After a heist worthy of a Netflix documentary rattled Paris and dominated the news cycle, a new story has started to emerge: the password to the Louvre's video surveillance system was 'Louvre'...

Before we begin, there is absolutely no doubt that the Louvre is not the only organisation out there with a questionable password or two, and it's fair to say that the heist itself was carried out by professional criminals (they were in and out in less than 8 minutes). But in the wake of this meticulously executed crime, which has dominated headlines, there's a lesson to be learned, especially for the wider world of business.

France’s national cybersecurity agency found the Louvre’s systems to be outdated, vulnerable, and frankly “trivial” to bypass in 2014 and 2015, yet 10 years later it found that much of that infrastructure remained in use.


‘123456’, ‘admin’, and ‘password’ are among the most used passwords of 2025...

That's according to Comparitech's latest study of over 2 billion real account details recovered from leak forums.

A weak password is an open door for attackers. They don’t need cryptographic tools or advanced exploits; a predictable or reused password is enough to break through your defences. From there, the impact can spread quickly across systems, data, and networks, causing real and lasting damage. Once inside, attackers can:

    • Steal funds and cause immediate financial losses
    • Disrupt operations and bring business to a halt
    • Undermine customer trust and reputation
    • Exploit sensitive data for leverage or competitive gain

And with the global average cost of a data breach reaching $4.88 million, the impact can be felt by businesses large and small.


The play: Get the basics right!

From ensuring your team understands the severity of cyber risks to making multi-factor authentication a requirement, the basics are where protection starts.

“Weak passwords can be cracked in seconds. The longer and more unusual your password is, the harder it is for a cyber criminal to crack.” - National Cyber Security Centre (NCSC)

  1. Enable Multi-Factor Authentication (MFA): 99.9% of compromised accounts don’t have MFA enabled. It’s the cheapest insurance policy you’ll ever buy.
  2. Train your people: Your team is your first line of defence. Make security awareness part of the culture, not a once-a-year slideshow.
  3. Use a password manager: Stop relying on sticky notes and memory. Password managers generate and store strong, unique logins for every system.
  4. Use a passphrase: The National Cyber Security Centre recommends three random words — long enough, strong enough, and easy to remember.
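As an added example (not from the article), a minimal Python policy check implementing two of the points above: it rejects the weak passwords the article names and anything too short, and it shows in bits why an NCSC-style three-random-word passphrase is so much stronger than a single word like 'Louvre'. The word list, its size and the minimum length are constructed assumptions.

```python
import math
import secrets

# Constructed denylist: the weak passwords named in the article. A real
# deployment would check against a large breached-password list instead.
COMMON_PASSWORDS = {"louvre", "123456", "admin", "password"}

# Constructed sample word list; a real list would have thousands of entries.
WORDLIST = ["anchor", "basil", "copper", "drizzle",
            "ember", "falcon", "glacier", "harbour"]
REAL_WORDLIST_SIZE = 7776  # assumption: size of a typical diceware-style list


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return the policy failures for a candidate password.

    An empty list means the password is accepted. The denylist check is
    case-insensitive so 'Louvre' and 'LOUVRE' are treated the same.
    """
    failures = []
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears in the common-password denylist")
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    return failures


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words words chosen uniformly from a wordlist_size list.

    Three words from 7776 give about 38.8 bits; one word gives about 12.9.
    """
    return num_words * math.log2(wordlist_size)


def generate_passphrase(words: list[str], num_words: int = 3) -> str:
    """Join num_words random words using a cryptographically secure RNG."""
    return "-".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    print("Louvre ->", check_password("Louvre"))
    candidate = generate_passphrase(WORDLIST)
    print(candidate, "->", check_password(candidate))
    print("3-word entropy:", round(passphrase_entropy_bits(3, REAL_WORDLIST_SIZE), 1))
```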

With any luck you have already taken the first steps to creating a safer environment for your business both from an IT and culture perspective. So next time you visit the Louvre, at least take comfort knowing your passwords aren’t on display.

But it doesn't stop with a strong password, and what often trips up businesses when threat actors come knocking is the broader complexity those actors look to exploit.

Cybersecurity is a business-wide responsibility. Internal teams can’t be expected to identify and close every gap on their own, which is where a vCISO adds real value.


A virtual Chief Information Security Officer provides your business with access to senior-level expertise, without the overhead of a full-time hire. They work closely with your leadership and teams to develop a clear, actionable security strategy, prioritising risks, closing gaps, and creating a roadmap that keeps your organisation protected today and ready for tomorrow.