Jump to content

2018's worst password fails revealed


Recommended Posts

Despite newer technologies, most of us still rely on passwords to secure our accounts. We are not, however, very good at choosing them or looking after them.


Password management company Dashlane has produced a list of the 10 worst password fails of 2018.


1. Topping the list is Kanye West who was caught unlocking his iPhone with the passcode '000000' during his White House meeting with Donald Trump.
2. In second place is the US Department of Defense. An audit by the Government Accountability Office (GAO) found numerous cybersecurity vulnerabilities in several of the Pentagon's systems. Among the disturbing issues was that a GAO audit team was able to guess admin passwords in just nine seconds, as well as the discovery that software for multiple weapons systems was protected by default passwords that any member of the public could have found through a basic Google search.
3. As the value of cryptocurrencies reached record levels at the beginning of the year, scores of crypto owners had the potential to cash out -- if they could remember their passwords. The news was full of reports of people resorting to desperate measures (including hiring hypnotists) to attempt to recover/remember the forgotten passwords to their digital wallets.
4. Food brand Nutella came under fire for giving some nutty password advice as the beloved hazelnut-and-chocolate spread company encouraged its Twitter followers to use 'Nutella' as their password. Worse still, the company sent out the ill-advised tweet on World Password Day.
5. Researchers in the UK found over one million corporate email and password combinations from 500 of the country’s top law firms available on the dark web. Making matters worse, most of the credentials were stored in plaintext.
6. The state of Texas left over 14 million voter records exposed on a server that wasn't password protected. This blunder meant that sensitive personal information from 77 percent of the state’s registered voters, including addresses and voter history, was left vulnerable.
7. A White House staffer made the mistake of writing down his email login and password on official White House stationery. This mistake was exacerbated by his accidentally leaving the document at a Washington, D.C. bus stop.
8. Google takes eighth place in the list as an engineering student from Kerala, India hacked one of its pages and got access to a TV broadcast satellite. The student didn't even need to guess or hack credentials -- he logged in to the Google admin pages on his mobile device in using a blank username and password.
9. United Nations staff were using Trello, Jira, and Google Docs to collaborate on projects, but they forgot to password protect many of their documents. This meant anyone with the correct link could access secret plans, international communications, and plain text passwords.
10. Tenth place goes to prestigious seat of learning the University of Cambridge. A plain text password left on GitHub allowed anyone to access the data of millions of people being studied by the university's researchers. The data was being extracted from the Facebook quiz app myPersonality and contained the personal details of Facebook users, including intimate answers to psychological tests.
2018 password fails
Link to comment
Share on other sites

  • Replies 2
  • Views 350
  • Created
  • Last Reply

Worst Password Blunders of 2018 Hit Organizations East and West


Good password practices remain elusive as Dashlane's latest list of the worst password blunders can attest.


When it comes to security, there are many things humans do badly. A new end-of-the-year list provides a new batch of evidence that passwords are among the worst.

The "Worst Password Offenders of 2018," assembled by password management vendor Dashlane, goes from the ridiculous to the horrifying.

The No. 1 offender on the list is the former, Kanye West, who shared his password — 000000 — on television as he unlocked his iPhone to show the screen to President Trump during an Oval Office meeting.

The remainder of the top 10 offenders lean heavily toward government or quasi-government agencies, with the second offender one of the most worrying: the Pentagon. A Government Accountability Office (GAO) audit found that many system admin passwords could be guessed in as few as nine seconds, and " ... software for multiple weapons systems was protected by default passwords," according to Dashlane. Those passwords, the GAO noted, could be found by anyone with a knowledge of the systems' manufacturers and a working understanding of how Google works.

"Unfortunately, changing the default password wouldn't make a huge difference," says Emmanuel Schalit, CEO of Dashlane. He notes that the most significant issue is a limitation of the human brain. "The most important thing you can do as an individual is to never reuse passwords," he says. "Always have a different password for every different service."

That reuse becomes challenging, Schalit explains, because "the average consumer has 200 passwords, and it's impossible to manage them all without technology to help manage the digital identity."

Other offenders on the list include Cambridge University, for exposing records of thousands of experimental subjects because a password was left in a Github repository, and Nutella, for suggesting that its Twitter followers use the word "Nutella" as their passwords as a "helpful" suggestion on National Password Day.

Some have promoted the use of two-factor authentication (2FA) as a way to reduce the impact of poor password hygiene. Schalit, too, says two factors should be used wherever possible, though its overall effectiveness is limited by two major factors. The first is that 2FA isn't available for many services, he points out.

Second, even where it is available, 2FA frequently uses SMS as part of the second factor, and " ... it only costs a few dollars to buy the text messages of an individual," Schalit says.

It's important that individuals work to improve their digital practices, he adds, because the issues with secure digital identities go beyond personal finance. "It's not an individual issue anymore — it's a global issue," he says. "Whenever one of us is breached or compromised, that doesn't just impact the individual. It starts to erode the very fabric of the Internet when it becomes too dangerous, too risky."




Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...