According to a new report from password manager and VPN service Nord Security, high-level executives use weak, easy-to-crack passwords, just like everyone else. In fact, as well as not bothering to protect their own, or their companies’, security, they seem to have a weird preference for fantastical creatures. “Interestingly, the study showed that top executives also extensively use names of people (i.e., Tiffany, Charlie, Michael, Jordan) and mythical creatures or animals (i.e., dragon, monkey) in their passwords,” Patricija Černiauskaitė of Nord Security told Lifewire via email.

Too Busy to Care

So why are execs so bad at passwords? Like the rest of us, they think they have more important things to do. “Executives are inundated with questions and information and also are asked to make split-second decisions on a range of topics. Even if they came up with a rudimentary mapping approach to passwords (e.g., “same password + fin@nce” for finance sites; “same password + s0c1al” for social sites), the last thing they want to do is interrupt their thought process by having to think about a specific password for a specific site,” 1Password CTO Pedro Canahuati told Lifewire via email.  The result is that the top password used by high-level office-dwellers is 123456, followed by the old classic: password. We know passwords are important, but that doesn’t make them any easier to remember. At home, writing them on paper is as secure as anything, but in the office, that’s obviously a bad idea. But is it the fault of employees—at any level— or should a company’s IT department be taking care of training and managing this? After all, try to think of another area in business where the consequences for failure are so dire, but the employees are allowed to just wing it.  “I believe that if more people are shown by their company how to simplify the complex world of password retention with examples, training, and tools, people would be more receptive to implementing strong passwords,” Chris Lepotakis, senior associate at global cybersecurity assessor Schellman, told Lifewire via email. “In my personal experience, I have seen this to be a lacking area that more companies should consider improving upon in their security training curricula for employees.”

The Answer

The answer is to mandate the use of a password manager of some kind. There are plenty of services to choose from, and they integrate with browsers and other software. A password manager generates secure passwords, remembers them, and fills them in automatically when you need them.  All the user has to do is remember a single password or passphrase, the one needed to unlock the password manager app. Surely corporate systems could be locked down so that passwords could only be entered via a password manager app like NordPass or 1Password, thus removing the lazy human from the equation? But, of course, there’s a problem here. Us lazy humans will just pick 123456 or poochie89 as the master password, which could lay bare their entire collection of passwords with one well-aimed social engineering attack. On the other hand, it’s possible to tie this master password to a physical token of some kind, like the user’s phone or a security key. 

Is Anyone Good at Passwords?

While researching this article, I asked respondents whether there are any groups that are actually good at password security. I thought that perhaps security professionals, or IT people, might do better.  The answers were mixed, but most said there’s no group that stands out, although thankfully, IT security people at least know what they should be doing.  “I can honestly say that most security teams for all organizations really do seem to handle password security better,” says Lepotakis, “but I would not say that is consistently true. I think this really does harken back to my original statement in the section about executives. We are all still human, and people either make mistakes or forego appropriate security to make their lives easier.” The takeaway from all this is that you should use a password manager, take the time to create, learn, and remember a strong master password, and never tell it to anyone. Should be easy enough.