Password offenders: Who’s the naughtiest of them all?

In 2021, we’re celebrating the 60th anniversary of the computer password’s invention, but it also marks the year of some of the worst password mishaps this century. To honor the milestone, Dashlane announced its 2021 Worst Password Offenders list.

2021 worst password offenders

After the events of the past year-plus forced us to live our lives online, we may have expected that both companies and users alike would have sharpened their security skills to better control fraudulent activity and avoid breaches.

“If companies don’t start implementing positive password practice across their organization, the breaches are only going to get bigger and more dreadful,” said JD Sherman, CEO of Dashlane.

“If your company were a car, you wouldn’t step away without rolling up the windows and locking the doors. Yet, computer users seem to be leaving cars running and keys in the ignition.”

2021 Worst Password Offenders

SolarWinds, COMB and Verkada all received a shoutout in the mid-year worst password award list, but a list of the worst password misfortunes wouldn’t be complete without these very unfortunate password leaks. Allow us to remind you:

SolarWinds: In February 2021, both current and former SolarWinds execs blamed an intern for using the entirely-all-too-insecure password solarwinds123, which was leaked online. We’d make a comment here, but Rep. Katie Porter said it best: “I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad.”

COMB: As cryptocurrency soared, bitcoin users were locked out of both their wallets and potential fortunes due to forgotten passwords. Listen, people—Post-its get lost, built-in browser storage doesn’t work everywhere, and you shouldn’t leave the keys to your online kingdom up to memory. Password managers are the most secure, universal solution, not to mention a lifesaver in instances like these.

Verkada: After an international hacker collective breached its systems with a username and password found on the internet, they accessed Verkada customer cameras, which ranged from the Technoking of Tesla’s factories and warehouses to Equinox gyms, hospitals, jails, and schools. It’s unlikely Musk will mock this in his upcoming SNL monologue—avoidable data breaches are no laughing matter.

And the list continues…

RockYou2021: We will, we will rock you—or hack you. We like to call this one the Queen of all password leaks. A forum user posted a massive 100 GB TXT file that contained 8.4 billion passwords.

Facebook: Or Meta? We’re not sure what to call it, but what we do know is that 2021 has not been the year for them. 533 million Facebook users were exposed in this data breach. Keep them coming, Facebook—the way data is handled by you continues to be a juicy topic of conversation at every dinner party.

Ticketmaster: Master of tickets but definitely not master of passwords. Employees utilized unlawfully obtained passwords to hack a rival company’s computer systems. During a year where people were avoiding coughs, the ticket sales and distribution company coughed up a $10 million fine from the hack.

GoDaddy/WordPress: GoDaddy domain-ates the internet, but it does not dominate password security. In 2021, the data of up to 1.2 million of its customers was exposed after hackers gained access to the company’s managed WordPress hosting environment.

ActMobile Networks: Does the “p” in VPN stand for public or private? ActMobile Networks, which operates several VPN brands, continues to deny the compromise of 45 million user records that included email addresses, encrypted passwords, full name and username; 281 million user device records including IP address, county code, device and user ID; and 6 million purchase records including the product purchased and receipts. Pop quiz: How many credentials were stolen from user accounts on’s website? The answer is 8.3 million. The attackers exfiltrated the site’s database, which was then offered for sale on underground forums and Telegram channels. The database contents include plaintext passwords, emails, and IP addresses. The population of New York City is 8.4 million. We’ll let that sit with you for a bit.

New York City Law Department: While many believe New York City handled COVID-19 well, the same doesn’t go for the city’s law department handling their online credentials. New York City’s Law Department holds some of the city’s most closely guarded secrets: evidence of police misconduct, the identities of young children charged with serious crimes, plaintiffs’ medical records and personal data for thousands of city employees. But all it took for a hacker to infiltrate the 1,000-lawyer agency’s network in June was one worker’s stolen email password.

The 2021 Worst Password Offenders list serves as an annual reminder of how easy it is to make an internet faux pas, even when we think we’re protected. Data from Verizon’s 2021 Breach Investigations Report shows that the average cost of a data breach is $4.24 million and that 80% of breaches are caused by weak, reused and stolen employee passwords.

Practical advice to help businesses keep their employees from taking the bait

  • Create a culture of security where employees understand their roles in protecting your company’s data and IT resources, are active participants in ongoing security conversations, and have the tools they need to maintain good security habits without impeding their work.
  • Train employees how to identify and report suspected security incidents and threats. Consider creating a special email or channel for them to reach out to.
  • Adopt technology such as endpoint security, password managers, and email security.
  • Measure your program’s effectiveness. Some password managers include a password health feature that tracks your company-wide password security scores over time.
  • Stay vigilant. Utilize tools that help evaluate the effectiveness of your organization’s security for free.

Don't miss