Big Tech, Bigger Mistakes: Facebook And Google Top Dashlane's List Of 2019's "Worst Password Offenders"

NEW YORK, Dec. 17, 2019 /PRNewswire/ -- Dashlane today announced its fourth annual list of the "Worst Password Offenders." The list highlights the high-profile individuals and organizations that had the most significant password-related blunders in 2019.

Big Tech and regulation have been at the forefront of political and societal conversations, particularly this year with federal and state consumer data privacy laws and the 2020 election on the horizon. Unfortunately, when companies like Facebook and Google (which took the #1 and #2 spots on this year's list, respectively) admit to insecure password and cybersecurity-related practices, it's their users who suffer when credentials are leaked online. This causes a ripple effect; a hacker with your username/email and password from a single compromised database can use that information to access other accounts.

It's not just companies making these mistakes; many people can identify with the likes of Lisa Kudrow, who made the list this year for posting a picture on Instagram that showed a Post-It with her password. Dashlane data shows that the average Internet user has over 200 digital accounts that require passwords, a figure projected to double to 400 in the next five years. As more and more of our lives have migrated online, everyone needs an easier way to browse the web safely and seamlessly.

"The drudgery of passwords, account creation and recovery, and the fear of what you need to do after a big company data breach are all legitimate concerns for everyone using the internet," said Dashlane co-founder and CEO, Emmanuel Schalit. "Our Worst Password Offenders list serves as an annual reminder for how easy it is to make a misstep on the web, no matter your status. Using a password manager like Dashlane can help keep you safe from hacks while making everything you do online easier."

Dashlane's "Worst Password Offenders" of 2019, beginning with the worst:

    1. Facebook: In back-to-back incidents earlier this year, Facebook admitted
       to both exposing passwords belonging to hundreds of millions of users,
       and breaching user privacy by asking for the email passwords of new users
       and harvesting contacts without consent. The tech giant brought giant
       problems on itself by storing account passwords in plaintext within its
       internal data storage systems for years, violating a security best
       practice followed by most companies and services to protect user data
       from prying eyes. Making matters even worse, later this year, the company
       also left a server unprotected without a password, exposing phone numbers
       and records of over 400 million users. For a company under increasing
       scrutiny for how it handles (or mishandles) user data and security, it
       sure needs a poke in the ribs.
    2. Google: Not to be outdone by its fellow FAANG's failure, Google also
       confessed to accidentally storing the passwords for a percentage of its G
       Suite users in plaintext - since 2005. "Accidents" like this have major
       implications for platforms and their users; breaches can go undetected
       for years, so you never know when an account might have been exposed.
       Plaintext passwords give cybercriminals plenty to go on - they can access
       user accounts and wreak havoc on digital lives through credit card fraud
       or identity theft.
    3. Lisa Kudrow: The actress got by with a little help from her Friends after
       she posted a picture on Instagram of her computer monitor, which featured
       an article about an upcoming role, along with a Post-It with her
       password. Her savvy followers immediately pointed out the mistake,
       prompting Kudrow to delete the photo and share a new version with another
       Post-It poking fun at her own bad password hygiene. Celebs are not the
       only ones who need to be careful about what they post on social media;
       take a moment before you hit upload to ensure you aren't inadvertently
       publicizing sensitive or personally identifiable information in a post.
       Otherwise, it'll have us saying "my eyes, my eyes!"
    4. Congressman Lance Gooden: Apparently, Congressman Gooden didn't learn
       from the mistakes of last year's Worst Password Offender, Kanye West, who
       unlocked his iPhone with the passcode "000000" during his infamous White
       House meeting. This year, during the televised testimony from Mark
       Zuckerberg before the House Financial Services Committee, the Republican
       representative from Texas was caught on camera using "777777" as his
       passcode. He isn't the only person in politics over the years to commit
       passé password offenses, which have many calling into question the basic
       security understanding of elected or appointed officials. In fact, it was
       reported this year that after Rudy Giuliani was named cybersecurity
       adviser in 2017, he went to an Apple store for help unlocking his iPhone
       after he had entered the wrong passcode more than 10 times.
    5. WeWork: While the debate as to whether or not WeWork is a tech company
       rages on, one thing is for sure: a tech company should know better than
       to use the same insecure password for its entire global WiFi network. A
       Fast Company story added to WeWork's fair share of controversies this
       year, calling out how easy their network password is to guess and how it
       puts members at risk.
    6. Elsevier: The publishing company behind a wealth of scientific,
       technical, and medical journals is yet another example of the unfortunate
       trend of plaintext password exposure among 2019's Worst Password
       Offenders. Elsevier left a server open to the public online, exposing
       email addresses and passwords for users from educational institutions and
       universities all over the world. The open server also allowed access to
       password reset links, which are produced when users request to change
       login credentials. These infractions for Elsevier are also severe due to
       the pervasive issue of password reuse.
    7. Virgin Media UK: Things you shouldn't do after your company is found to
       have stored passwords insecurely? Tweet your very wrong reasoning. After
       an ethical hacker in the UK forgot the login for his Virgin Media account
       and requested a password reset, he received his previous password by mail
       - a clear sign that the company didn't encrypt user passwords. The hacker
       took to Twitter to call out Virgin Media, to which they replied: "Posting
       it to you is secure, as it's illegal to open someone else's mail."
       Matthew Hughes, a journalist at The Next Web, put it best: "Yes, because
       criminals don't break laws, right? By that logic, why should I lock my
       front door? After all, burglary is illegal. And maybe, by extension, we
       should do away with the police, as breaking laws is illegal."
    8. GPS Trackers by Shenzhen i365 Tech: GPS trackers designed to help parents
       track their children put them at risk of having real-time location data
       exposed to strangers when over half a million users were assigned the
       easy-to-hack default password, "123456," for their devices. A number of
       tracker models had vulnerabilities that allowed third parties to fake a
       user's location or access the microphone for eavesdropping. So much for
       parental control.
    9. Ellen DeGeneres: While the beloved daytime talk show host's response to
       sharing a bad password joke with her followers may not have received the
       same blowback as attending a football game with a former President, it
       does call for a reminder. Do not use "password" (or any form of the word)
       as your password! After Ellen's Instagram was briefly hacked and offered
       giveaways to followers, she tweeted an apology along with a bad password
       practice - which is no joke: "My Instagram account was hacked last night
       (despite my clever password "password")."
    10. Ashleys: A list released by the UK's National Cyber Security Centre
        found the name Ashley to be the highest-ranking first name among the top
        hacked passwords, making anyone using it this year's #10 Offender. Never
        use passwords that are easy to guess or that contain names, proper
        nouns, or things people can easily research about you. All your
        passwords should be longer than eight characters and include a mix of
        random letters, numbers, and symbols. Even better, use a password
        generator to come up with them for you.

Don't Become a Dishonorable Mention
Learn from the mistakes of this year's Worst Password Offenders:

    --  Use different passwords for every account: Password reuse is an
        epidemic. Repeating the same password across your accounts is a lot like
        using the same key for your house or your car. If someone gets a hold of
        those keys, they now have access to everything you want to keep safe.
        Hackers can use passwords from compromised accounts to easily access
        other accounts. The only protection against this is to have a different
        password for every account.
    --  Turn on two-factor authentication (2FA): 2FA is a feature that adds an
        additional "factor" to your normal login procedure to verify your
        identity. 2FA adds an extra layer of security by verifying your identity
        using two of three possible identifiers: something you know (your
        password, PIN number, zip code, etc.), something you are (via facial
        recognition, your fingerprints, retina scans, etc.), or something you
        have (a smart card, your smartphone, etc.). Most apps or websites will
        verify you via an email or a text message sent to your phone.
    --  Get a password manager. Now. Ditch the notebook, Excel grid, Post-It, or
        whichever patented password management "method" you're currently using.
        A password manager is literally the only way to safely and conveniently
        manage wildly complicated and unique passwords for an unlimited number
        of accounts, while providing automatic logins and secure autofill of
        personal and payment information.

About Dashlane
Dashlane is a mobile and desktop app that gives you a shortcut for everything you do online. Log in instantly, fly through forms, and breeze through checkouts on every device you own without compromising on security.

With offices in New York City, Paris, and Lisbon, Dashlane works to create a safe and effortless way for everyone to be safe online.

View original content: http://www.prnewswire.com/news-releases/big-tech-bigger-mistakes-facebook-and-google-top-dashlanes-list-of-2019s-worst-password-offenders-300975727.html

SOURCE Dashlane