Password management firm Dashlane has published a list of what it believes are the top ten password offenders for 2017. It comprises six ‘government’ entries (including the President of the United States and the entire UK Government), and four organizations. Topping the list is Donald Trump, joined by Paul Manafort at #9 and Sean Spicer at #10.
To be fair, it is as much Trump the administration as it is Trump the person that is being called out. Dashlane points to a Channel 4 News investigation in January 2017 that said “Passwords used by Donald Trump’s incoming cyber security advisor Rudy Giuliani and 13 other top staff members have been leaked in mass hacks.”
In reality, the majority of people have had at least one password exposed by the many mass hacks that have plagued the internet this decade, so the biggest problem is not whether a password appears in the dark web listings, but whether it is still being used by the user of that password. Dashlane comments, “many of the top staff members Trump handpicked, including multiple cabinet secretaries, senior policy directors — even cybersecurity advisor Rudy Giuliani — were reusing insecure, simple passwords.”
Paul Manafort, who was indicted in October by a federal grand jury as part of Robert Mueller’s investigation into the Trump campaign, had been using ‘Bond007’ as his password for multiple personal accounts, including Dropbox and Adobe. Sean Spicer makes the list at #10 because, says Dashlane, “the former Press Secretary sent numerous Tweets of what appeared to be his very own passwords.”
While the Democratic Party experienced several cybersecurity incidents last year, the U.S. political and government entities that made Dashlane’s 2017 list are the Department of Defense (DOD, at #4) and the Republican Party (at #5). For the DOD, Dashlane comments, “Defense contractor Booz Allen Hamilton left the Pentagon severely exposed by leaving critical files on a non-password protected Amazon server. Included in the exposed data were several unencrypted passwords that could have been used to access classified D.O.D. information.”
The Republican Party is included for a similar reason: one of its analytics firms exposed sensitive data on 198 million U.S. voters by leaving it on an unprotected Amazon server.
It’s not just U.S. political entities in the list, however. Coming in at #3 is the entire ‘UK Government’. In March, the National Cyber Security Center (NCSC) chief executive Ciaran Martin wrote to political parties warning, “This is not just about the network security of political parties’ own systems. Attacks against our democratic processes go beyond this and can include attacks on Parliament, constituency offices, think tanks and pressure groups and individuals’ email accounts.”
In June, the Times reported, “Passwords belonging to British cabinet ministers, ambassadors and senior police officers have been traded online by Russian hackers, an investigation by The Times has found.” Again, the lists of passwords were probably aggregated from numerous earlier mass hacks; but, disturbingly, the most common password was ‘password’.
Following these events it would be logical for members of parliament and IT administrators to have tightened password management. But in early December, several members tweeted that they routinely share their work computer password with staff, including interns (see http://www.securityweek.com/uk-members-parliament-share-passwords-staff).
Four commercial organizations make Dashlane’s worst offenders list: Equifax (#2), Google (#6), HBO (#7) and Imgur (#8). Equifax is included not because of its loss of the personal details of 145.5 million people, which was basically a patching issue rather than a password issue (see http://www.securityweek.com/equifax-confirms-apache-struts-flaw-used-hack), but because of what appears to be a generally lax attitude towards password hygiene. A smaller and less well known Equifax breach this year occurred, in the words of Equifax’s own disclosure letter to the Attorney General of New Hampshire, because “unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ PINs (i.e., the password to access the online portal).”
Compounding this, researchers discovered that an Equifax server in Argentina was protected by ‘admin/admin’. Anyone guessing these credentials would be able to access the server and find and modify employees’ user accounts. The stored credentials were obscured but not encrypted: a plaintext user name with a password consisting of the user’s surname.
Google makes the list because of the May phishing attack that compromised an unknown number of Google users’ login credentials (see http://www.securityweek.com/google-tightens-oauth-rules-combat-phishing).
HBO is included because, following a series of hacks and breaches in 2017 (see http://www.securityweek.com/hbo-hackers-demand-millions-ransom-note), “employees came forward with reports of terrible cybersecurity practices, including the reuse of passwords for personal and work accounts.” One stolen and leaked Word document actually contains the personal email address and passwords of an HBO SVP.
Imgur is included because of a breach that occurred in 2014 but was only discovered this year. “The company admitted that at the time of the hack it was using an outdated algorithm to encrypt its users’ passwords,” explains Dashlane. “Although it updated its encryption last year, the damage was already done as 1.7 million user passwords were potentially compromised.”
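Dashlane’s point that upgrading the hashing algorithm does not retroactively protect hashes that have already leaked is worth seeing concretely. The following added example (not code from the article, Dashlane or Imgur) assumes a legacy credential store of unsalted SHA-1 hashes as a stand-in for the “outdated algorithm”, and upgrades each record to salted PBKDF2 only on the user’s next successful login, the only moment the plaintext is available; accounts that never log in stay on the weak hash, which is exactly the residual exposure the article describes.

```python
import hashlib
import hmac
import os

# Constructed sample store: unsalted SHA-1 stands in for the legacy scheme
# (an assumption for illustration, not Imgur's actual algorithm).
LEGACY_STORE = {
    "alice": "sha1$" + hashlib.sha1(b"Bond007").hexdigest(),
    "bob": "sha1$" + hashlib.sha1(b"password").hexdigest(),
}

PBKDF2_ITERATIONS = 200_000  # slow, salted replacement scheme


def hash_pbkdf2(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either scheme, using constant-time comparison."""
    scheme, rest = stored.split("$", 1)
    if scheme == "sha1":
        return hmac.compare_digest(rest, hashlib.sha1(password.encode()).hexdigest())
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def login(store: dict, user: str, password: str) -> bool:
    """Authenticate; on success, silently migrate a legacy record to PBKDF2."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha1$"):
        store[user] = hash_pbkdf2(password)  # upgrade now: plaintext is in hand
    return True


def legacy_accounts(store: dict) -> list:
    """Accounts still on the weak hash: the population a leaked dump exposes."""
    return sorted(u for u, h in store.items() if h.startswith("sha1$"))
```

Running `legacy_accounts` after a migration window tells a defender how many records a pre-upgrade dump would still compromise, which is the number to force-reset rather than wait on.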
What is clear from this list is that despite all of the warnings and breaches, people and organizations who should be setting an example for everyone else are still demonstrating very poor password hygiene, both for themselves and for their users. Multi-factor authentication wherever possible will certainly help users protect themselves; but the first and primary line of defense is to use very strong, unique passwords and never reuse them, and to hope that the service that requires them will never store them in plaintext.