Password management company Dashlane has announced its fourth annual list of the “Worst Password Offenders.” The list highlights the high-profile individuals and organizations that had the most significant password-related blunders in 2019.
Big Tech and regulation have been at the forefront of political and societal conversations, with GDPR and the general election dominating the media. Unfortunately, when companies like Facebook and Google (which took the #1 and #2 spots on this year’s list, respectively) admit to insecure password and cybersecurity-related practices, it’s their users who suffer when credentials are leaked online.
But it’s not just big tech companies making these mistakes; many people can identify with the likes of Lisa Kudrow, who made the list this year for posting a picture on Instagram that showed a Post-It with her password. Dashlane data shows that the average Internet user has over 200 digital accounts that require passwords, a figure projected to double to 400 in the next five years.
“The drudgery of passwords, account creation and recovery, and the fear of what you need to do after a big company data breach are all legitimate concerns for everyone using the internet,” said Dashlane co-founder and CEO, Emmanuel Schalit. “Our Worst Password Offenders list serves as an annual reminder for how easy it is to make a misstep on the web, no matter your status.”
Dashlane’s “Worst Password Offenders” of 2019, beginning with the worst:
- Facebook: In back-to-back incidents earlier this year, Facebook admitted both to exposing passwords belonging to hundreds of millions of users and to breaching user privacy by asking new users for their email passwords and harvesting their contacts without consent. The tech giant brought giant problems on itself by storing account passwords in plaintext within its internal data storage systems for years, violating the basic practice followed by most companies and services of keeping only a salted, one-way hash of each password, so that even an insider with database access cannot read the password itself. Making matters worse, later this year the company also left a server exposed without any password, leaking phone numbers and records of over 400 million users. For a company under increasing scrutiny for how it handles (or mishandles) user data and security, it sure needs a poke in the ribs.
- Google: Not to be outdone by its fellow FAANG's failure, Google also confessed to accidentally storing the passwords of a percentage of its G Suite users in plaintext, and to having done so since 2005. "Accidents" like this have major implications for platforms and their users: exposures can go undetected for years, so you never know when an account might have been compromised. Plaintext passwords give cybercriminals plenty to go on. Beyond the account itself, a leaked password is routinely tried against the victim's other services (credential stuffing), and a single reused password can be enough to wreak havoc on a digital life through credit card fraud or identity theft.
- Lisa Kudrow: The actress got by with a little help from her Friends after she posted a picture on Instagram of her computer monitor, which featured an article about an upcoming role, along with a Post-It with her password. Her savvy followers immediately pointed out the mistake, prompting Kudrow to delete the photo and share a new version with another Post-It poking fun at her own bad password hygiene. Celebs are not the only ones who need to be careful about what they post on social media; take a moment before you hit upload to ensure you aren’t inadvertently publicizing sensitive or personally identifiable information in a post.
- Congressman Lance Gooden: Apparently, Congressman Gooden didn't learn from the mistakes of last year's Worst Password Offender, Kanye West, who unlocked his iPhone with the passcode "000000" during his infamous White House meeting. This year, during Mark Zuckerberg's televised testimony before the House Financial Services Committee, the Republican representative from Texas was caught on camera using "777777" as his passcode. He isn't the only person in politics over the years to commit passé password offenses, which have many calling into question the basic security understanding of elected or appointed officials. In fact, it was reported this year that after Rudy Giuliani was named cybersecurity adviser in 2017, he went to an Apple store for help unlocking his iPhone after he had entered the wrong passcode more than 10 times.
- WeWork: While the debate as to whether or not WeWork is a tech company rages on, one thing is for sure: a tech company should know better than to use the same weak password for its entire global WiFi network. A Fast Company story added to WeWork's fair share of controversies this year, calling out how easy its network password is to guess and how a single password shared across every location puts members at risk: anyone who knows it, member or not, can join the same network the members are working on.
- Elsevier: The publishing company behind a wealth of scientific, technical, and medical journals is yet another example of the unfortunate trend of plaintext password exposure among 2019's Worst Password Offenders. Elsevier left a server open to the public online, exposing email addresses and passwords of users from educational institutions and universities all over the world. The open server also exposed password reset links, which are generated when users ask to change their login credentials; anyone who can read an unexpired link can set a new password on the account without knowing the old one. The exposure is made worse by the pervasive issue of password reuse, since a password leaked from Elsevier is very likely to unlock the same user's accounts elsewhere.
- Virgin Media UK: Things you shouldn't do after your company is found to have stored passwords insecurely? Tweet your very wrong reasoning. After an ethical hacker in the UK forgot the login for his Virgin Media account and requested a password reset, he received his previous password by mail, a clear sign that the company was storing passwords in a recoverable form rather than as one-way hashes: a properly hashed password cannot be sent back to anyone, not even its owner. The hacker took to Twitter to call out Virgin Media, to which they replied: "Posting it to you is secure, as it's illegal to open someone else's mail." Matthew Hughes, a journalist at The Next Web, put it best: "Yes, because criminals don't break laws, right? By that logic, why should I lock my front door? After all, burglary is illegal. And maybe, by extension, we should do away with the police, as breaking laws is illegal."
- GPS Trackers by Shenzhen i365 Tech: GPS trackers designed to help parents keep track of their children instead put them at risk of having real-time location data exposed to strangers, when over half a million users were assigned the easily guessed default password "123456" for their devices. A number of tracker models also had vulnerabilities that allowed third parties to fake a user's location or access the microphone for eavesdropping. So much for parental control.
- Ellen DeGeneres: While the beloved daytime talk show host's bad password joke to her followers may not have received the same blowback as attending a football game with a former President, it does call for a reminder. Do not use "password" (or any form of the word) as your password! After Ellen's Instagram was briefly hacked and used to offer giveaways to followers, she tweeted an apology along with a bad password practice, which is no joke: "My Instagram account was hacked last night (despite my clever password "password")."
- Ashleys: A list released by the UK's National Cyber Security Centre found the name Ashley to be the highest-ranking first name among the most commonly breached passwords, making anyone using it this year's #10 Offender. Never use passwords that are easy to guess or that contain names, proper nouns, or things people can easily research about you. All your passwords should be longer than eight characters and include a mix of random letters, numbers, and symbols. Even better, use a password generator to come up with them for you.
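Several of the entries above (Facebook, Google, Elsevier, Virgin Media) come down to the same engineering mistake: the service kept a password, or a reset link, in a form that anyone who could read the server could use. The following is an added example, not code from Dashlane or any of the companies named, showing the plaintext anti-pattern next to the practice the article refers to: store only a random salt and a slow, salted one-way hash (scrypt from Python's standard library here), so the stored record cannot be turned back into the password, and store password-reset tokens the same way so an exposed token table is not enough to take over accounts. The in-memory dictionaries, usernames, and the 15-minute reset lifetime are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-in for a user table: username -> stored record.
USERS = {}
# Constructed stand-in for a reset-token table: sha256(token) -> (username, expiry).
RESET_TOKENS = {}

# scrypt work factor. n=2**14, r=8 uses about 16 MiB and a noticeable fraction
# of a second per guess, which is the point: offline cracking gets expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
RESET_TTL = 15 * 60  # seconds a reset link stays valid (assumed value)


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_plaintext(username: str, password: str) -> None:
    """The anti-pattern: whoever can read the table can read every password."""
    USERS[username] = {"scheme": "plaintext", "password": password}


def store_hashed(username: str, password: str) -> None:
    """Keep a fresh random salt and the scrypt digest; the password itself is never stored."""
    salt = os.urandom(16)
    USERS[username] = {"scheme": "scrypt", "salt": salt, "digest": _kdf(password, salt)}


def verify(username: str, password: str) -> bool:
    """Check a login attempt. compare_digest avoids leaking the match position via timing."""
    rec = USERS.get(username)
    if rec is None:
        return False
    if rec["scheme"] == "plaintext":
        return hmac.compare_digest(rec["password"], password)
    return hmac.compare_digest(_kdf(password, rec["salt"]), rec["digest"])


def recoverable_password(username: str):
    """What a 'we will mail you your old password' flow needs. It only works when
    the record is plaintext; for a hashed record there is nothing to send back."""
    rec = USERS.get(username)
    if rec is None or rec["scheme"] != "plaintext":
        return None
    return rec["password"]


def issue_reset_token(username: str, now: float = None) -> str:
    """Return a one-time token for the reset link. Only its SHA-256 is stored, so
    reading the table does not yield a usable link. A 256-bit random token does
    not need a slow KDF: it cannot be guessed, unlike a human-chosen password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode("ascii")).hexdigest()] = (username, now + RESET_TTL)
    return token


def redeem_reset_token(token: str, new_password: str, now: float = None) -> bool:
    """Consume the token (single use), reject it if expired, and set a hashed password."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode("ascii")).hexdigest(), None)
    if entry is None:
        return False
    username, expires = entry
    if now > expires:
        return False
    store_hashed(username, new_password)
    return True


if __name__ == "__main__":
    store_plaintext("bob", "hunter2")
    store_hashed("alice", "correct horse battery staple")
    print("bob's password recoverable:", recoverable_password("bob"))
    print("alice's password recoverable:", recoverable_password("alice"))
    print("alice login ok:", verify("alice", "correct horse battery staple"))
```

Two users who pick the same password get different digests because each record has its own salt, so a cracked digest never reveals who else uses that password. The reset flow is the part Elsevier and Virgin Media got wrong in different ways: the token is random, hashed at rest, single use and time-limited, and redeeming it replaces the stored hash rather than disclosing anything.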
3 tips to improve password protection
Learn from the mistakes of this year’s Worst Password Offenders:
- Use different passwords for every account: Password reuse is an epidemic. Repeating the same password across your accounts is a lot like using the same key for your house and your car. If someone gets hold of that key, they have access to everything you want to keep safe. Hackers take passwords from one breached service and automatically try them against other accounts, and with a reused password they get in. The only reliable protection is a different password for every account, so a leak from one site cannot be replayed against another.
- Turn on two-factor authentication (2FA): 2FA adds a second "factor" to your normal login to verify your identity, drawn from a different category than your password. The three categories are something you know (a password or PIN), something you are (facial recognition, a fingerprint, a retina scan), and something you have (a smart card, a security key, your smartphone). Most apps and websites offer a code sent by email or text message; that is far better than nothing, but an authenticator app or a hardware security key is stronger, because text messages can be intercepted by attackers who take over your phone number and an email code is only as safe as the email account it lands in.
- Get a password manager. Now. Ditch the notebook, Excel grid, Post-It, or whichever patented password management “method” you’re currently using. A password manager is one of the best ways to safely and conveniently manage wildly complicated and unique passwords for an unlimited number of accounts, while providing automatic logins and secure autofill of personal and payment information.