Dashlane put together a list of the top 10 worst 2018 password offenders. People, states, and companies make the list.
Password Offenders
- Kanye West: In his infamous meeting at the White House, a camera captured him unlocking his iPhone with the passcode “000000.”
- The Pentagon: An audit by the Government Accountability Office (GAO) found numerous cybersecurity vulnerabilities in several of the Pentagon’s systems. The auditors were able to guess admin passwords in just nine seconds.
- Cryptocurrency Owners: The news cycle was rife with reports of people resorting to desperate measures (including hiring hypnotists) to attempt to recover/remember the forgotten passwords to their digital wallets.
- Nutella: Nutella came under fire when the company encouraged its Twitter followers to use “Nutella” as their password. As if the advice wasn’t bad enough, the company sent out the ill-advised tweet to celebrate World Password Day.
- U.K. Law Firms: Researchers in the United Kingdom found over one million corporate email and password combinations from 500 of the country’s top law firms available on the dark web. Making matters worse, most of the credentials were stored in plaintext.
- Texas: The Lone Star State left over 14 million voter records exposed on a server that wasn’t password protected. This blunder meant that sensitive personal information from 77% of the state’s registered voters, including addresses and voter history, was left vulnerable.
- White House Staff: This year a staffer made the mistake of writing down his email login and password on official White House stationery. This mistake was exacerbated as he accidentally left the document at a Washington, D.C. bus stop.
- Google: An engineering student from Kerala, India hacked one of Google’s admin pages and got access to a TV broadcast satellite. The student didn’t even need to guess or crack credentials; he logged in to the Google admin pages on his mobile device using a blank username and password.
- United Nations: The organization tasked with maintaining international peace has a security problem. U.N. staff were using Trello, Jira, and Google Docs to collaborate on projects, but forgot to password protect many of their documents.
- University of Cambridge: A plaintext password left on GitHub allowed anyone to access the data of millions of people being studied by the university’s researchers.
It’s ironic that the Pentagon wants to store classified military secrets in the cloud when they don’t use strong passwords.
Andrew:
Some of this is startling. For example, the White House staffer: you don’t write down your login and password and leave it at the bus stop; you leave it in a taxi. Everybody knows that.
Actually, most of this is not surprising, even if disappointing. Universities and the private sector are notorious for individuals having poor to effectively non-existent passwords, and/or using the same password for nearly everything. This is especially true, in my experience, amongst people who’ve been using computers for many years. Old habits die hard.
As for the Pentagon, there are no excuses. Many government agencies worldwide use strong encryption generators that can daily change passwords, making it extremely difficult to compromise their systems. Some courts-martial may be in order.