Why Do Critical Systems Still Use 'admin/123456'? Lessons from Ukraine’s Military Breach
An investigation reveals how weak credentials like "admin" and "123456" persisted in Ukraine’s military control systems, exposing massive data to low‑skill attackers and highlighting the urgent need for stronger password policies across critical infrastructure.
In 2020, the overused password "123456" appeared in more than 5 million leaked password lists, representing nearly 3% of users, while the obscure password "ji32k7au4a83" recently sparked discussion about how often it appears.
Have I Been Pwned offers a "Pwned Passwords" service that records 551,509,767 real passwords exposed in data breaches; a query for "123456" returns 23,174,662 occurrences.
Although individual users may be cautious, the article questions whether organizations—especially at the military or national level—use even stronger passwords, citing the Pentagon as a notorious target.
Media reports disclosed that Ukraine’s armed forces’ “Dnieper” military automation control system protected its servers with the primitive credentials admin / 123456.
The same weak pair ranked first and eleventh in the 2017 "Top 100 Weak Passwords" list, and many account systems now prohibit such passwords during registration.
The vulnerability allowed adversaries to scan Ukrainian military information freely until the summer of 2018, as demonstrated by the attacker’s test files.
In May 2018, Ukrainian cyber‑unit specialist Dmitry Vrachok discovered that numerous servers could be accessed with the default credentials "admin 123456," enabling even low‑skill hackers to reach switches, routers, printers, and scanners, and to extract large volumes of confidential data about operations in Donbas.
Although Vrachok reported the issue to the National Security and Defense Committee and the Ukrainian intelligence agency, the report was initially ignored. After more than a month, the Ministry of Defense ordered a ban on weak passwords and periodic checks, yet some IP‑related security concerns were dismissed.
In a July test, devices with default credentials remained accessible, and in some cases computers could connect to the defense network without any password.
Consequently, for nearly four months, many defense‑department servers and workstations continued to use the simple credentials "admin" and "123456".
Security experts recommend three password guidelines: (1) length of at least eight characters; (2) no obvious patterns; and (3) inclusion of at least three character types such as letters, numbers, and special symbols.
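The three guidelines above written as a registration-time check, as an added example that is not from the original article. The four character classes, the sequences treated as "obvious patterns", the blocklist entries other than admin and 123456, and the sample passwords are assumptions constructed for illustration.

```python
import re

# Assumption: "character types" are counted as these four classes.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Assumption: what counts as an "obvious pattern" (alphabet, digits, keyboard rows).
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
# The two values named in the article, plus constructed common entries.
BLOCKLIST = {"admin", "123456", "password", "administrator"}


def has_run(pw, n=4):
    """True if pw contains n consecutive characters of a known sequence, forward or reversed."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - n + 1):
                if s[i:i + n] in low:
                    return True
    return False


def check_password(pw, username=""):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(pw) < 8:                                   # guideline 1: length
        problems.append("length<8")
    low = pw.lower()
    if (low in BLOCKLIST or has_run(pw) or re.search(r"(.)\1{2,}", pw)
            or (username and username.lower() in low)):
        problems.append("obvious-pattern")            # guideline 2: no obvious patterns
    if sum(1 for rx in CLASSES.values() if rx.search(pw)) < 3:
        problems.append("classes<3")                  # guideline 3: three character types
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: (username, candidate password)
    for user, pw in [("admin", "123456"), ("admin", "Admin2018!"),
                     ("ops", "ji32k7au4a83"), ("ops", "t7#Vq9!mLz")]:
        print(user, pw, check_password(pw, user) or "accepted")
```

Format rules like these do not detect a password that already circulates in breach data; that is the gap a lookup against a corpus such as Pwned Passwords covers.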
The article invites readers to share their own password‑creation tips.
