Swipe Your Card, Steal Your Data: Retail’s Weakest Passwords Revealed

Retailers may be masters of sales, but when it comes to cybersecurity, many are leaving the doors wide open. A new study by NordPass, in collaboration with NordStellar, reveals that companies in the retail sector — from e-commerce giants to brick-and-mortar chains — are using alarmingly weak passwords to protect critical systems and customer data.

The research uncovered a worrying trend: login credentials like “123456”, “P@ssw0rd”, and “email@123456” were found across internal platforms, point-of-sale systems, employee accounts, and even vendor access portals. Some entries, such as “Kabum@00” and “Amzn5452,” hint at company-specific or brand-related phrases — a risky shortcut that attackers often exploit.

“Retail is one of the most targeted industries for cyberattacks, particularly during peak sales periods and holidays. Yet many businesses still rely on credentials that are either default, reused, or shockingly easy to guess. That’s a recipe for a breach,” says Ignas Valancius, head of engineering at NordPass.

The Top 20 Not-So-Secret Passwords In Retail:

The study found weak password habits across businesses of all sizes — from local retailers to large e-commerce platforms. Many passwords followed simple numerical patterns, personal names, or brand identifiers. Here are the 20 most common passwords found in the retail industry:

  1. 123456
  2. fer1010
  3. nfer161280
  4. 12345678
  5. Kabum@00
  6. email@123456
  7. Amzn5452
  8. 12345
  9. student
  10. 123456789
  11. Pink0525!
  12. 1234
  13. Westgate645
  14. password
  15. Olliehen110
  16. 11111111
  17. P@ssw0rd
  18. 111111
  19. Sultan@310768
  20. Francine0812

These passwords were often tied to employee logins, inventory management systems, CRM tools, and POS devices — all of which are critical to day-to-day retail operations. In the wrong hands, access to even one account could lead to stolen customer data, fraudulent transactions, or business disruption.

The Price Of Poor Password Hygiene

Cybercriminals frequently target retail because of the high volume of sensitive information, including payment data, personal details, and supply chain access. And while businesses often invest in customer experience and sales tech, password security is still lagging behind.

Valancius recommends that retail companies take the following steps to strengthen their defenses:

  • Ban the use of generic or brand-related passwords. Entries like “Amzn5452” or “Kabum@00” may feel clever but are often easy for attackers to guess.
  • Educate staff at all levels — including seasonal hires. Everyone should understand the basics of password hygiene and security protocols.
  • Implement a password manager for teams. This makes it easy to generate and store strong, unique passwords across systems.
  • Take it to the next level and use passkeys. Passkeys close off many attack vectors and help secure sensitive data.

“Retailers work hard to earn customer trust. But a single compromised password can cost more than lost sales — it can lead to lasting brand damage,” Valancius adds. “Stronger password policies are the first step toward retail-ready cybersecurity.”