People seem to be showing various degrees of trust in our new president, but here’s a sign that some probably trust him too much: A scan of Insedia’s Pitchfork database of stolen credentials shows lots of users employ “trump,” or a slight variation, as their password.
That’s bad digital hygiene.
With Insedia’s help, I queried the Pitchfork database of 4 billion records for examples of trump being used as a password. (don’t cry ‘partisan hack’ — I looked up “Hillary” and “Clinton” too.) And here’s what I found.
There’s some 15,000 passwords that begin with the word “trump.” About 80 percent of those seem to be related to musical instruments — “trumpetlove,” trumpetplayer,” and just “trumpets” are popular. (Indeed, one of those is used by someone with many accounts where the username is also trumpet). The more careful password creators use something more like “trumpet1” or “Trumpet80.” We can presume that last writer is about 37-years-old.
This is a political password story, however, so moving along — there are 50 account holders who trust defense of their accounts entirely to “trump.” (For obvious reasons, we skipped ‘Donald — but one soul even used “trumpdonald.”) There’s another 700 or so who use trump1 or trump plus another number. I did find a few overtly political examples: yes, “Trump2016,” was a password. So was “trumpforprez.” Slightly more popular was trump$ which, technically, is a better password.
Who picks these Trumpian passwords? There are some tea leaves in the data. You’d expect many yahoo accounts to turn up — after all, millions of Yahoo account records have been stolen and landed in the Insedia database. But there are also a healthy helping of accounts at Mate1.com and Neopets.com. Mate1 is what you’d expect; Neopets is a virtual pet community.
It hard to know what this means, but 162 of the Trump and trumpet passwords are for accounts at VK, which is the Russian Facebook. The password trumpplaza is in that list. Most of those accounts are linked to .ru email addresses. This doesn’t prove anything. In a database this large, some Russians were bound to appear.
We were also bound to find a .mil email address with a username that includes “sexyman” and a Trumpian password.
But what about Trump’s November opponent, Hillary Clinton? It’s a little harder to isolate passwords that nod to the Democratic candidate because both Hillary and Clinton are relatively common names. We did find nearly 9,000 passwords that merely used the word “clinton” — lower case, even. There were another 3,300 that used Hillary or Hilary. Poor choices, all, but not necessarily political choices.
There were three folks who used Hillary2000 as passwords — hard to know precisely what that means, either. The six folks who used Hillary2008 are a bit more obvious. There were no Hillary2016 passwords that we could find.
We did, however, find Hillary hate. A person who used the phrase BobDole as part of his username set “clintonsucks” as the password. It should be noted that while stolen data is added to Pitchfork every day, some of it dates back to database compromises that are a decade old – and the victims may have created the password years before. So, the database lags current events to some degree. You’d have to believe the results of a Trump-Clinton search will be much more dramatic in a few years.
Let’s get this out of the way: Passwords are a terrible way to protect your data. Human beings are terrible at remembering strings of unrelated characters – and certainly not 50 different strings of unrelated characters. It makes sense to pick passwords based on things that are easy to remember, and to base them on something obvious to you. Current events seem a ripe option for this. You might pick your daughter’s high school mascot, or your favorite baseball player, or – as in this case – the news of the day.
It’s easy to imagine there would have been lots of Reagan-based passwords back in the 1980s, perhaps Monica or “the dress” in the 90s, or even hanging chads at the turn of the millennium. These are all worthwhile building blocks. However, it’s important to remember a couple of things: Simply adding a number to an idea – HangingChads1 – might satisfy a password meter, but it won’t do much to stop a hacker. Neither will adding a “shift” character or two, like Monica!!! (which must have been said by a Clinton at some point). Sadly, politics-based passwords have the usual problems.
So, no, ‘donaldtrump’ isn’t going to protect you from Russian hackers.
Follow this story: AlertMe
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.