Article Details

McDonald's is not lovin' your bigmac, happymeal, and mcnuggets passwords. Your favorite menu item might be easy to remember but it will not secure your account. Change Your Password Day took place over the weekend, and in case you doubt the need to improve this most basic element of cybersecurity hygiene, even McDonald's – yes, the fast food chain – is urging people to get more creative when it comes to passwords.  McDonald's Netherlands operations took the opportunity on Sunday to let customers know that, when it comes to choosing a password that's easy to remember, they ought not to pick the names of its products like hundreds of thousands of other people around the world.  Drawing on data from Have I Been Pwned, McDonald's said that "bigmac" and its leetspeak variants were found more than 110,922 times in the site's compromised password corpus. Other products, like "happymeal," "mcnuggets," and the generic-but-still-applicable "frenchfries" were also common, and when special character substitutions are included they occur even more frequently. It's not unusual for internet users to take an easy-to-remember word or two and swap out an @ for an A, a 1 for an I, or other substitutions – which is part of the point McDonald's is trying to make. Youtube Video The video also shows advertisements placed in Dutch subway stations and other public spaces informing burger lovers that even though Ch!ck3nMcN4gg€t$ might seem like a great password, it isn't. "You're lovin' it," McDonald's tells passers-by, "but hackers too."  Simple character substitution may have been good advice back at the turn of the century, but nowadays world+dog knows the basic rules for such swaps, meaning they're not a great idea, and a brute-force attempt to crack an account is going to have all of those substituted passwords in its dictionary of stuff to try. And while El Reg readers are tech-savvy enough to use long passphrases, randomized passwords, biometrics, MFA and a password manager - making life difficult for the legions of cybercriminals relying on laziness to break into accounts - most people aren't. As Google noted last summer, most normies are still relying on old-fashioned security measures, like nothing but a password and maybe a second authentication factor if their IT administrator is lucky. Many resist moving beyond the password as the be-all, end-all of account security. The younger generation isn't any better – Google notes they might make more use of modern security tools, however, their passwords are still by and large the same garbage that everyone's been using since the dawn of the internet. 123456 and password? Some admin users are guilty of this too. So following Change Your Password Day 2026, let's all take a tip from the Golden Arches and keep those passwords a bit more secure, but don't stop there. Implement all the account security best practices you can find while you're at it.