Dashlane, the award-winning password manager, and one of the world’s most trusted digital security companies, today announced its second annual list of the Worst Password Offenders. The rankings highlight the high-profile people and organizations that suffered the most significant password-related blunders of 2017.
While the violators on this list vary, they all showcase that common password mistakes can cause great embarrassment and economic loss, and that the aftermath of a breach can often be prevented. Most people make the same simple errors that these offenders made, such as using weak passwords or reusing passwords for multiple accounts. And, now that Equifax has exposed the data of nearly 150 million people, using a unique password for every account has become the duty of every person and business using the Internet.
Learn how to prevent common hacks here: https://blog.dashlane.com/year-of-the-hack
Dashlane’s Worst Password Offenders of 2017, in order of rank:
- Donald Trump: The President tops this year’s list of offenders, and for good reason. As a person who has continually lamented the cybersecurity woes of his opponents, and trumpeted his own, his leadership in this area leaves much to be desired. For starters, a January investigation by UK outlet Channel 4 News exposed that many of the top staff members Trump handpicked, including multiple cabinet secretaries, senior policy directors – even cybersecurity advisor Rudy Giuliani – were reusing insecure, simple passwords. These passwords were used across multiple websites, as well as for their personal email accounts, and were believed to have been part of a slew of breaches that occurred between 2012 and 2016. This revelation is not to be taken lightly, and signals that a president who touts his cybersecurity prowess may have added numerous cyber vulnerabilities to the nation’s highest office. Trump also has direct connections to three of our other Top 10 offenders (Republican Party, Paul Manafort, Sean Spicer), which suggests he has never implemented proper cybersecurity protocols in any of his positions. Lastly, numerous Trump Organization websites were hacked this year, and a multitude of leading security experts questioned the security of his Twitter devices and accounts.
- Equifax: The Equifax breaches of 2017 allowed cybercriminals to access the personal information of nearly 150 million people in the US, UK, and Canada. Pouring salt in the wound was the additional discovery by security researcher Brian Krebs that the company was using the username/password combination “admin/admin” for some of its online portals. Although the cause(s) of the breaches are still unknown, it’s clear that Equifax’s egregious password practices put the personal information of millions around the world at risk.
- UK Government: A June investigation by The Times found that Russian hackers were trading thousands of passwords belonging to UK government officials. Affected parties included MPs, parliamentary staff, and officials in the Foreign Office, including the head of IT. Most of the passwords were stolen from previous breaches, and because they remained unchanged after the breaches, the Russian hackers had easy access to their accounts. Perhaps the most concerning element of the report was that the most popular password for these officials was…you guessed it: “password.” In an unrelated December incident, multiple MPs tweeted that they routinely share their passwords. They were defending a colleague they believe was falsely accused of an offense, but as security researcher Troy Hunt stated, the incident “…illustrates a fundamental lack of privacy and security education.” Insecure password sharing increases infosec risks and undoubtedly leaves these MPs, as well as Parliament, susceptible to a variety of cyber dangers.
- Department of Defense: Defense contractor Booz Allen Hamilton left the Pentagon severely exposed by leaving critical files on a non-password protected Amazon server. Included in the exposed data were several unencrypted passwords that could have been used to access classified D.O.D. information.
- Republican Party: One of the GOP’s data analytics firms accidentally leaked the personal details of 198 million Americans – roughly the entire voting-age population. One cybersecurity expert described the leak as a “gold mine for anyone looking to target and manipulate voters.” Much like the Pentagon hack, the firm was storing data on a non-password protected server.
- Google: A wide-scale phishing attack in May compromised an unknown number of Google users’ login credentials. The attack sent users to a real Google sign-in screen and captured their credentials when the user gave permission to a third-party app. Although Google swiftly resolved the issue, it highlights the password-related dangers that come with phishing attacks, as well as the need for extra vigilance by both users and companies regarding app access.
- HBO: Your favorite Sunday night lineup provider was hit by a variety of hacks and breaches in 2017. These ranged from the leaks of episodes and stars’ personal information, to the network’s social media accounts getting hacked. Spoiler alert: HBO was treating cybersecurity lightly. After the litany of incidents, employees came forward with reports of terrible cybersecurity practices, including the reuse of passwords for personal and work accounts.
- Imgur: The cause of this recent breach is still unknown, but the company admitted that at the time of the hack it was using an outdated algorithm to encrypt its users’ passwords. Although it updated its encryption last year, the damage was already done as 1.7 million user passwords were potentially compromised.
- Paul Manafort: Donald Trump’s recently indicted campaign manager appears to be a James Bond fan, as he was using ‘Bond007’ as his password for multiple personal accounts, including Dropbox and Adobe. The dangers of password reuse are real, and the fact that he and so many Trump associates are on this list is unsettling.
- Sean Spicer: Remember him? The least critical incident on our list is still of note, as the former Press Secretary sent numerous Tweets of what appeared to be his very own passwords. His copying and pasting mistakes highlight the need for password managers that can automatically log you in, leaving no data stuck on the clipboard. Or podium.
How to Become a Security Celebrity
It may seem easy to call out the unhealthy habits of public figures, but if you’ve found yourself committing any of the same cybersecurity sins as the offenders on our list, you are at risk too.
Here are the top three lessons to learn from the 2017 incidents:
- Actually Use Passwords: This one seems obvious, but as our list shows, it’s not always followed. Whether on a server, in an email account, or in an app, you should always secure your data with passwords as they’re the first, and often only, line of defense between hackers and your personal information.
- Use Strong Passwords: Never use passwords that are easy to guess, or that contain names, proper nouns, or things people can easily research about you. All of your passwords should be longer than eight characters and include a mix of random letters, numbers, and symbols. Use a password generator to think of them for you.
- Never Reuse Passwords: Each and every one of your accounts needs a unique password. As our offenders underscored, the risk in password reuse is that hackers can use passwords from compromised accounts to easily access other accounts. The only protection against this is to have a different password for every account.
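As an added illustration of these three lessons (example code written for this page, not Dashlane’s own), the Python below audits a constructed, hypothetical vault: it flags passwords that are too short, lack a mix of character classes, appear on a small constructed common-password list or contain a guessable personal term, reports reuse across accounts, and generates a compliant replacement from the operating system’s CSPRNG.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault for the demo; account names and passwords are hypothetical.
SAMPLE_VAULT = {
    "dropbox": "Bond007",
    "adobe": "Bond007",            # same password as dropbox: reuse
    "admin-portal": "admin",
    "webmail": "password",
    "bank": "vR7$k2!pLq9#mZ",      # the only entry that should pass
}

# Tiny constructed denylist; a real tool would use a breached-password corpus.
COMMON = {"password", "admin", "123456", "qwerty"}
CLASSES = {"letters": string.ascii_letters, "digits": string.digits, "symbols": string.punctuation}


def weaknesses(pw: str, personal_terms=()) -> list:
    """Return the rule violations for one password; an empty list means it passes."""
    problems = []
    if len(pw) <= 8:                       # the lesson: longer than eight characters
        problems.append("too short (must be longer than 8 characters)")
    missing = [name for name, chars in CLASSES.items() if not any(c in chars for c in pw)]
    if missing:                            # the lesson: mix letters, numbers and symbols
        problems.append("missing " + "/".join(missing))
    low = pw.lower()
    if low in COMMON:
        problems.append("on the common-password list")
    for term in personal_terms:            # names, hobbies, anything researchable about you
        if term.lower() in low:
            problems.append(f"contains guessable term '{term}'")
    return problems


def audit(vault: dict, personal_terms=()) -> dict:
    """Map each account to its problems; reuse is reported on every account sharing the password."""
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    report = {}
    for account, pw in vault.items():
        problems = weaknesses(pw, personal_terms)
        others = [a for a in by_password[pw] if a != account]
        if others:
            problems.append("reused on: " + ", ".join(others))
        report[account] = problems
    return report


def generate(length: int = 16) -> str:
    """Random password from the OS CSPRNG, resampled until it satisfies weaknesses()."""
    alphabet = "".join(CLASSES.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(pw):
            return pw
```

Running `audit(SAMPLE_VAULT, personal_terms=["bond"])` leaves only the `bank` entry with an empty problem list; every other account gets at least one finding, and the two Bond007 accounts each name the other under reuse.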
Password managers like Dashlane can help protect you on any device. In addition to creating strong, unique passwords for all of your accounts, Dashlane ensures you’re not reusing passwords for multiple accounts, alerts you when breaches occur, and lets you change your passwords automatically in one click.