Remember that episode of The Office in which an intern said about her summer at Dunder Mifflin Paper Company, “I learned that half of these people’s passwords are ‘password?’”
That punch line was made reality—but at a much more important office. A year-end study by Dashlane, a digital security company, found that “password” is the most popular choice for actual passwords by a group of government officials in the U.K.
Perhaps more embarrassingly, the British government wasn’t the worst password offender of the year.
Monitoring cybersecurity news from thousands of sources globally in 2017, Dashlane kept a running list of companies that were hacked due to weak password protection. Among the top 10 are government entities, large companies and individuals.
Weak passwords, using one password for multiple accounts, and simply a lack of passwords are found to be the most common reasons for cybersecurity breaches.
President Donald Trump tops the list of worst passwords, thanks to a slew of cybersecurity breaches revealed among his staff members as well as cyberattacks on multiple Trump Organization websites.
Several top Trump staff members, including his cybersecurity advisor Rudy Giuliani, were found using weak passwords for multiple accounts. Paul Manafort, a former campaign manager for Trump, was found using “Bond007” as the password for several personal accounts, including Dropbox and Adobe. Sean Spicer, the former White House press secretary, even posted what appeared to be one of his passwords on Twitter by accident.
Trump is trailed by Equifax, the U.K. government and the U.S. Department of Defense.
Equifax’s massive data leak in September alone secures second place on the list. The incident was cited more than 8,000 times in global media, Ryan Merchant, a senior manager at Dashlane, told Observer.
The Defense Department (No. 3) and a GOP data analytics firm (No. 5) leaked sensitive information because they didn’t set passwords for their Amazon web servers, on which they stored the data.
In June, British news site The Times revealed that Russian hackers were selling stolen passwords that belonged to British cabinet ministers, ambassadors and senior police officers. The investigation found that the most popular password for these officials is “password.”
While setting strong passwords enhances the security of your data, having just one might not be enough. “We found that the reuse of passwords is the greatest danger of cybersecurity,” Merchant told Observer.
Merchant said that once hackers have captured the password for one account, the danger of contaminating other accounts is high. “It’s easy for hackers to find what other accounts you own. Tools for getting this information can be found with a simple Google search nowadays,” he added.
Merchant encourages businesses and individuals to start using password management tools that store multiple passwords and are accessible by a “master password,” which is often professionally guarded by solution providers.
Here’s the full list of the 10 worst password offenders of 2017:
1) Donald Trump: Multiple Trump Organization websites were hacked. Top staff members were found using simple passwords for multiple accounts.
2) Equifax: The credit-rating agency leaked information of 150 million clients in July.
3) U.K. Government: Personal account passwords were stolen by Russian hackers.
4) Department of Defense: Numerous critical files were exposed on a non-password protected Amazon server.
5) Republican Party: A GOP data analytics firm accidentally leaked the personal information of 198 million voters. That’s roughly the entire voting-age population, Dashlane said in a release.
6) Google: An unknown number of user credentials were hacked in a phishing attack in May.
7) HBO: Show episodes and celebrities’ personal information were leaked. The network’s social media accounts were hacked due to the reuse of passwords.
8) Imgur: Roughly 1.7 million user passwords were compromised due to an outdated algorithm that encrypted user information.
9) Paul Manafort: Trump’s former campaign manager used “Bond007” as the password for multiple personal accounts.
10) Sean Spicer: The former White House press secretary may have accidentally posted one of his passwords on Twitter.