Password fails of 2018

Over the last three years, password manager company Dashlane has released an annual “Worst Password Offenders” list…

… Perhaps it is therefore time for us mere mortals to finally take that hint and start coming up with better passwords.

While some of these incidents on the list expose some real “dumbassery”, the consequences of bad passwords could be dire. I’ll leave this link here: a recent Facebook hack that exposed the location and search history of 14 million users.

As Dashline CEO Emmanuel Schalit points out: “Passwords are the first line of defence against cyberattacks.”

But let’s get to that list

1. Kanye West: Our headline grabbing friend, Kanye West, is no stranger to controversy and attained even more notoriety this year when he was snapped unlocking his iPhone with six zeros (000000) during his infamous meeting at the White House. Having a weak passcode is risky enough, but brazenly flaunting poor password practices in a room full of TV cameras is as bad as it gets. To put it mildly, Kanye needs tolockdown his passwords and make them better, faster, stronger. (disclaimer – this joke was #stolen)
2. The Pentagon: It’s a shame that the Department of Defense holds the #2 spot this year (up two spots from #4 in last year’s list), but a devastating audit by the Government Accountability Office (GAO) found numerous cybersecurity vulnerabilities in several of the Pentagon’s systems. Among the disturbing issues was that a GAO audit team was able to guess admin passwords in just nine seconds, as well as the discovery that software for multiple weapons systems was protected by default passwords that any member of the public could have found through a basic Google search.
3. Cryptocurrency owners: As the value of cryptocurrencies reached record levels at the beginning of the year, scores of crypto owners had the potential to cash out—if they could remember their passwords. The news cycle was rife with reports of people resorting to desperate measures (including hiring hypnotists) to attempt to recover/remember the forgotten passwords to their digital wallets.
4. Nutella: Nutella came under fire for giving some of the nuttiest (again: stolen) password advice of the year as the beloved hazelnut-and-chocolate spread company encouraged its Twitter followers to use “Nutella” as their password. As if the advice wasn’t bad enough, the company sent out the ill-advised tweet to celebrate World Password Day.
5. K. Law Firms: Researchers in the United Kingdom found over one million corporate email and password combinations from 500 of the country’s top law firms available on the dark web. Making matters worse, most of the credentials were stored in plaintext.
6. Texas: Everything is bigger in Texas, including the cybersecurity gaffes. The Lone Star State left over 14 million voter records exposed on a server that wasn’t password protected. This blunder meant that sensitive personal information from 77% of the state’s registered voters, including addresses and voter history, was left vulnerable.
7. White House Staff: Last year, two White House officials made our list: President Trump took the (un)coveted title of 2017’s Worst Password Offender for a variety of poor cybersecurity habits, while Sean Spicer was included for tweeting his password. This year they passed the baton to another staffer who made the mistake of writing down his email login and password on official White House stationery. This mistake was exacerbated as he accidentally left the document at a Washington, D.C. bus stop.
8. Google: The search engine giant has historically been buttoned up in terms of cybersecurity, but this year, an engineering student from Kerala, India hacked one of their pages and got access to a TV broadcast satellite. The student didn’t even need to guess or hack credentials; he logged in to the Google admin pages on his mobile device in using a blank username and password.
9. United Nations: The organisation tasked with maintaining international peace has a security problem. U.N. staff were using Trello, Jira, and Google Docs to collaborate on projects, but forgot to password protect many of their documents. This meant anyone with the correct link could access secret plans, international communications, and plaintext passwords.
10. University of Cambridge: A plaintext password left on GitHub allowed anyone to access the data of millions of people being studied by the university’s researchers. The data was being extracted from the Facebook quiz app myPersonality and contained the personal details of Facebook users, including intimate answers to psychological tests.

I do just want to mention, however, that public Wi-Fi is not always the safest and ransomware is literally a wrong click away – threatening your data. But you could win some peace of mind here, with Kaspersky Lab and Gadget-Gal.com.

Picking a password

Obviously, the best password is one that is complicated to guess and easy to remember.

Many of us assume that special characters make a password more secure. And while that’s true to a certain extent those passwords can still be guessed and can be quite difficult to remember.

It’s better to have a long password that uses several words together. These are just easier to remember.

The challenge arises when passwords have to fit within certain rules. Caps, special characters or numbers can make them hard to remember. That’s where a password manager comes in, as it can keep these safe for you and you just remember one master key to access them.

A lot of South Africans use something called Lastpass but I also want to mention that the best advice is to avoid, at all costs, using the same password on more than one site.

Here’s what Dashlane recommends:

Password protect all accounts: Whether it’s a server, email account, or an app, you should always secure your data with passwords as they’re the first, and often only, line of defense between hackers and your personal information.

Use strong passwords: Never use passwords that are easy to guess or that contain names, proper nouns, or things people can easily research about you—like your favorite hazelnut spread! All your passwords should be longer than eight characters and include a mix of random letters, numbers, and symbols. Even better, use a generator to come up with them for you.

Never re-use passwords: Every one of your accounts needs a unique password. The risk in password reuse is that hackers can use passwords from compromised accounts to easily access other accounts. The only protection against this is to have a different password for every account.