Research shows weak passwords plague businesses of all sizes

New study reveals poor password hygiene across small, medium, and large companies - putting sensitive data at risk.

When it comes to cybersecurity, size doesn’t always mean strength. NordPass, together with cybersecurity experts from NordStellar, has analysed thousands of credentials used across various industries and found one common thread in their newest research: weak passwords are everywhere, from local shops to global corporations.

"These are the organisations handling customer data, financial transactions, and sensitive intellectual property. Yet even at the enterprise level, we still see weak and reused credentials - and that’s an open invitation to attackers," says Karolis Arbaciauskas, head of product at NordPass.

The top 20 not-so-secret enterprise passwords

The research highlights how small businesses, mid-sized firms, and enterprises are using login details that would make any attacker’s job easy. Among the worst offenders are familiar classics like “123456”, “password”, and “11111111”, as well as company-related phrases and predictable number patterns.

Small businesses showed particularly casual habits, with passwords such as: 123456, ABCDEF, seila98, rally95fo, prestashop_demo, user@123, studlgu$$, Abcd1234, regalo111, and many more predictable passwords.

Enterprises, despite greater resources and higher stakes, were far from immune. Here are the top 20 not-so-secret passwords:

1. 123456789
2. 123456
3. 12345678
4. 11111111
5. 123123
6. 00000000
7. password
8. a123456
9. 12345
10. 1234567890
11. a123456789
12. 88888888
13. qq123456
14. 123321
15. 000000
16. 987654321
17. woaini1314
18. FQRG7CS493
19. 123456789a
20. P@ssw0rd

Why it matters

Weak or reused passwords remain a primary cause of breaches, phishing success, and credential-stuffing attacks. For small businesses, it could mean operational downtime or reputation loss; for enterprises, the stakes include regulatory fines, supply chain exposure, and significant financial damage.

The fix is simple, but often overlooked:

• Ban default and predictable passwords. Companies need to enforce strong password policies, requiring complexity and regular updates to keep accounts secure.
• Train staff regularly on cybersecurity basics. Employees remain the biggest entry point for attackers. Regular workshops and reminders about phishing, password hygiene, and safe sharing practices can drastically reduce risks.
• Use a business-grade password manager. Password managers allow companies to securely store, share, and generate strong credentials. They also help avoid risky habits like writing down passwords or reusing them across multiple platforms.
• Move toward passkeys and multi-factor authentication. MFA adds an extra layer of protection by requiring additional verification, while passkeys are an even stronger, passwordless option that’s gaining traction in enterprise security.

"Whether you’re a two-person start up or a multinational, your cybersecurity is only as strong as your weakest password," Arbaciauskas adds. "It’s time to treat credentials with the same care as your most valuable assets."

Story issued by Gabriele Gecaite, Nordpass Public Relations.