If you assumed the people running companies pick stronger passwords than everyone else, the data has bad news. NordPass keeps finding the same answer year after year: the C-suite is just as guilty as everyone else.
What Got Lost in an Uber and What That Has to Do With Passwords
Uber just released its annual list of the weirdest things people lost in... well, Uber.
Reading through it feels like following a thrilling story, most likely ending in a serious hangover.
A few highlights of what was lost in Ubers all over the world: a Viking drinking horn (practical), Shrek ears (definitely something you might need, though not sure when or why), or even an aquarium (we don't know how big it was, but... how?!).
Anyway!
One of the things people were losing the most? Legal documents.
Which got me thinking: How often do we casually leave sensitive data at the mercy of the world around us?
Take passwords, for example.
Can you guess the password most often used by C-levels according to NordPass?
123456
Brilliant.
And it's not just small businesses making questionable choices and therefore risking a data breach incident. Check out this neatly visualized data on The misfortunate passwords of Fortune 500 companies.
Some key takeaways:
🔥 20% of passwords were literally the company's name (or a slight variation).
🔥 "Password" is still one of the hottest password picks across all industries.
🔥 HR topped the charts with the highest Unique Password Percentile at 31%.
Why the Top of the Org Chart Is the Easiest Target
The NordPass research, conducted with independent researchers across more than 290 million data breaches, has now found 123456 at the top of the C-level list five years running. The single password 123456 was logged over 1.2 million times in the most recent corporate dataset. That matters because executive accounts often have broader access than rank-and-file accounts: payroll, financial systems, HR records, contracts. The combination of weak password plus elevated privileges is exactly what attackers look for. The Fortune 500 study referenced in the original makes the same point at scale - even at the world's largest companies, predictable picks like the company name or "password" still dominate.
A 4-Step Password Hygiene Fix for Your Office
Roll out a password manager company-wide. 1Password, Bitwarden, and NordPass Business all work. Make it the default, not the optional add-on.
Turn on multi-factor authentication for every critical system, starting with email, HR, and finance. MFA blocks most of the damage even when a password leaks.
Run a "have I been pwned" check on company emails quarterly. The site is free and surfaces accounts caught in known breaches.
Replace the annual "change your password" mandate with a one-time push to long passphrases. Modern guidance favours passphrase length over forced rotation.
