McDonald's is not lovin' your bigmac, happymeal, and mcnuggets passwords
- Reference: 1770051953
- News link: https://www.theregister.co.uk/2026/02/02/mcdonalds_password_advice/
McDonald's Netherlands operations took the opportunity on Sunday to let customers know that, when it comes to choosing a password that's easy to remember, they ought not to pick the names of its products like hundreds of thousands of other people around the world.
Drawing on data from Have I Been Pwned, McDonald's [1]said that "bigmac" and its leetspeak variants were found more than 110,922 times in the site's compromised password corpus. Other products, like "happymeal," "mcnuggets," and the generic-but-still-applicable "frenchfries" were also common, and when special character substitutions are included they occur even more frequently.
It's not unusual for internet users to take an easy-to-remember word or two and swap out an @ for an A, a 1 for an I, or other substitutions – which is part of the point McDonald's is trying to make.
[5]YouTube video
The video also shows advertisements placed in Dutch subway stations and other public spaces informing burger lovers that even though Ch!ck3nMcN4gg€t$ might seem like a great password, it isn't.
"You're lovin' it," McDonald's tells passers-by, "but hackers too."
Simple character substitution may have been good advice back [7]at the turn of the century, but nowadays world+dog knows the basic rules for such swaps, meaning they're not a great idea, and a brute-force attempt to crack an account is going to have all of those substituted passwords in its dictionary of stuff to try.
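An added example (not from the article or from McDonald's) of a signup-time check that folds common substitutions back to letters before comparing a candidate password against a denylist seeded with the product names mentioned above. The substitution table, the function names and the one-character tolerance for longer words are assumptions of this sketch; the tolerance exists because the campaign's own Ch!ck3nMcN4gg€t$ decodes to "mcnaggets" under the usual 4→a mapping.

```python
import re

# Common substitutions, constructed for this example (not exhaustive).
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "€": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})

# Denylist seeded with the product names the article lists.
DENYLIST = {"bigmac", "happymeal", "mcnuggets", "frenchfries"}


def normalize(password: str) -> str:
    """Lowercase, undo substitutions, then drop everything that is not a-z."""
    folded = password.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", folded)


def _near(window: str, word: str, max_miss: int) -> bool:
    """True if two equal-length strings differ in at most max_miss positions."""
    return sum(a != b for a, b in zip(window, word)) <= max_miss


def find_denylisted(password: str, denylist=DENYLIST) -> list:
    """Return the denylisted words hidden inside a password, sorted."""
    text = normalize(password)
    hits = []
    for word in sorted(denylist):
        # Longer words tolerate one mismatch, which catches ambiguous swaps
        # such as 4 standing in for "u"; short words must match exactly
        # to keep false positives down.
        max_miss = 1 if len(word) >= 8 else 0
        for i in range(len(text) - len(word) + 1):
            if _near(text[i:i + len(word)], word, max_miss):
                hits.append(word)
                break
    return hits


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["B1gM@c2026", "Ch!ck3nMcN4gg€t$", "correct horse battery staple"]:
        print(candidate, "->", find_denylisted(candidate) or "no denylisted word")
```

An empty result only means the password avoids these particular words; it says nothing about whether the password appears in a breached-password corpus.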
And while El Reg readers are tech-savvy enough to use long passphrases, randomized passwords, biometrics, MFA and a password manager - making life difficult for the legions of cybercriminals relying on laziness to break into accounts - most people aren't.
As Google noted last summer, [12]most normies are still relying on old-fashioned security measures, like nothing but a password and maybe a second authentication factor if their IT administrator is lucky. Many resist moving beyond the password as the be-all, end-all of account security.
The younger generation isn't any better – Google notes they might make more use of modern security tools, but their passwords are still by and large [13]the same garbage that everyone's been using since the dawn of the internet.
123456 and password? Some admin users are guilty of this too.
So following Change Your Password Day 2026, let's all take a tip from the Golden Arches and keep those passwords a bit more secure, but don't stop there. Implement all the account security [15]best practices you can find while you're at it. ®
[1] https://www.prnewswire.com/news-releases/bigmac-frequently-used-as-a-password-mcdonalds-draws-attention-to-predictable-logins-302675740.html
[5] https://www.youtube.com/watch?v=T4IcbQIyjCM
[7] https://www.theregister.com/2004/05/28/password_advice/
[8] https://www.theregister.com/2025/08/29/pudu_robots_hackable/
[9] https://www.theregister.com/2025/08/20/mcdonalds_terrible_security/
[10] https://www.theregister.com/2024/10/29/copyright_office_mcdonalds/
[11] https://www.theregister.com/2024/06/17/mcdonalds_ai_drivethru/
[12] https://blog.google/innovation-and-ai/technology/safety-security/google-survey-digital-security-2025/#:~:text=Security%20practices%20differ%20by%20generation,move%20away%20from%20legacy%20methods.
[13] https://www.theregister.com/2025/11/18/zoomer_passwords/
[15] https://www.nist.gov/cybersecurity/how-do-i-create-good-password
> realtek 8019
Yeah, a "real" tech would use the MD5 Hash!
=> a230e35259613fb10caa90b45d39e987
[Icon: I've really gotta get out more...]
Why would any sentient being make an account at any big corp?
Because they have good food and you go there all the time? (Obviously I'm not talking about McDonald's)
It's easier at one of the local restaurants to sit at a table and order online than stand at the counter and order. You sit down, scan the QR for your table, and their ordering website is really well done and easy to use. I've been waiting for them to screw it up, but they actually implemented two of my suggestions for improvement.
Also keeps me from punching the fucktards that stand 20ft from the counter then insist they're in line when I step up.
"You sit down, scan the QR for your table, and their ordering website is really well done and easy to use."
I've dated a few nice ladies that were working as waitresses at local restaurants. You won't see a QR code for that.
Complex passwords are only relevant if the database or hashes get dumped
Therefore I am going to rely on megacorp's infosec team to do their job and I will stick with 'nugget2nugget'. It's a risk I am willing to take!
Re: Complex passwords are only relevant if the database or hashes get dumped
Before you trust your favourite web service to have sensible rate-limiting on login, stop and think about the last time you couldn't login because somebody else was already trying to
Insanity
Nobody, NOBODY should ever need a password to order a goddamn hamburger.
That everyone just accepts the absurdity of this situation is... insanity.
Now where are my Big Ass Fries?©®™
Re: Insanity
The vast majority of online activities have no need for a password. It's just that the people who run these bloody places can't bear the idea of anyone purchasing their product anonymously.
That said... I will not use any retailer, food or otherwise, who both maintain a physical retail space and require me to use a mobile phone to purchase things.
I know other people's tastes differ. These are mine.
Re: Insanity
This makes me wonder what the Donald's password is, as he is reported to like this stuff.
On the flipside
The McDonald's app insists on 2FA just so I can avail of some stupid hamburger deal. If there was any reason their app had to be protected for some niche reason (e.g. maybe some people order through the app) they should protect that rather than the innocuous stuff, i.e. sometimes security has to be proportionate to what it is protecting.
Re: On the flipside
"Sometimes security has to be proportionate to what it is protecting."
And when it comes to your wallet, I'd say that was worth protecting.
Re: On the flipside
"And when it comes to your wallet, I'd say that was worth protecting."
So maybe it's much safer to just pay cash when you are keen on poisoning yourself.
"Double/Double with grilled onions, light tomato and a large pink lemonade". No fries, but it would be great if you started selling cookies, Lynsee!
Re: On the flipside
> Lynsee
Didn't she used to work down the local restaurant? Nice lady. A waitress, no QR code IIRC. Just cash you say? :D
Ho Hum
A) So McDonald's sudden interest in password security includes looking at the passwords. Bork!
B) I don't care if someone were to use my McD account to order food that they pay for.
C) Garbage in.
Re: Ho Hum
> So McDonald's sudden interest in password security includes looking at the passwords. Bork!
I think you might have misunderstood. They looked at known compromised passwords. eg. "bigmac"
>> Drawing on data from Have I Been Pwned, McDonald's said...
Re: Ho Hum
> So McDonald's sudden interest in password security includes looking at the passwords.
So can you, or anybody. "Drawing on data from Have I Been Pwned, McDonald's said...."
It may be narcissistic to look for yourself in Have I Been Pwned, like Googling yourself, but it's not a security breach.
EDIT: ninjaed 3 minutes by Pickle Rick.
Re: Ho Hum
> It may be narcissistic to look for yourself in Have I Been Pwned
For a good number of commentards I'd say it's professional due diligence.
> EDIT: ninjaed 3 minutes by Pickle Rick.
Ninjas! They're everywhere!
Best password is no password?
Long ago, when dial-up was precious, the university made us log-in on the dial-up servers. Keep the non-matriculated riff-raff out. This was very important to them!
I was helping Floyd with another problem and asked him to connect.
Flink-flink he was in! I was logging into dialup a dozen times a day and I knew he could not type that fast.
He explained that when it prompted "PASSWORD?" he could just press ENTER and he was in.
When I tracked down who was in charge of the dial-ups he was like OMG WTF and thanked me profusely.
I would never use bigmac as a password, or happymeal.
It would be like using realtek 8019 or 8139 as a password...