Kanye West, UK Law Firms and Crypto Owners Among 2018’s ‘Worst Password Offenders’
Weak passwords, reused passwords and poor organisational password management can easily put sensitive information at risk, password manager app Dashlane warns.
The ‘worst password offenders’ of 2018 have been named, including Kanye West, the Pentagon and Nutella.
The list, compiled by password manager app Dashlane, highlights the high-profile individuals and organisations that supposedly had the most significant password-related blunders in 2018.
Emmanuel Schalit, CEO of Dashlane, said: “Passwords are the first line of defence against cyber attacks. Weak passwords, reused passwords, and poor organisational password management can easily put sensitive information at risk.”
A Dashlane study found that the average internet user has more than 200 digital accounts that require passwords, and the company predicts that this figure will double to 400 in the next five years.
Wake up call
Schalit said: “The sheer number of accounts requiring passwords means everyone is prone to make the same mistakes as the Password Offenders. We hope our list serves as a wake-up call to everyone to follow the best password security practices.”
Worst passwords of 2018?
Dashlane ranks the ‘worst password offenders’ of 2018, from worst to, well, slightly less:
Kanye West: Kanye is no stranger to controversy and attained even more notoriety this year when he was captured unlocking his iPhone with the passcode “000000” during his infamous meeting at the White House. Having a weak passcode is risky enough, but brazenly flaunting poor password practices in a room full of TV cameras is as bad as it gets. To put it gently, Kanye needs to lock down his passwords and make them better, faster, stronger.
The Pentagon: It’s a shame that the Department of Defense holds the #2 spot this year (up two spots from #4 in last year’s list), but a devastating audit by the Government Accountability Office (GAO) found numerous cybersecurity vulnerabilities in several of the Pentagon’s systems. Among the disturbing issues was that a GAO audit team was able to guess admin passwords in just nine seconds, as well as the discovery that software for multiple weapons systems was protected by default passwords that any member of the public could have found through a basic Google search.
Cryptocurrency owners: As the value of cryptocurrencies reached record levels at the beginning of the year, scores of crypto owners had the potential to cash out—if they could remember their passwords. The news cycle was rife with reports of people resorting to desperate measures (including hiring hypnotists) to attempt to recover/remember the forgotten passwords to their digital wallets.
Nutella: Nutella came under fire for giving some of the nuttiest password advice of the year as the beloved hazelnut-and-chocolate spread company encouraged its Twitter followers to use “Nutella” as their password. As if the advice wasn’t bad enough, the company sent out the ill-advised tweet to celebrate World Password Day.
UK Law Firms: Researchers in the UK found more than one million corporate email and password combinations from 500 of the country’s top law firms available on the dark web. Making matters worse, most of the credentials were stored in plaintext.
Texas: Everything is bigger in Texas, including the cybersecurity gaffes. The Lone Star State left more than 14 million voter records exposed on a server that wasn’t password protected. This blunder meant that sensitive personal information from 77% of the state’s registered voters, including addresses and voter history, was left vulnerable.
White House Staff: Last year, two White House officials made our list: President Trump took the (un)coveted title of 2017’s Worst Password Offender for a variety of poor cybersecurity habits, while Sean Spicer was included for tweeting his password. This year they passed the baton to another staffer who made the mistake of writing down his email login and password on official White House stationery. This mistake was exacerbated as he accidentally left the document at a Washington, D.C. bus stop.
Google: The search engine giant has historically been buttoned up in terms of cybersecurity, but this year, an engineering student from Kerala, India hacked one of their pages and got access to a TV broadcast satellite. The student didn’t even need to guess or hack credentials; he logged in to the Google admin pages on his mobile device using a blank username and password.
United Nations: The organisation tasked with maintaining international peace has a security problem. U.N. staff were using Trello, Jira, and Google Docs to collaborate on projects, but forgot to password protect many of their documents. This meant anyone with the correct link could access secret plans, international communications, and plaintext passwords.
University of Cambridge: A plaintext password left on GitHub allowed anyone to access the data of millions of people being studied by the university’s researchers. The data was being extracted from the Facebook quiz app myPersonality and contained the personal details of Facebook users, including intimate answers to psychological tests.
How to not end up in Dashlane’s 2019 list
Password protect all accounts: Whether it’s a server, email account, or an app, you should always secure your data with passwords as they’re the first, and often only, line of defence between hackers and your personal information.
Use strong passwords: Never use passwords that are easy to guess or that contain names, proper nouns, or things people can easily research about you—like your favourite hazelnut spread! All your passwords should be longer than eight characters and include a mix of random letters, numbers, and symbols. Even better, use a generator to come up with them for you.
Never reuse passwords: Every one of your accounts needs a unique password. The risk in password reuse is that hackers can use passwords from compromised accounts to easily access other accounts. The only protection against this is to have a different password for every account.