NEW YORK — In Mel Brooks’ 1987 spoof “Spaceballs,” there was a recurring joke about the incredibly weak passcode “12345.”
“That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage!”
Thirty years later, people are still using incredibly idiotic passwords, even to protect their sensitive data and accounts.
In a massive recent theft of Twitter usernames and passwords involving nearly 33 million customers, “123456” was by far the most commonly used passcode, according to security company LeakedSource. More than 120,000 people whose credentials were hacked had used “123456” as their Twitter password.
That was followed by “123456789,” “qwerty,” “password,” and a host of other easily guessable passwords (including Spaceballs’ “12345”).
LeakedSource revealed Wednesday that a hacker who goes by the moniker Tessa88 stole 32,888,300 Twitter credentials. LeakedSource found the database on an online black market, and Tessa88 was trying to sell it for 10 bitcoins (about $6,000).
Twitter says it is “confident” its systems weren’t breached — it’s more likely that Tessa88 used malware installed on people’s computers to log the usernames and passwords and send them back to the hacker. But Twitter said it is monitoring the list, and working with LeakedSource and working to secure affected customers’ accounts.
Possibly as a result of Tessa88’s heist, several high profile celebrities and business’ Twitter profiles have recently been hacked. The NFL falsely tweeted out Tuesday that Commissioner Roger Goodell had died. Katy Perry’s account started spewing racist speech. Drake, Mark Zuckerberg and even Twitter co-founder Evan Williams were also hacked recently.
Strong passwords are helpful, but they wouldn’t have made much of a difference in this case — if a hacker is logging your keystrokes, it doesn’t matter how strong your password is.
That’s why Twitter and other online services provide two-factor authentication as a security option. With two-factor authentication, you need your password in addition to a code texted to your smartphone in order to log in.