Mark Zuckerberg Was Hacked Because Passwords Are Hard

And making them isn’t getting any easier

Ringer Illustration

Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts were recently compromised, likely as a result of a mass LinkedIn password hack. (If you have not already done so, go change your LinkedIn password.) The fact that Zuckerberg can fall victim to a security breach is not a surprise. What is a surprise is how bad his password was: according to the hackers, his password was “dadada.”

As in, “Da Da Da.”

It’s a comically bad password. It doesn’t have special characters or numbers. It doesn’t even have an uppercase letter. It’s only two letters, just repeated. It’s very, very bad.

Neither Zuckerberg nor Facebook has commented on the hack or confirmed the password, but if this is indeed accurate, “dadada” lacks nearly every characteristic of a strong password. The hack also would suggest he used the same password for his Pinterest and Twitter accounts, another failing. “This is another perfect example of how humans — even those in the tech field — are inherently bad at making passwords,” says LastPass CEO and cofounder Joe Siegrist. “I cannot stress enough the importance of creating unique passwords for every account. If you’re not doing this, you’re doing it wrong.”

Zuckerberg is hardly alone. Our overabundance of logins has made keeping track of passwords a painful endeavor, even with the help of apps like LastPass and 1Password. (Because, you know, you need to have the passwords for those apps, or else you can get locked out of all your accounts entirely. I speak from experience.) “I think the most interesting thing here is how ‘Man Reuses Password on Multiple Sites’ is a headline,” says Troy Hunt, a Microsoft regional director. “It sounds like Zuck has essentially just done what so many others do, but of course in his position, it becomes a very newsworthy event.”

Making fun of Zuckerberg for his password faux pas is low-hanging fruit, but what actually qualifies as “good” password behavior might be changing. According to the Federal Trade Commission, mandatory password changes, for example, could be part of the problem, not the solution.

“There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily,” writes Lorrie Cranor, FTC chief technologist. “Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)” Translation: Even if something like the LinkedIn-password dump happens and you change your password as advised, it might not help if you aren’t (a) changing it often enough, (b) changing the passwords on all accounts using the same password or a variation of it, (c) changing those respective passwords enough, and (d) ensuring that the original, potentially hacked account didn’t include access to other apps/accounts that could then be compromised. And if it did, follow this cascading waterfall of password hell again. Then repeat when yet another service is undoubtedly hacked next week.

“Forcing password changes often can paradoxically lead to poor password habits as users have to deal with being forced to make a system that is memorable,” says Siegrist, noting that a tool like LastPass can both create a complex password for you and remember various logins (just don’t lose that master password, trust me). He also notes that despite such warnings, it doesn’t appear that sites are going to be making this process less difficult. “It does create friction for account registration,” he notes, but says lowering security isn’t exactly a better option.

Making matters more complicated, in a paper titled Validating an Agent-Based Model of Human Password Behavior, researchers found that the truth about password strength and what we think about it don’t really match. Essentially, users wildly underestimate how bad their passwords are. One interesting idea the group wants to study further, though, is whether it’s not just ignorance on our part — maybe it’s ambivalence. “If she [the user] hears about attacks on a regular basis, would she become indifferent toward password security as she perceives it to be out of her control?” the authors of the study wonder.

Is it just too hard to create a good password? Maybe. It’s certainly starting to feel like it, especially when even Mark Zuckerberg is unable to thwart hackers. According to identity-management service Gigya, a recent survey showed 26 percent of respondents had an online account compromised within the last year.

That same survey also revealed that barriers to password creation or logging in caused users to abandon websites — if a new site makes it too hard to create a secure password, users are likely to give up and stop using the service altogether. Obviously that’s bad news for that brand, so there’s less motivation to promote password security. Thus, the cycle continues.

So what’s the solution? There’s the biometric answer, meaning data from fingerprints and eye-scanning will unlock accounts, but there are ample barriers — both technological and regulatory — before such applications are rolled out en masse. There are solutions like 4-D password authentication, which would use real-world acts to unlock an account (e.g., a gesture made with your hands after typing in a password).

But such solutions are still very much in the R&D phase; sure, you can use fingerprint unlock for a handful of apps, but you still need to know that string of characters you created to get into your email. For now, we’re solidly stuck in keyboard territory. When I asked Hunt if Zuckerberg’s mistake hinted we were reaching a tipping point with the current state of passwords, he told me that, sadly, we are not. “A tipping point would imply that something will change, but I don’t think that’s the case,” he says. “There’s no evidence that anything will change anytime soon.”