Site icon Sophos News

Kanye West tops the charts for year’s worst password pratfall

What do Nutella, the Pentagon, Kanye West and cryptocurrency owners have in common?
They’re all really really bad at passwords.
In fact, they’re the top four when it comes to password craptitude, according to an annual list of the worst password offenders put out by password managing app Dashlane. Dashlane released the list on Wednesday. It made us laugh and it made us cry.
Emmanuel Schalit, Dashlane CEO, had this to say in a press release:

Passwords are the first line of defense against cyberattacks. Weak passwords, reused passwords, and poor organizational password management can easily put sensitive information as risk.


Yup, word on that. Here are Dashlane’s top 10 most egregious password offenders for 2018, starting with the worst:

  1. Kanye West: Not only did he expose the president and the media to a 10-minute long, expletive-laced tirade at the White House in October, he also pulled out an iPhone XS to show the assembled throng a picture of the hydrogen-powered aircraft that “our president should be flying in”… and casually unlocked it using the passcode “000000.” As we said at the time, it’s not just that it’s one of the easier passwords to guess – as in, any brute-forcing utility could spot it in fractions of a second. What’s worse is he did it in front of others, while being filmed. Doesn’t matter how tough a password nut you have to crack if you’re being filmed.
  2. The Pentagon: A scathing audit by the Government Accountability Office (GAO) found serious cybersecurity vulnerabilities in several of the Pentagon’s systems: admin passwords that took nine seconds to guess, for one thing, while other passwords were never changed from their factory settings. They found some vulnerabilities that were known but never fixed, and software for multiple weapons systems was protected by default passwords that anybody could find through a basic Google search.
  3. Cryptocurrency owners: According to Dashlane, they’re not all that great at remembering the passwords for their wallets. No wonder some of them have turned to hypnosis to try to unlock those piles of digital gold.
  4. Nutella: Here’s what not to do on World Password Day: tell your Twitter followers to change their password to “Nutella.” …mmmmm …advice that’s so nutty …so chocolatey …so smooth, harebrained and free of password entropy!Keep the luscious Nutella in your mouth and out of your passwords. Make sure to pick proper, tough, hard-to-guess passwords instead of popular brand names. Here’s how.
  5. UK law firms: Researchers discovered file dumps on the dark web that contained 1,159,687 email addresses. Eighty percent of the addresses were connected to leaked passwords and credentials from the UK’s top law firms. The researchers said that most of the credentials weren’t directly stolen from the law firms but were rather collated from third-party data breaches. Let’s hope that the lawyers changed their passwords to unique brutes after any and all of the big data breaches their credentials may have come from: their credentials are guarding a lot of highly sensitive data about court cases.
  6. Texas: Big state, big exposed data cache: 14.8 million voter records were found online, on a server, without a password. Bad? Yes.
  7. White House staff: Last year, Dashlane dubbed President Donald Trump the worst password offender for a slew of bad security habits, such as appointing a cyber security tsar – Rudy Giuliani – whose website had security holes and whose credentials had been hacked away. Meanwhile, his former press secretary, Sean Spicer, made the list for sending multiple tweets of what appeared to be his own cut-and-pasted passwords. This year, Dashlane passed the baton to a White House staffer who reportedly wrote his email login and password on official White House stationery, then left it at a bus stop.
  8. Google: Yup, even the Googleverse has a security black hole. This year, an engineering student from Kerala, India reportedly hacked one of the company’s pages and got access to the internal admin panel of YouTube’s Broadcasting Satellite and YouTube TV. The student didn’t even need to guess or hack credentials given that he didn’t need any. He says he logged in to the Google admin pages on his mobile device by using a blank username and password.
  9. United Nations: Look, we all appreciate that whole “protection of world peace” thing, but you really might want to start with protecting your own documents. UN staffers using Trello, Jira and Google Docs to collaborate on projects left secret documents up online, many of them unprotected by passwords. Anybody with the right link could have gotten at secret plans, international communications, and plaintext passwords.
  10. University of Cambridge: Remember all those personality quizzes that Facebook allowed to eat up users’ data – friends data, in particular, in spite of Facebook having limited the data on users’ friends that developers could get at? (Unless the developer was on a secret whitelist, that is.) Well, one of those quizzes – the popular personality quiz myPersonality – is the 10th worst password blunder on Dashlane’s list. Academics at the University of Cambridge distributed data from myPersonality to hundreds of researchers, then left the credentials to get at the data on GitHub, for four years, free and easy for anybody to access. A simple web search would lead any Joe Schmoe to the working credentials, and hence to users’ data.

Readers, did Dashlane do a good job with the year’s dastardly password d’oh!s? What did it miss, if anything? Let us know below!

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)

Exit mobile version