Kanye West topped the list of ‘worst password offenders 2018’ for revealing his phone password to the world live on TV during his White House meeting with Donald Trump.
That’s according to password management app Dashlane, which has compiled its third annual list of the worst password-related mistakes from the year.
In a year when cyber incidents have been put further under the spotlight thanks to GDPR, password security has remained surprisingly lax.
Halfway through the year, some were already highlighting how poor password hygiene remained the biggest threat to security.
“Passwords are the first line of defence against cyberattacks,” said Emmanuel Schalit, CEO of Dashlane. “Weak passwords, reused passwords, and poor organisational password management can easily put sensitive information at risk.”
According to Dashlane, the average internet user has over 200 digital accounts that require passwords. By 2023, it expects this number to double to 400.
“The sheer number of accounts requiring passwords means everyone is prone to make the same mistakes as the Password Offenders,” said Schalit.
“We hope our list serves as a wake-up call to everyone to follow the best password security practices.”
Here are the worst password offenders 2018:
1. Kanye West
In October US rapper Kanye West unwittingly revealed to the world that his phone password is ‘000000’ during his meeting with Donald Trump at the White House.
An audit by the Government Accountability Office (GAO) flagged numerous security flaws among some of the Department of Defense’s newest weapon systems. Many passwords took seconds to guess or were not changed from their factory settings.
3. Cryptocurrency owners
Euphoria turned to despair for scores of crypto investors who tried to cash out while cryptocurrency was at a high in March, only to realise they could not remember their password. It even resulted in a hypnotist charging half a Bitcoin to help investors remember their passwords.
The hazelnut chocolate spread brand tried to jump on the World Password Day bandwagon with an ill-advised tweet that suggested users change their password to “Nutella”. The move quickly came under fire from Twitter users, who pointed out that the weak password had already been exposed thousands of times in data breaches. Bizarrely, the tweet is Nutella’s last post since May.
— Nutella (@NutellaGlobal) May 3, 2018
5. UK law firms
Cybersecurity firm RepKnight found 1.16 million email addresses from 500 top UK legal firms exposed on the dark web. A worrying 80% of those email addresses could be matched with passwords exposed during third-party data breaches.
An estimated 14.8 million voter records were left on a server without password protection. Analysis pointed the finger at Republican-focused data analytics firm Data Trust as the company likely to have compiled the original list.
7. White House Staff
A White House staffer wrote his email login and password on official White House stationery. Making things worse, he accidentally left the document at a bus stop in Washington D.C.
An engineering student from Kerala, India, hacked into a Google TV broadcast satellite. He did so without the use of a password because a proxy gave him access to Google’s login backend.
9. United Nations
Highly sensitive internal documents, passwords and technical details were available for all with the right link after the United Nations forgot to encrypt collaborative management service Trello.
10. University of Cambridge
The data of millions, including answers to intimate questions, from quiz app myPersonality were available to anyone who came across the unencrypted password on GitHub. The data was being used by the university’s researchers as part of a study.
Worst password offenders 2018: How to maintain strong password hygiene
Dashlane advises that individuals ensure all of their accounts are password protected, and that their passwords are strong – containing numbers, letters, upper and lower case – and are not reused on multiple accounts.