Companies and individuals should take a lesson from US water utilities and choose something other than “1111” as their password for internet-accessible devices.

According to Fast Company, the National Security Council said a recent attack on US water utilities by Iran-backed hackers targeted extremely novice security mistakes. While the attack did not compromise critical systems, the outlet reports that the devices that were compromised were using the default “1111” password.

“We’re seeing companies and critical services facing increased cyber threats from malicious criminals and countries,” Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, told Fast Company. 

Unfortunately, US water utilities are hardly unique in their use of weak passwords. In fact, according to NordPass, the vast majority of the top 200 passwords take less than one second to crack. Below is the top 10, all of which can be cracked in under a second:

• 123456
• admin
• 12345678
• 123456789
• 1234
• 12345
• password
• 123
• Aa123456
• 1234567890

Weak passwords clearly are still a widespread issue, but it is somewhat concerning that critical infrastructure is plagued by the problem as well. As Neuberger told Fast Company, there’s still much to do to improve the situation.

“Clearly, by the most recent success of the criminal cyberattacks, more work needs to be done,” she said.