Despite handling billions in transactions and safeguarding highly sensitive data, many financial institutions are relying on woefully weak and easily guessable passwords.

New research by NordPass, in collaboration with NordStellar, reveals a shocking lack of basic password hygiene across banks, fintech platforms, and other financial service providers.

The study uncovered credentials like “123456,” “password,” and even “user@123” protecting critical internal systems, accounting software, employee email logins, and demo accounts. In some instances, default passwords such as “demo” and “secret” were still in use, representing glaring security holes.

“Finance is one of the most targeted industries for cybercrime – and yet many of the passwords we found wouldn’t pass a basic security audit,” states Karolis Arbaciauskas, head of business product at NordPass. “With sensitive financial data on the line, outdated password practices are a major liability.”

The research highlighted a troubling reliance on simple numeric sequences, common terms, and personal or company-related names. Here are the top 20 most common passwords discovered in the finance sector:

1. ABCDEF
2. 123456
3. user@123
4. 12345678
5. Mikeross69
6. secret
7. password
8. P@ssw0rd
9. demo
10. Okere@770!
11. 12345
12. Karra0915
13. 123456789
14. gadai123!
15. Sparsh@22
16. ccissexy
17. Hulela06*
18. abc123
19. [email protected]
20. !Welcome2022

These easily cracked credentials, including a pop-culture reference like “Mikeross69,” are guarding access to systems that, if compromised, could lead to massive data leaks, severe reputational damage, and hefty regulatory penalties.

To bolster cybersecurity, Arbaciauskas strongly recommends avoiding personal names or company references in passwords, educating all staff on modern password hygiene, utilizing strong, unique passwords stored in a business-grade password manager, and, crucially, enabling multi-factor authentication (MFA).
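The patterns the research calls out (numeric sequences, leet-speak dressings of dictionary words, names padded with a year or a symbol) are exactly what a password screening check should catch at set-time, as NIST SP 800-63B recommends. The following Python is an added example, not code from NordPass or the study: it screens candidate passwords against a small constructed denylist, undoes common leet substitutions so "P@ssw0rd" is judged as "password", detects ascending/descending character runs, and flags personal or company terms supplied by the caller. The 12-character minimum, the denylist contents and the term list ("Mike", "Ross", "Acme") are assumptions for illustration; the sample passwords are the top 20 from the page, minus the entry the page shows redacted.

```python
from __future__ import annotations

import re
from typing import Iterable

# Constructed denylist for this example only. A real deployment screens
# against a full breached/common-password corpus, not this handful.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "12345",
    "123456789", "secret", "demo", "welcome", "letmein", "admin",
}

# Leet substitutions undone before the denylist lookup.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy value; NIST SP 800-63B requires at least 8


def core_word(pw: str) -> str:
    """Strip leading/trailing digits and symbols, lowercase, undo leet-speak.

    '!Welcome2022' -> 'welcome', 'P@ssw0rd' -> 'password', 'Mikeross69' -> 'mikeross'
    """
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return stripped.lower().translate(LEET)


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending characters
    ('1234', 'abcd', 'dcba'), the numeric/keyboard sequences the study found."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def password_weaknesses(pw: str, known_terms: Iterable[str] = ()) -> list[str]:
    """Return the list of reasons a password would fail screening (empty = passes)."""
    reasons: list[str] = []
    low = pw.lower()
    core = core_word(pw)
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if low in COMMON_PASSWORDS or (core and core in COMMON_PASSWORDS):
        reasons.append("common password")
    if has_sequence(pw):
        reasons.append("keyboard/numeric sequence")
    if pw.isdigit():
        reasons.append("digits only")
    # Personal names, company names, product names: anything the caller knows
    # an attacker could guess from OSINT about the organisation or its staff.
    for term in known_terms:
        if len(term) >= 4 and term.lower() in core:
            reasons.append(f"contains known term '{term}'")
    return reasons


def audit(passwords: Iterable[str], known_terms: Iterable[str] = ()) -> dict[str, list[str]]:
    """Map every failing password to its reasons; passing passwords are omitted."""
    return {pw: r for pw in passwords if (r := password_weaknesses(pw, known_terms))}


# Top 20 from the research as listed on the page; the redacted entry is omitted.
FINANCE_TOP_PASSWORDS = [
    "ABCDEF", "123456", "user@123", "12345678", "Mikeross69", "secret",
    "password", "P@ssw0rd", "demo", "Okere@770!", "12345", "Karra0915",
    "123456789", "gadai123!", "Sparsh@22", "ccissexy", "Hulela06*", "abc123",
    "!Welcome2022",
]

# Constructed term list: names the organisation would add from its own context.
KNOWN_TERMS = ["Mike", "Ross", "Acme"]

if __name__ == "__main__":
    for pw, reasons in audit(FINANCE_TOP_PASSWORDS, KNOWN_TERMS).items():
        print(f"{pw:15} {', '.join(reasons)}")
```

Every one of the 19 listed passwords fails at least the length check, and most fail two or more; a long random passphrase such as "correct-horse-battery-staple-42" passes all of them. Run the checks where the password is set (and on import of existing credential stores), and pair them with MFA so a single weak password is not a single point of failure.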

“Trust is the currency of the finance world – and it’s easily lost through one weak password,” Arbaciauskas warns. “It’s time for finance leaders to take password security as seriously as fraud prevention or compliance.”

