It turns out Kanye West, Nutella and Texas all have something in common: they’re terrible with passwords.
Password managing app Dashlane released its annual list of the “Worst Password Offenders” on Wednesday. This year’s list includes high-profile names and organizations like Google, White House staff and the Pentagon.
“Passwords are the first line of defense against cyberattacks,” Dashlane CEO Emmanuel Schalit said in a release. “Weak passwords, reused passwords, and poor organizational password management can easily put sensitive information at risk.”
The average internet user has more than 200 accounts requiring a password, Dashlane said. The company expects that number to double in the next five years, meaning everyone could be at risk of repeating the same mistakes as the password offenders, Schalit said.
Here are Dashlane’s top 10 password offenders for 2018, starting with the worst:
- Kanye West: During an October meeting with President Donald Trump, Kanye West unlocked his phone using the not-so-clever passcode 000000. That’s probably not the most secure combination, and it doesn’t help that he unlocked the phone in front of several cameras.
- The Pentagon: You may be surprised (and perhaps disappointed) to see the Pentagon on this list. An audit by the Government Accountability Office released in October found several vulnerabilities in the Pentagon’s systems. For example, the audit team was able to guess admin passwords in nine seconds.
- Cryptocurrency owners: Apparently, people who own cryptocurrency had a hard time remembering the passwords to their digital wallets.
- Nutella: Maybe don’t take password advice from a company that makes hazelnut spread? Nutella came under fire on World Password Day after encouraging its Twitter followers to .
- UK Law Firms: Researchers found that more than one million corporate email and password combinations from 500 UK law firms were available on the dark web.
- Texas: More than 14 million voter records with personal information were found on a server that wasn’t password protected.
- White House Staff: A staffer wrote his email login and password on official White House stationery, then accidentally left it at a bus stop. Oops.
- Google: Yes, even Google made it onto the list. An engineering student from Kerala, India, hacked one of the company’s pages and accessed a TV broadcast satellite. To log in to the Google admin pages from his phone, he simply used a blank username and password.
- United Nations: UN staff using Trello, Jira, and Google Docs forgot to password-protect some of their documents. That gave anyone with the right link access to secret plans, international communications and plaintext passwords.
- University of Cambridge: A plaintext password was left on GitHub, allowing anyone access to the data of millions of people who were being studied by the university’s researchers. That data was pulled from a Facebook quiz app called myPersonality.