惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

宝玉的分享
宝玉的分享
T
Threat Research - Cisco Blogs
H
Hacker News: Front Page
N
News and Events Feed by Topic
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
SecWiki News
SecWiki News
C
Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tor Project blog
K
Kaspersky official blog
Forbes - Security
Forbes - Security
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
P
Privacy & Cybersecurity Law Blog
H
Heimdal Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
S
SegmentFault 最新的问题
V
Vulnerabilities – Threatpost
T
Tenable Blog
T
Tailwind CSS Blog
P
Privacy International News Feed
WordPress大学
WordPress大学
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
博客园 - Franky
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
C
Cybersecurity and Infrastructure Security Agency CISA
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
雷峰网
雷峰网
Vercel News
Vercel News
A
About on SuperTechFans
爱范儿
爱范儿
Simon Willison's Weblog
Simon Willison's Weblog
AWS News Blog
AWS News Blog
The Last Watchdog
The Last Watchdog
Engineering at Meta
Engineering at Meta
Spread Privacy
Spread Privacy
Security Archives - TechRepublic
Security Archives - TechRepublic
博客园 - 司徒正美
量子位
博客园 - 三生石上(FineUI控件)
J
Java Code Geeks
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Martin Fowler
Martin Fowler
Project Zero
Project Zero

WeLiveSecurity

Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
Fixing trivial passwords is as easy as 123456
Tony Anscombe · 2026-05-07 · via WeLiveSecurity

Digital Security

Fixing the password problem is as easy as 123456

How come it’s still possible to ‘secure’ an online account with a six-digit string?

07 May 2026  •  , 4 min. read

Fixing the password problem is as easy as 123456

The most-used password globally is exactly what you think it is: ‘123456.’ That’s according to NordPass’s latest annual report on passwords exposed in data breaches globally. Other all-too-predictable choices, such as ‘123456789’, ‘12345678’, ‘12345’ and ‘admin’, also prove to have staying power year after year.

My first instinct is to dismiss this as scaremongering fodder, especially given that poor password hygiene was also part of a community engagement session I presented at the recent RSAC conference, Let's Rant: 4 Things That Need to Change in Cybersecurity.

But since today is World Password Day, I had to put this to the test: Can I still find a reasonably mainstream website that allows me to create an account using ‘123456’ as the password? Unfortunately, the answer is yes.

There are popular sites, such as ‘evite’, that still allow this exact six-digit string to be used as a password. You may dismiss it as just an e-invite service, until you realize that you’re sharing personal data on your invitations and potentially manage the responses of all your invitees through an account that is not secure. The shocking part of this very crude test is the finding that Evite was subject to a data breach in 2019 that affected the personal information of over 100 million people. The company should probably know better than to allow its users to have such weak passwords.

The situation isn’t drastically better on even more popular services. When I attempted to create a new account on Facebook, the platform did mandate an additional level of password complexity. But still, a string as simple as ‘1234567!’ turned out to be a permitted password. X offered a similar experience.

Now, Facebook, for example, does offer some advice, such as: “avoid using common words such as ‘password’’ and “If your password isn’t strong enough, mix uppercase and lowercase letters. Make it more complex by using a longer phrase or series of words that you can remember but others won’t know.” Yet, it permits ‘1234567!’ to be used, no letters, just a sequential pattern with a simple exclamation mark at the end, all easily guessable, especially by automated scripts that test accounts en masse for commonly used patterns and strings.

Meanwhile, Collins Dictionary, which is home to far less sensitive content, forced me to create an eight-character password containing at least three of the following – lower case (a-z), upper case (A-Z), numbers (i.e. 0-9) and special characters (e.g. !@#$%^&*).

NordPass’s data suggests that there are many more sites that set limited password policies and allow trivial passwords like ‘123456’. However, I think there may also be elements of legacy in the method used to calculate the most common passwords. For example, if a company has existed for 10 years and never deleted any dormant user accounts, then a breach would include outdated dormant account information, some of which may be from before any password policy was enforced. The motivation behind publishing headline-snatching data is also clear: the vendors that create the news story are set to potentially benefit as they provide password management software for a subscription.

Breaking the cycle

Now, how do we resolve this never-ending loop of negativity about passwords, along with the ridiculous situation that platforms still permit non-secure passwords?

I do not support the idea of legislators needing to mollycoddle citizens, but in this instance I think it’s time for lawmakers to step up to the mark and put a stop to the pattern of companies not implementing stringent authentication policies and allowing consumers to take the easy option. There is widespread privacy legislation stating that companies need to secure our personal data if they store it, using appropriate reasonable cybersecurity measures. A core part of these measures is the use of strong, complex passwords and multi-factor authentication (MFA), as required by any self-respecting cybersecurity framework. Yet, in many instances there are no cybersecurity requirements on authentication for customer-facing services.

On the other hand, some industries have been forced to update to modern authentication methods. In the finance industry, for example, there are several regulations, such as the Payment Services Directive 2 (PSD2), that mandate MFA for electronic payments and access to payment accounts online.

Legislation should extend to all industries: simply enforce MFA for all accounts created online regardless of the service being accessed, ditch the outdated use of passwords, and move to more appropriate security for today’s internet.

The potential hurdle to mandating this approach is the barrier to entry for people creating accounts. Companies reliant on advertising or the collection (and sale) of personal data for revenue will lobby significantly against the move, and companies with big budgets will be very demanding that nothing steps in the way of profit, especially something like securing customer accounts by requiring a complex password and/or MFA.

For most of my 30-plus-year career in the cybersecurity industry, the issue of weak passwords has been a staple message pushed out every day, at many events, and on a specially nominated day. There is a simple and effective way to resolve it: mandate complex passwords or, better yet, MFA. Can we please stop the conversation about ‘weak passwords’, once and for all?

To generate strong passwords and learn more about online account security, head over to ESET’s password generator page.


Let us keep you
up to date

Sign up for our newsletters