Every year, Change Your Password Day comes and goes with a lot of well meaning advice that most people ignore. This time, McDonald’s Netherlands found a way to make the message stick, and it did it with a slightly embarrassing stat. You see, according to data pulled from the breach tracking site Have I Been Pwned, the password “bigmac” has been used more than 110,000 times. Yes, really. That is over a hundred thousand people who thought naming their password after a fast food sandwich was a good idea.
McDonald’s decided to lean into the absurdity to make a serious point. People still choose passwords that are easy to remember, predictable, and often tied to things they like. Pets, kids, partners, hobbies, and favorite brands all show up again and again in breached databases. The problem is not just that these passwords are lazy. It is that attackers know exactly where to look first.
The Big Mac example is funny, but it is also a perfect illustration of how human brains work against security. People are tired of passwords. They want something they can remember without thinking. So they reach for familiar words, even when those words are shared by millions of other people. When one site gets breached, those passwords do not stay contained. They spread, get traded, and get reused in automated attacks across other services.
The data does not stop at Big Mac either. Other McDonald’s themed passwords apparently show up in the same datasets, including “frenchfries,” “happymeal,” and “mcnuggets,” all used tens of thousands of times. Many of them include numbers or special characters, but that does not really help when the base word is still obvious. Swapping an a for an @ or adding a 123 at the end does not make a password strong anymore, if it ever did.
This is where the message from McDonald’s actually lands, folks. It is not just about fast food passwords. It is about how outdated most people’s mental model of security still is. A lot of users think that as long as a password has a number and a symbol, it is fine. In reality, attackers do not guess passwords one at a time like in the movies. They run huge automated lists pulled straight from past breaches. If your password has ever existed in a leak, it is already on that list.
The rise in data breaches over the last few years has made this problem worse, not better. Every breach feeds the next one. Even people who think they are being careful can get caught if they reuse passwords across sites. One compromised forum account can lead to email access, cloud storage access, or even financial accounts if the same credentials are reused. That is how small mistakes turn into expensive messes.
What makes this campaign smart is that it does not talk down to people. It does not use fear or technical jargon. It just holds up a mirror and lets people laugh at themselves a little. If you would not put “bigmac” on your luggage as a lock combination, you probably should not use it to protect your online life either.
The reality is that strong passwords are no longer something most people should even be creating manually. Password managers exist for a reason. They generate long, random strings that you never have to remember, and they prevent reuse by default. Pair that with two factor authentication, and the entire risk profile changes. Suddenly, a leaked password alone is useless to an attacker.
Change Your Password Day is supposed to be a reminder, but reminders only work if they cut through the noise. Using a Big Mac as the example is silly enough to stick, and that might be exactly why this one works. If it gets even a small number of people to stop using brand names, pet names, or family names as passwords, it will have done more than most awareness campaigns ever do.
If you are reading this and even slightly wondering whether one of your passwords might be on that list, that is your cue. Change it. Better yet, change all of them and let a password manager handle it going forward. Your future self will thank you, and you will never have to worry about whether your login is being protected by a hamburger again.
