Mark Zuckerberg suffered a major breach of privacy on June 5 when hackers gained access to his personal social media accounts. 

Many people criticized the Facebook CEO’s simple password — “dadada” — as well as the fact he reused the same password across multiple services. 

While Zuckerberg’s choices may not follow experts’ recommended security practices, they reflect the norms of cybersecurity more than an extreme case of negligence. If anything, the revelation should prompt the general public and businesses to take a look in the mirror and evaluate their own cybersecurity hygiene. 

Suffice it to say, Mark Zuckerberg isn’t alone in his poor password choices. 

Most Common Passwords Are Terrible

Analysis of 11 million passwords shows that “dadada” is actually par for the course. A look at the top five most popular passwords shows “123456,” “12345” and “1234” making the list. 

[Figure: top 20 most common passwords]

People Use Many of the Same Passwords

These 20 passwords constitute 10.3 percent of all passwords in use. That means with fewer than 20 tries, anyone could log in to roughly one out of 10 accounts today. The top password, “123456,” comprises 4.1 percent of all passwords. “Dadada” starts to look tough in comparison.

Nearly One Third of People Reuse Passwords

Mark Zuckerberg reportedly used the same password for his LinkedIn, Twitter and Pinterest accounts, which the hackers reportedly found online following the 2012 LinkedIn breach. In other words, one leaked password led to three hacked accounts. 

Research from University of Cambridge professor Joseph Bonneau indicates 31 percent of people reuse passwords for multiple services. A third of internet users could fall victim to the same fate as Zuckerberg. And consider this: the average person uses 28 distinct cloud services today — and that number shows no signs of going down.

There’s More at Stake than Tweets

Hacking social media accounts can damage a reputation, but at least in this case no sensitive information was lost. People upload much more than to-do lists and vacation photos to cloud applications. 

Thirty-four percent of employees upload sensitive data including personally identifiable information (e.g. Social Security numbers, home addresses), health information (e.g. patient records), or payment card data to file sharing apps. Twenty-one percent of all files in file-sharing services contain sensitive data. 

If a hacker can steal a password, chances are high they can access some form of sensitive information. 

Cloud Services Add to the Problem

The average internet user may not be aware of the substantial threats posed by weak security practices. The service provider carries some of the responsibility to educate users on how to protect themselves. 

Yet out of over 12,000 cloud services on the market, only 6.5 percent require strong passwords with a combination of upper-case letters, lower-case letters, numbers and symbols. Another 13.6 percent require moderate passwords, and the vast majority — 79.9 percent — allow weak passwords that are the most vulnerable to compromise.  
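The two checks a service provider can run at sign-up follow directly from the statistics above: reject anything on a most-common-passwords list, and classify the rest against a character-class policy. The example below is added here and is not code from the original article; the leaked-password counts are constructed for illustration (not the 11 million-password analysis cited), and the "moderate" tier, which the article does not define, is assumed to mean at least two character classes and eight or more characters.

```python
import re
from collections import Counter

# Constructed sample of leaked-password frequencies (invented counts, sized so that
# the top password is 4.1 percent of all accounts and the tail is long).
SAMPLE_PASSWORD_COUNTS = Counter({
    "123456": 41, "password": 20, "12345": 15, "12345678": 10,
    "qwerty": 8, "1234": 6, "dadada": 1, "Blue-Kettle-42!": 1,
})
# 898 unique, rarely chosen passwords make up the rest of the 1,000-account sample.
SAMPLE_PASSWORD_COUNTS.update({f"tail{i}": 1 for i in range(898)})


def top_passwords(counts, n=5):
    """Return the n most common passwords and the share of all accounts they cover.

    The share is also the fraction of accounts an attacker limited to n guesses
    per account would open, which is why a blocklist of the top entries matters.
    """
    total = sum(counts.values())
    top = counts.most_common(n)
    share = sum(c for _, c in top) / total
    return [p for p, _ in top], share


def build_blocklist(counts, n=20):
    """Case-insensitive set of the n most common passwords, for rejection at sign-up."""
    passwords, _ = top_passwords(counts, n)
    return {p.lower() for p in passwords}


def classify_policy(password):
    """Classify a password into the article's three tiers.

    strong:   upper-case, lower-case, digit and symbol all present, 8+ characters
    moderate: (assumed definition) at least two classes and 8+ characters
    weak:     anything else
    """
    classes = [
        bool(re.search(r"[A-Z]", password)),
        bool(re.search(r"[a-z]", password)),
        bool(re.search(r"[0-9]", password)),
        bool(re.search(r"[^A-Za-z0-9]", password)),
    ]
    present = sum(classes)
    if present == 4 and len(password) >= 8:
        return "strong"
    if present >= 2 and len(password) >= 8:
        return "moderate"
    return "weak"


def check_password(password, blocklist):
    """Reject common passwords outright; otherwise report the policy tier."""
    if password.lower() in blocklist:
        return "rejected: common password"
    return classify_policy(password)


if __name__ == "__main__":
    top5, share = top_passwords(SAMPLE_PASSWORD_COUNTS, 5)
    print(f"top 5 {top5} cover {share:.1%} of accounts")
    blocklist = build_blocklist(SAMPLE_PASSWORD_COUNTS, 6)
    for candidate in ("123456", "dadada", "Password1", "Blue-Kettle-42!"):
        print(f"{candidate!r}: {check_password(candidate, blocklist)}")
```

The blocklist check runs before the policy check on purpose: a password like "Password1" can satisfy a two-class policy and still sit near the top of a breach list, so character-class rules alone are not enough.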

[Figure: password strength requirements across cloud services]

Turn on Multi-Factor Authentication (When Possible)

Static passwords have proven to be a point of failure in a number of personal and company-wide data breaches. If we are to learn anything from these failures, it’s that good security and multi-factor authentication go hand in hand. 

Application service providers lag behind on this crucial feature. Today, only 15.4 percent of cloud services offer multi-factor authentication. 

Hackers Can Steal Even the Most Secure Password

At the end of the day, a password only provides one line of defense in the fight to keep data safe online — and it is a battle. A weak password certainly makes it easier for hackers to gain access to your information, but to keep data safe you need to practice overall solid security hygiene. 

Using multi-factor authentication, updating old software and looking out for phishing attempts all go a long way to keeping safe online. The hacker who broke into the controversial software company Hacking Team admitted that he only shared his victim’s weak password online as a red herring, since he had infiltrated the company so thoroughly that his key logger could have stolen any password. 

Title image "laughs" (CC BY-SA 2.0) by marc kjerland