Weak passwords in Spain: a costly compliance risk

Published on May 15, 2026 | Translated from Spanish

The latest report from NordPass and NordStellar, based on the analysis of 2.5 terabytes of leaked credentials, reveals that the most popular passwords in Spain are a disaster for cybersecurity. Passwords like 123456, admin, or 12345678 can be cracked in less than a second, and they are identical to the ones found in Mexico or China. In 2024, over 27,000 Spaniards used 123456, exposing their own data and that of their companies to an evident regulatory risk under the GDPR.

[Image: Map of Spain with broken padlocks and leaked data, illustrating cybersecurity and regulatory compliance]

Technical analysis: reuse patterns and exposure time 🔐

Convenience is not a legal excuse. The report shows that 97% of the top 100 most hacked passwords globally have fewer than 12 characters, and combinations like Nacho2006 or Talocha1 offer only a false sense of security. From a digital compliance perspective, reusing these passwords across multiple services (banking, email, HR) directly violates the integrity and confidentiality principle of Article 32 of the GDPR. A 3D infographic could show how a brute-force attack cracks 123456 in 0.3 seconds, whereas a robust 16-character password pushes that time to centuries, a critical point for security audits.
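To make the length argument concrete, here is an added Python example (not code from the NordPass/NordStellar report or from the article). It estimates the worst-case brute-force time for a password from its length and the character classes it uses, at an assumed offline guess rate, treats the article's named weak passwords as instant dictionary hits, and applies the report's 12-character threshold as a minimum policy check. The guess rate, the three-class rule and the sample passphrase are assumptions made for illustration.

```python
"""Crack-time estimate and minimum password policy check.

Added example; not code from the NordPass/NordStellar report or the article.
The guess rate below is an assumption chosen for illustration only.
"""
import string
from typing import List

# Assumed offline guessing rate against a fast, unsalted hash (constructed figure).
ASSUMED_GUESSES_PER_SECOND = 10 ** 10
SECONDS_PER_YEAR = 365 * 24 * 3600

# Passwords the article says fall in under a second; compared case-insensitively.
BLOCKLIST = {"123456", "admin", "12345678", "password"}
MIN_LENGTH = 12  # the report's threshold: 97% of the top-100 cracked passwords are shorter

# Character classes and their members, used to size the attacker's search space.
CLASSES = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
)


def classes_used(password: str) -> List[str]:
    """Names of the character classes the password actually contains."""
    chars = set(password)
    return [name for name, members in CLASSES if chars & members]


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover to enumerate passwords like this one."""
    used = set(classes_used(password))
    return sum(len(members) for name, members in CLASSES if name in used)


def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same classes."""
    return charset_size(password) ** len(password)


def brute_force_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the assumed rate.

    A blocklisted password is treated as an instant dictionary hit: no
    amount of length arithmetic helps once the value sits in a leaked list.
    """
    if password.lower() in BLOCKLIST:
        return 0.0
    return keyspace(password) / rate


def check_policy(password: str) -> List[str]:
    """Return the policy violations for a password (an empty list means it passes)."""
    problems = []
    if password.lower() in BLOCKLIST:
        problems.append("appears in the breached-password blocklist")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(password)) < 3:  # assumed rule, not from the report
        problems.append("uses fewer than three character classes")
    return problems


def describe(password: str) -> str:
    """Human-readable summary: crack-time horizon plus policy verdict."""
    secs = brute_force_seconds(password)
    if secs < 1:
        horizon = "under a second"
    elif secs < SECONDS_PER_YEAR:
        horizon = f"{secs / 86400:.1f} days"
    else:
        horizon = f"{secs / SECONDS_PER_YEAR:.3g} years"
    verdict = "; ".join(check_policy(password)) or "passes policy"
    return f"{password!r}: {horizon} ({verdict})"


if __name__ == "__main__":
    # Constructed samples: the article's weak examples plus a 17-character passphrase.
    for candidate in ("123456", "admin", "Nacho2006", "Alc0ba-Verde!2026"):
        print(describe(candidate))
```

The estimate is an upper bound on attacker effort, not a guarantee: the rate depends heavily on the hash in use (a slow, salted hash such as bcrypt or Argon2 lowers it by orders of magnitude), and a dictionary word with a year appended, like Nacho2006, is found far sooner than exhaustive enumeration suggests, which is why the blocklist check matters more than the arithmetic for an audit.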

3D solutions and regulatory risk scenarios ⚖️

The solution is not only technical but also a matter of governance. Implementing biometric verification (fingerprint or facial recognition) and two-factor authentication (2FA) not only protects data but also demonstrates due diligence before an AEPD inspection. Consider a scenario: an employee uses admin in the corporate CRM, and a cyberattack leaks customer data. The penalty for non-compliance with the GDPR can reach 20 million euros or 4% of annual turnover. Investment in cybersecurity ceases to be an expense and becomes a mandatory compliance item.

How can a Spanish company demonstrate regulatory compliance in data protection if more than 80% of the breaches analyzed by NordPass originate from weak passwords like 123456 or password, and what specific GDPR penalties could it face for not implementing robust credential management policies?

(PS: The SCRA is like autosave: when you fail, you realize it existed)