We’ve covered a lot of password security tips and ways to secure your credentials over on our blog The Lockdown. This year, on World Password Day, we thought we’d do things a bit differently and share some of the worst password fails this past year. While these organizations and individuals may not appreciate the extra attention, these password fails all drive awareness and serve as a reminder to improve your own password security. Without further ado, let’s see our top contenders.
Facebook’s Million-Plain-Text-Passwords-Exposed Face Plant
Facebook announced earlier this year that they found 200 to 600 million Facebook account passwords dating back to 2012 exposed in plain text and available to more than 20,000 Facebook employees. Our CTO covers the full story here.
Nutella’s Sweet Mistake
Last year Nutella celebrated World Password Day on Twitter with the worst advice possible, “Choose a word that’s already in your heart.”
Twitter users weren’t impressed and took to the comment sections to share their thoughts:
Elsevier Exposed
What was described by Motherboard as a “rolling list of passwords”, a leader in analytics and science Elsevier, left a server openly accessible from the internet. A researcher saw the list of Elsevier passwords and contacted Elsevier immediately. They then responded by stating that the issue was resolved and were still investigating but that “it appears that a server was misconfigured due to human error.”
Lights Out for LIFX Smart Bulbs
Earlier this year, hacker “LimitedResults” shared how smart LIFX light bulbs can be used to expose anything from Wi-Fi passwords to root certificates. LimitedResults purchased a bulb and downloaded the accompanying app on his Android device where he proceeded to set up his Wi-Fi connection. Once linked, he took apart the bulb using a saw to expose the hardware within. Once inside, he found the ESP32D0WDQ6 system-on-chip (SoC) and fused the board to connect the LIFX hardware. Once connected, he was able to see the plain text Wi-Fi passwords within the SoC’s memory.
Reddit, Wikipedia, and Amazon Still Encourage Poor Passwords
You’d think these tech giants would be at the forefront of cyber security but unfortunately, a research project at the University of Plymouth has monitored their password security habits for the last 11 years and revealed they are still accepting poor passwords. This is incredibly alarming as it perpetuates the use of weak passwords. Nearly every common password was accepted, which included “repeats of the username, the user’s own name and, of course, the all-time classic, ‘password’.'”
A 3 Year Old’s 50 Year Password Mistake
Imagine walking up to your iPad to find your toddler has locked you out of your device for 25,536,442 minutes. This became a reality for Evan Osnos this year when he discovered his toddler had repeatedly attempted to unlock his iPad.
His post received a lot of attention and some password humor:
Eventually, Evan was able to log back in but only after completely wiping his iPad.
Are you updating your password right now? This isn’t a problem you can afford to ignore. Take the time to create a complex, unique string of characters for each account, set up 2-factor authentication, and get a password manager to protect your accounts! Need more proof, here’s how quickly cyber criminals can crack your password using dictionary searches and brute-force attacks.
This World Password Day 2019 let’s hope there will be one less “password fail” to learn from. Let these lessons be a wake-up call for you to update your own password practices. Do you have any password fail stories or password jokes? Share them in the comments below.
Join us tomorrow to celebrate World Password Day 2019 with our password cracking webinar and contest launch!
![\"_The_worst_password_security_advice_fails-01.png\"](\"https://us1.discourse-cdn.com/spiceworks/original/4X/0/6/1/061de234dbfba9ad8bbc95188752cb00e565fe1b.png\")