We are mid-way through December and New Year’s Eve is fast approaching. Which means it’s the time of year to take stock of all that has been in the last 12 months in the form of curiously specific listicles, from the most fiercely discussed scientific studies of 2018 to the porn searches that have defined the past year.
For the last three years, password manager company Dashlane has released an annual “Worst Password Offenders” list, presumably in the hope that it will encourage a few of us to adopt “make better passwords” as our New Year’s resolution for 2019.
Naturally, Kanye’s easy-to-hack iPhone password (000000) tops the list but there are also some surprising entries, from Very Important government organizations to multinational confectionary companies (we’re looking at you, Nutella.) And while some of these reveal a hilarious level of competency, the real-life ramifications of crappy passwords can be disastrous – as the recent Facebook hack that left the location and search history of 14 million users highlights.
As Dashline CEO Emmanuel Schalit points out: “Passwords are the first line of defense against cyberattacks.”
And so, starting at number 10.
- 10. University of Cambridge
- When someone dropped a plaintext password on GitHub, they left the data of millions of people being studied by University of Cambridge researchers through the Facebook quiz app “myPersonality” vulnerable. This even included data pertaining to psychological test results.
- 9. United Nations
- Staff at the UN use systems like Trello, Jira, and Google Docs to collaborate. That wouldn’t be a problem – except for the fact that many forgot to protect those Very Important files with a secure password or, indeed, any password at all. This means anyone with the correct link could access extremely sensitive internal data and international communications. If you don’t laugh, you’ll cry.
- 8. Google
You might think that one of the world’s biggest tech companies knows a thing or two about security in the digital age. But earlier this year an engineering student from Kerala, India, successfully hacked into the company and managed to gain access to a TV broadcast satellite. All he had to do was log into the Google admin pages on his cell phone with a blank username and password.
- 7. White House Staff
- Last year, Trump earned the top spot on the list to become “2017’s Worst Password Offender”, making the inclusion of the White House on this year’s list (depressingly) predictable. The specific cybersecurity crime responsible for putting the WH at number seven is the actions of one staffer, who wrote down his email login and password on official (and embossed) stationary – which he then left at a Washington DC bus stop.
- 6. Texas
- Seventy-seven percent of voter records – that is 14 million Texans – were left exposed on a server that had not been password protected, meaning information like addresses and voting history were left out in the open.
- 5. UK Law Firms
- More than 1 million corporate email and password combinations from 500 of the UK’s top law firms were left (in plaintext) on the dark web.
- 4. Nutella
- The chocolate-hazelnut spread company should stick to what it knows best, confectionary. And it should steer far away from cybersecurity matters after suggesting fans of the product use “Nutella” as their password – on World Password Day.
- 3. Cryptocurrency Owners
- In January, the value of Bitcoin crashed with many cryptocurrency owners scrambling to get their money out before it dropped any further. Only many had forgotten their passwords, meaning their newfound wealth is now stuck in digital limbo.
- 2. The Pentagon
- The HQ for the United States Department of Defense made the list (again) following a Government Accountability Office (GAO) audit, which found that the software for multiple weapon systems were protected by default passwords. What’s more, the GAO team was able to guess admin passwords in just 9 seconds.
- 1. Kanye West
- Even more infamous than Kanye’s visit to the White House in October is his scandalous disregard for cybersecurity. Not only is his password extremely easy to guess (000000), the whole world now knows exactly what it is thanks to the hoards of TV crews who captured the rapper unlocking his iPhone on camera.