or compliance,” Arbaciauskas adds.
