When it comes to businesses that use weak passwords to secure critical systems and customer data, retailers are frequent offenders, according to data in a new study by password management company NordPass, in collaboration with NordStellar. The study found that retail companies, including e-commerce giants and brick-and-mortar chains, use “alarmingly weak” passwords.
The research found login credentials like “123456,” “P@ssw0rd,” and “email@123456” across internal platforms, point-of-sale systems, employee accounts, and even vendor access portals. Some entries, like “Kabum@00” and “Amzn5452,” hint at company-specific or brand-related phrases, a risky shortcut that attackers often exploit.
“Retail is one of the most targeted industries for cyberattacks, particularly during peak sales periods and holidays,” says Ignas Valancius, Head of Engineering at NordPass. “Yet many businesses still rely on credentials that are either default, reused, or shockingly easy to guess. That’s a recipe for a breach.”
Many of the weakest passwords used by retailers follow simple numerical patterns or include personal names or brand identifiers. NordPass has listed the 20 most common ones:
- 123456
- fer1010
- nfer161280
- 12345678
- Kabum@00
- email@123456
- Amzn5452
- 12345
- student
- 123456789
- Pink0525!
- 1234
- Westgate645
- password
- Olliehen110
- 11111111
- P@ssw0rd
- 111111
- Sultan@310768
- Francine0812
These passwords, says NordPass, were often tied to employee logins, inventory management systems, CRM tools, and POS devices, all of which are critical to day-to-day retail operations. In the wrong hands, access to even one account could lead to stolen customer data, fraudulent transactions, or business disruption.
Cybercriminals frequently target retail because of the high volume of sensitive information it handles, including payment data, personal details, and supply chain access, NordPass says.
Valancius recommends that retail companies take a variety of steps to strengthen their defenses. First, ban the use of generic or brand-related passwords. Entries like “Amzn5452” or “Kabum@00” may feel clever but are often easy for attackers to guess. Educate staff at all levels, including seasonal hires. Everyone should understand the basics of password hygiene and security protocols. Implement a password manager for teams, which will make it easy to generate and store strong, unique passwords across systems. Also consider using passkeys, which can help prevent many attack vectors and secure sensitive data.
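One way to enforce the ban on generic or brand-related passwords at password-change time is sketched below; this is an added example, not code from NordPass or the study. The token lists are constructed for illustration from the passwords quoted above, and `reject_reason` is a hypothetical helper name.

```python
import re

# Character swaps often used to disguise dictionary words ("P@ssw0rd").
LEET = str.maketrans("@013$57", "aoiesst")

# Assumed inputs, constructed for this example. A real deployment would load
# its own brand, product and store names plus a much larger common-word list.
COMMON_WORDS = {"password", "student", "email", "admin", "welcome"}
BRAND_TOKENS = {"kabum", "amzn", "westgate"}


def reject_reason(password, brand_tokens=BRAND_TOKENS, common_words=COMMON_WORDS):
    """Return a short reason if the candidate password is banned, else None."""
    lowered = password.lower()

    # Pure digit strings such as "123456" or "11111111".
    if re.fullmatch(r"\d+", lowered):
        return "digits only"

    # Compare both the raw form and the leet-decoded form, so that
    # "K@bum2024" is treated the same as "kabum2024".
    forms = (lowered, lowered.translate(LEET))

    for token in sorted(brand_tokens):
        if any(token in form for form in forms):
            return f"contains brand token '{token}'"

    for word in sorted(common_words):
        if any(word in form for form in forms):
            return f"contains common word '{word}'"

    return None


if __name__ == "__main__":
    # Candidates: passwords quoted in the article plus two constructed ones.
    for candidate in ["123456", "Kabum@00", "Amzn5452", "P@ssw0rd",
                      "email@123456", "K@bum2024", "vT9#qLm2!xRw"]:
        print(f"{candidate!r:18} -> {reject_reason(candidate) or 'accepted'}")
```

Token matching does not catch passwords built from personal names and dates, like several on the list above, so it works best alongside a check against a list of known-breached passwords.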
“Retailers work hard to earn customer trust,” Valancius advises. “But a single compromised password can cost more than lost sales; it can lead to lasting brand damage. Stronger password policies are the first step toward retail-ready cybersecurity.”




