We are gathered here today to say goodbye to a legend.
Not a good legend. Not a safe legend. But a legend nonetheless.
Password123 — or, as some knew you, password!, P@ssword1, or the season-and-year variation taped to an office monitor — you were the little credential that could. You were easy to remember. You were easy to type. You asked almost nothing of us.
You were also, and we say this with love, catastrophically bad at the one job you were given.
“Password123 was never the whole problem. It was the symptom of security being treated as something to get past.”
A life lived in plain text
You were born from a simple human truth: nobody wants to invent a secure new credential at 9 a.m. on a Monday when they are just trying to open the invoicing system.
You were there when we signed up for software we barely used. You were there when the password-reset prompt demanded a capital letter, a number and a symbol, and we simply capitalised the first letter and added an exclamation mark. You were there when the Wi-Fi password became the company name followed by the year the business opened.
You asked nothing of us. You judged no one.
And attackers were delighted by your hospitality.
The numbers, since we are here
The NordPass and NordStellar 2025 common-password report, based on aggregated data from public breaches and dark web repositories, placed 123456 at the top of the global list again. It has led the report in six of its seven editions. The word password remains among the usual suspects.
So let us remember a few of the colleagues who shared your particular approach to protection:
- 123456 — less a lock than a welcome mat.
- qwerty — a keyboard warm-up exercise masquerading as security.
- password — honest about its purpose, unhelpful in every other way.
- admin — the default that refused to retire.
- CompanyName2026! — technically decorated, spiritually unchanged.
You were in good company, Password123. Terrible, terrible company.
The five stages of password grief
“Nobody is going to target me. I run a small business. I am not interesting.”
“Why do I need a capital letter, a number and a symbol? It is only a login.”
“What if I add our founding year? That is basically different.”
The moment a staff member cannot access an account, nobody knows who controls the recovery email, and the person who set it up left two years ago.
Fine. We will use a password manager. We will turn on multifactor authentication. We will stop sharing the same login over email.
What you leave behind
In your wake, Password123, you leave a complicated legacy.
You leave behind sticky notes on monitors. You leave behind spreadsheets called Passwords – Do Not Share that have somehow been shared with the whole team. You leave behind the person in every office who has to walk over and type a password personally because “it is complicated.” It is not complicated. It is just embarrassing.
You also leave behind a real business risk. Email, billing systems, cloud storage, website accounts and social media pages are all places where one compromised login can create expensive confusion very quickly.
The point is not to blame people for choosing memorable passwords. The point is to stop building business access around the hope that everyone will remember a different, excellent password for every system they use.
What should replace you
The funeral is funny. The replacement plan should be practical.
CISA recommends that small and medium-sized businesses require strong passwords, use a password manager and pair passwords with multifactor authentication. Its guidance is refreshingly simple: weak or stolen passwords are one of the easiest ways attackers get into business accounts.
Here is what that looks like in practice:
You do not need to do all of this at once. Start with a password manager and MFA on your email account. Those two changes address the majority of credential-related risk for a small business.
The bottom line
Here is the truth we must speak over your grave, Password123: you were never the whole problem. You were what happened when security was treated as somebody else’s job, or as a task to finish quickly before the real work could begin.
For a small business, a safer setup does not need to mean an elaborate security programme. It can begin with a password manager, MFA on critical accounts, individual access for staff and a clear record of who owns what.
So rest, old friend. The world is slowly moving toward passkeys, stronger authentication and login systems that do not ask one easily guessed word to protect an entire business.
We will always remember you. Particularly on the day somebody suggests using you again.