Good password practices remain elusive as Dashlane's latest list of the worst password blunders can attest.

When it comes to security, there are many things humans do badly. A new end-of-the-year list provides a new batch of evidence that passwords are among the worst.

The "Worst Password Offenders of 2018," assembled by password management vendor Dashlane, goes from the ridiculous to the horrifying.

The No. 1 offender on the list is the former, Kanye West, who shared his password — 000000 — on television as he unlocked his iPhone to show the screen to President Trump during an Oval Office meeting.

The remainder of the top 10 offenders lean heavily toward government or quasi-government agencies, with the second offender one of the most worrying: the Pentagon. A Government Accountability Office (GAO) audit found that many system admin passwords could be guessed in as few as nine seconds, and " ... software for multiple weapons systems was protected by default passwords," according to Dashlane. Those passwords, the GAO noted, could be found by anyone with a knowledge of the systems' manufacturers and a working understanding of how Google works.

"Unfortunately, changing the default password wouldn't make a huge difference," says Emmanuel Schalit, CEO of Dashlane. He notes that the most significant issue is a limitation of the human brain. "The most important thing you can do as an individual is to never reuse passwords," he says. "Always have a different password for every different service."

That reuse becomes challenging, Schalit explains, because "the average consumer has 200 passwords, and it's impossible to manage them all without technology to help manage the digital identity."

Other offenders on the list include Cambridge University, for exposing records of thousands of experimental subjects because a password was left in a Github repository, and Nutella, for suggesting that its Twitter followers use the word "Nutella" as their passwords as a "helpful" suggestion on National Password Day.

Some have promoted the use of two-factor authentication (2FA) as a way to reduce the impact of poor password hygiene. Schalit, too, says two factors should be used wherever possible, though its overall effectiveness is limited by two major factors. The first is that 2FA isn't available for many services, he points out.

Second, even where it is available, 2FA frequently uses SMS as part of the second factor, and " ... it only costs a few dollars to buy the text messages of an individual," Schalit says.

It's important that individuals work to improve their digital practices, he adds, because the issues with secure digital identities go beyond personal finance. "It's not an individual issue anymore — it's a global issue," he says. "Whenever one of us is breached or compromised, that doesn't just impact the individual. It starts to erode the very fabric of the Internet when it becomes too dangerous, too risky."

Related Content:

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights