Password Hall of Shame: Real Weak Passwords in Real Systems

Researchers discovered that the backend of a McDonald's AI-powered hiring chatbot was accessible using an admin login with the password 123456. The backend exposed access to a large amount of job applicant data, including personal information submitted by people who thought they were applying for a job.

123456 has topped every "most common passwords" list for over a decade. It's the first thing any attacker tries. And yet it was protecting a production system handling real applicant data for one of the largest employers in the world. The most famous weak password in the world still works — because default credentials get deployed and never changed.

In the 2021 Oldsmar incident, someone remotely accessed a Florida water treatment plant's control systems and briefly changed chemical levels to dangerous concentrations. Investigations revealed the facility was using remote access software with a password shared among multiple employees, on a network with limited segmentation. An operator caught the change in time and reversed it.

A shared password means no accountability and no revocation. When a shared credential is compromised — whether by a former employee, a breach on another system, or direct attack — you can't rotate it quietly. Everyone using it has to be notified, and any of them could have been the leak. In critical infrastructure, "shared password" is a class of failure, not just a weak password.

Colorado's Secretary of State office accidentally published a spreadsheet to a public website that contained hidden tabs with still-active passwords for some of the state's voting systems. The spreadsheet was intended for public release, but the hidden tabs were not scrubbed before publication. The passwords were discovered by a member of the public who knew to look for hidden sheets.

"Hidden tab" is not access control. Spreadsheets are deceptively porous — hidden columns, hidden sheets, and embedded metadata all survive exports that look clean on the surface. This is particularly acute because spreadsheets are often used as informal credential stores in organizations that haven't moved to proper secrets management. The file looked fine. It wasn't.

Breach data consistently shows that when organizations enforce complexity requirements (uppercase, lowercase, number, symbol), users respond by applying predictable transformations to simple words: Password becomes P@ssw0rd, then P@ssw0rd1, then P@ssw0rd1!. The password passes every filter. It cracks in seconds because every cracking tool includes these exact transformations in its ruleset.

This isn't a single incident — it's a pattern observed across hundreds of millions of cracked credentials. It's what happens when complexity rules meet human psychology at scale.

Complexity requirements were designed to force randomness. Instead, they forced legibility — short, memorable words with just enough symbols appended to satisfy a filter. The password looks strong. The strength meter might even turn green. But attackers precompute these transformations. A word with substitutions is barely harder to crack than the original word.