Dashlane today announced its third annual list of the “Worst Password Offenders.” The list highlights the high-profile individuals and organizations that had the most significant password-related blunders in 2018.

“Passwords are the first line of defense against cyberattacks,” said Emmanuel Schalit, CEO of Dashlane. “Weak passwords, reused passwords, and poor organizational password management can easily put sensitive information at risk.”

Dashlane found that the average internet user has over 200 digital accounts that require passwords, and the company projects this figure to double to 400 in the next five years. “The sheer number of accounts requiring passwords means everyone is prone to make the same mistakes as the Password Offenders,” states Schalit. “We hope our list serves as a wake-up call to everyone to follow the best password security practices.”

Worst passwords of 2018? These "password offenders" lead the pack

Dashlane’s “Worst Password Offenders” of 2018, from worst to best:     

  1. Kanye West: Kanye is no stranger to controversy and attained even more notoriety this year when he was captured unlocking his iPhone with the passcode “000000” during his infamous meeting at the White House. Having a weak passcode is risky enough, but brazenly flaunting poor password practices in a room full of TV cameras is as bad as it gets. To put it gently, Kanye needs to lockdown his passwords and make them better, faster, stronger.
  2. The Pentagon: It’s a shame that the Department of Defense holds the #2 spot this year (up two spots from #4 in last year’s list), but a devastating audit by the Government Accountability Office (GAO) found numerous cybersecurity vulnerabilities in several of the Pentagon’s systems. Among the disturbing issues was that a GAO audit team was able to guess admin passwords in just nine seconds, as well as the discovery that software for multiple weapons systems was protected by default passwords that any member of the public could have found through a basic Google search.
  3. Cryptocurrency owners: As the value of cryptocurrencies reached record levels at the beginning of the year, scores of crypto owners had the potential to cash out—if they could remember their passwords. The news cycle was rife with reports of people resorting to desperate measures (including hiring hypnotists) to attempt to recover/remember the forgotten passwords to their digital wallets.
  4. Nutella: Nutella came under fire for giving some of the nuttiest password advice of the year as the beloved hazelnut-and-chocolate spread company encouraged its Twitter followers to use “Nutella” as their password. As if the advice wasn’t bad enough, the company sent out the ill-advised tweet to celebrate World Password Day.
  5. U.K. Law Firms: Researchers in the United Kingdom found over one million corporate email and password combinations from 500 of the country’s top law firms available on the dark web. Making matters worse, most of the credentials were stored in plaintext.
  6. Texas: Everything is bigger in Texas, including the cybersecurity gaffes. The Lone Star State left over 14 million voter records exposed on a server that wasn’t password protected. This blunder meant that sensitive personal information from 77% of the state’s registered voters, including addresses and voter history, was left vulnerable.
  7. White House Staff: Last year, two White House officials made our list: President Trump took the (un)coveted title of 2017’s Worst Password Offender for a variety of poor cybersecurity habits, while Sean Spicer was included for tweeting his password. This year they passed the baton to another staffer who made the mistake of writing down his email login and password on official White House stationery. This mistake was exacerbated as he accidentally left the document at a Washington, D.C. bus stop.
  8. Google: The search engine giant has historically been buttoned up in terms of cybersecurity, but this year, an engineering student from Kerala, India hacked one of their pages and got access to a TV broadcast satellite. The student didn’t even need to guess or hack credentials; he logged in to the Google admin pages on his mobile device in using a blank username and password.
  9. United Nations: The organization tasked with maintaining international peace has a security problem. U.N. staff were using Trello, Jira, and Google Docs to collaborate on projects, but forgot to password protect many of their documents. This meant anyone with the correct link could access secret plans, international communications, and plaintext passwords.
  10. University of Cambridge: A plaintext password left on GitHub allowed anyone to access the data of millions of people being studied by the university’s researchers. The data was being extracted from the Facebook quiz app myPersonality and contained the personal details of Facebook users, including intimate answers to psychological tests.

Learn from the mistakes of this year’s Password Offenders:

  1. Password protect all accounts: Whether it’s a server, email account, or an app, you should always secure your data with passwords as they’re the first, and often only, line of defense between hackers and your personal information.
  2. Use strong passwords: Never use passwords that are easy to guess or that contain names, proper nouns, or things people can easily research about you—like your favorite hazelnut spread! All your passwords should be longer than eight characters and include a mix of random letters, numbers, and symbols. Even better, use a generator to come up with them for you.
  3. Never reuse passwords: Every one of your accounts needs a unique password. The risk in password reuse is that hackers can use passwords from compromised accounts to easily access other accounts. The only protection against this is to have a different password for every account.