Belgian employees often choose passwords that are easy to remember, but also easy for hackers to crack.
Is your company account password strong enough? A study by Spotit involving over 67,000 Belgian employees reveals that 58 percent of company passwords can be cracked within an hour. Predictable patterns such as the company name combined with a year remain particularly popular.
Commonly Used Passwords are Predictable
The ethical hacking team at Spotit, a Belgian cybersecurity company, examined the strength of passwords from 67,557 employees at small, medium, and large Belgian companies. The results show that 6 out of 10 passwords (39,346 in total) can be discovered in less than an hour using ‘password cracking’ techniques.
Commonly used passwords like Welcome2025, Companyname2025 or Summer2025! contain predictable patterns. These make it easy for hackers to automatically test combinations. “We see that employees often choose short, easy-to-remember passwords, which significantly increases the risk of a successful attack,” says Keanu Nys, Offensive Security Lead at Spotit.
Passwords appear to be weaker at multinationals than at SMEs. In 60 percent of cases, Spotit managed to crack a password at large companies. For smaller organizations, this was 40 percent. A possible explanation is the number of outdated accounts that are still active. When accounts of former employees are not removed in a timely manner, additional risks arise.
These are the most popular, and easily crackable, passwords for company accounts that Spotit encountered:
| Onboarding passwords | Variations on company names | Seasonal passwords |
| --- | --- | --- |
| Welcome2025 | Companyname2025 | Winter2025 |
| Welcome2025! | CompanyName2025! | Summer2025! |
| Welcome@CompanyName! | C0mp4nyN4m3! | Autumn2025! |
Fourteen Characters
Spotit advises companies to technically enforce the use of longer passwords for their employees. A secure company password should consist of at least fourteen characters. Additionally, it’s important to avoid predictable patterns such as company names and years, especially for mandatory password changes.
Other recommendations include mandatory implementation of multi-factor authentication (MFA), blocking commonly used passwords via a blocklist, and the use of passkeys: the system designed to replace passwords. Finally, educating and raising awareness among employees remains crucial. Regular tests and training help to increase awareness of cyber risks.
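One way to enforce the fourteen-character minimum and a pattern blocklist when a password is set, as an added example that is not Spotit's code: the base-word list, the `examplecorp` placeholder for the organisation's name, and the function name `check_password` are assumptions modelled on the table above.

```python
import re

MIN_LENGTH = 14  # minimum length recommended in the article

# Constructed blocklist of base words, modelled on the article's table.
# "examplecorp" is a placeholder for the organisation's own name.
BASE_WORDS = {"welcome", "winter", "spring", "summer", "autumn", "examplecorp"}

# Common character substitutions, undone before the blocklist comparison
# so that variants such as C0mp4nyN4m3! are still recognised.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

YEAR = re.compile(r"(?:19|20)\d{2}")


def check_password(candidate, base_words=BASE_WORDS, min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append("too_short")
    # Strip years first so their digits are not read as substitutions.
    without_year, n_years = YEAR.subn("", candidate)
    if n_years:
        problems.append("contains_year")
    # Lower-case, undo substitutions, then drop separators and punctuation.
    normalized = without_year.lower().translate(LEET)
    letters_only = re.sub(r"[^a-z]", "", normalized)
    hits = sorted(w for w in base_words if w in letters_only)
    if hits:
        problems.append("blocklisted_word:" + ",".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs following the patterns in the table.
    for pw in ["Welcome2025", "Ex4mpl3C0rp!", "Welcome@ExampleCorp!",
               "plum-ferry-quartz-lantern"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

The third sample is twenty characters long and still rejected, which is why the length rule and the blocklist are checked independently.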
With the emergence of stricter regulations such as the NIS2 directive, the importance of a solid password policy is growing. However, practice shows that technical measures alone are not sufficient as long as users remain the weak link in the chain.
