back to article Mark Zuckerberg's Twitter and Pinterest password was 'dadada'

Mark Zuckerberg’s Twitter and Pinterest accounts were hacked over the weekend. The breach apparently happened after the Facebook boss’s login details were exposed via the recent LinkedIn password dump. This implies Zuckerberg reused passwords across multiple sites or perhaps that the format of the password he chose for other …

  1. msknight Silver badge

    Should have changed it to...

    "duhduhduh"

    1. Anonymous Coward
      Anonymous Coward

      Re: Should have changed it to...

      Too difficult for Zuckerberg and his drones to remember.

      1. Anonymous Coward
        Anonymous Coward

        Re: Too difficult for Zuckerberg and his drones to remember.

        Oh yeah, that idiot Zuckerberg and his moronic team who just happen to run one of the most successful internet businesses in the world. Thank God all us clever people know the real way to make a difference is to anonymously post bullshit on the internet.

        I have a massively complex password Zuckerberg, think about that as you're having a Scrooge McDuck swim in your vault of cash this evening!!! You naive fool!

        1. Anonymous Coward
          Anonymous Coward

          Re: Too difficult for Zuckerberg and his drones to remember.

          Sorry, facebook is not an OS, it's not a compiler, it's not a word processor or database. Nor it is a good indexing algorithm like Google search. Facebook is just a stupid application for people in need of showing off, or too luser to have a life. It just happened to become more used than many similar ones because of good PR, media pumping it, and lots of idiots believing it. Actually, to develop something like facebook you need to have a first hand knowledge of how many gullible idiots there are around.

          To become very rich, you don't need to be really clever and skilled. Sometimes, all you need is little ethics, and a lot of luck. There are several examples of "successful business" built on nothing. That's how the world works, sure, good for them, but nobody and nothing will force me to think they are "exceptional" people. They are still morons. Lucky ones, but morons.

          Sure, later he needed to hire some more skilled people to run the infrastructure needed to exploit idiots, but it's not like, say, launching a rocket and then landing it on a barge....

          1. This post has been deleted by its author

          2. Eli le Fey
            Holmes

            Re: Too difficult for Zuckerberg and his drones to remember.

            You are so right. I realize that fb is the cheap, transfat laden generic cheetohs of the net. I am so freaking tired of his political bs, he suffers from Delusions of Adequacy and is now trying to run the political scene. He's not really "one of them" but they gladly take his money. The censorship is getting out of hand, and you absolutely are right about the users (losers) Remember that fb was begun by some pasty faced fratgeeks as a way to bash and harass women who wouldn't got out with them. I am ashamed to admit I use(d) it but since I got blocked again for not being PC (I referred to the rapefugees in Sweden) I realize it's time to delete the account. Thank you for reminding me. I feel like Stan in that South Park episode "You have 0 friends"

        2. William 3 Bronze badge

          Re: Too difficult for Zuckerberg and his drones to remember.

          *ahem*, Zuckerberg is just an extremely lucky person, someone who was in the right place at the right time. He was a third rate programmer then, and probably hasn't touched a line of code in the last 5 years.

          He just a standard frat boy that won the lottery. He setup facebook to get laid remember. He didn't sit down and plan "hey, I'm going to make an international company, anyone interested".

          These days he spends most of his time speaking with accountants, his tax advisor, the board of directors and his legal team to see how to maximise his "product" (ie, you) by lobbying politicians, including being happy to enable censorship for those governments to turn a blind eye to his goings on.

          There was no skill in Facebook, there was no strategic planning, there was no end vision, it was just some egotistical frat boy trying to get laid.

          Try not to rewrite history to those who lived through it, thanks.

          1. Pascal Monett Silver badge

            Extremely lucky - and not bothered one bit about taking other people's code without permission.

            Let's not forget that.

    2. This post has been deleted by its author

    3. PleebSmasher
      Megaphone

      Re: Should have changed it to...

      Or "dadadadada" for a certain song with Snoop Dogg in it.

    4. Stoneshop Silver badge
      Coat

      Re: Should have changed it to...

      "Ichliebdichnichtduliebstmichnicht"

    5. Anonymous Coward
      Anonymous Coward

      Re: Should have changed it to...

      How about.. boofuckingwho? Oh that is my sentiment.

  2. smartypants

    Passwords + humans != security

    No denying it (but feel free to anyway!)

    1. Anonymous Coward
      Anonymous Coward

      Re: Passwords + humans != security

      I'd even go so far as to say:

      Passwords + humans ≠ security

  3. Andytug

    Must be...

    a Kraftwerk fan...

    1. A Non e-mouse Silver badge
      Happy

      Re: Must be...

      Or a Police fan. I wonder if his Facebook password is "DoDoDo"....

      1. John Lilburne

        Re: Must be...

        I wonder if his Facebook password is "DoDoDo".

        More likely "I'llBeWatchingYou"

    2. Steve K Silver badge

      Re: Must be...

      Trio, surely?

    3. Anonymous Coward
      Anonymous Coward

      Re: Must be...

      A Trio fan, surely

      1. Drat

        Re: Must be...

        Funny, I just assumed he was trying to dodge a rocket...

    4. FuzzyWuzzys

      Re: Must be...

      It was Trio, a Flemish group I believe. Wasn't one of their number once a member of Manfred Man?

      1. allthecoolshortnamesweretaken

        Re: Must be...

        What are you, under 40? Seriously...

        Trio - Da Da Da

        Trio - Da Da Da (english version)

        Trio on Wickedpedia

  4. Anonymous Coward
    Anonymous Coward

    Yes, please issue me client certificates...

    ... instead of asking my phone number to track me better across different sites...

  5. Anonymous Coward
    Happy

    Golden Opportunity missed

    Bet on stock crash

    Wait until stock market opens.

    Announce retirement on LinkedIN

    Cash in.

    1. Anonymous Coward
      Anonymous Coward

      Re: Golden Opportunity missed

      Or...

      Do nothing...contact Yahoo...give them the credentials to post a fake buyout message. Increase company value beyond a happy meal.

      Profit.

  6. Hans Neeson-Bumpsadese Silver badge

    Making a hash of things

    It mystifies me why anybody would store a password in a database, regardless of whether or not it's in encrypted form.

    Any time I'm designing a back end that needs to perform authentication, I store a hash of the user's password. When they try to log on, hash what they provide and compare that with the hash in the database.

    If anyone manages to break into or steal the database, all they have is hashes, from which it will be very hard to reverse engineer the password itself.

    1. Kanhef

      Re: Making a hash of things

      If someone steals the database, they don't need to reverse the hashes. They'll just throw a dictionary file at your hashing algorithm and look for matches. Doesn't take too long to brute-force every password up to 6 or 8 characters long as well. This is why you should be salting the passwords before hashing them, and forcing users to have sufficiently long passwords.

      1. Hans Neeson-Bumpsadese Silver badge

        Re: Making a hash of things

        you should be salting the passwords before hashing them, and forcing users to have sufficiently long passwords.

        And I do. I thought that kind of goes without saying, which is why I went without saying it ;-)

    2. Anonymous Coward
      Anonymous Coward

      Re: Making a hash of things

      By your enthusiasm for hashes, I'd guess you still ballsed it up. Don't worry nobody ever gets it right.

      1. Are your hashes upgradable in-place? Are you storing the algorithm and iteration count along with the hash for each user? Could you smoothly upgrade from bcrypt to argon2?

      2. Using a key derivation function? There's zero need to build your own, but if you did are you iterating correctly by feeding the password + hash back though the HMAC?

      3. How is your database setup? A stored procedure which takes a challenge string, and returns a boolean is immune to SQL injections. And you can lock-down the table's permissions to execute only.

    3. Adam 1 Silver badge

      Re: Making a hash of things

      > If anyone manages to break into or steal the database, all they have is hashes, from which it will be very hard to reverse engineer the password itself.

      Before throwing stones here, a consumer grade GPU can compute 18 billion (yes with a B) sha1 hashes per second. Most English dictionaries have between 80 and 500 thousand words for some perspective. Or the hash of every possible 5 character password within a second. Very hard should always be understood in context of available number crunching capabilities.

      But yes, there is a good chance that the passwords were not hashed enough times with sufficient salt.

      It is also a really dumb password and was reused at multiple sites.

  7. Uberseehandel

    if it walks like a duck, and it quacks like a duck.....

    What a relief, he acts as he looks

    1. FuzzyWuzzys
      Facepalm

      Re: if it walks like a duck, and it quacks like a duck.....

      Surely those D's should be F's?!

    2. Mark 85 Silver badge

      Re: if it walks like a duck, and it quacks like a duck.....

      What a relief, he acts as he looks

      Then it should be: "if walks like a twit and it acts like a twit...."

    3. Magani
      Happy

      Re: if it walks like a duck, and it quacks like a duck.....

      Remember,

      Beauty is only skin deep, but

      Stupid goes right to the bone.

  8. Anonymous Coward
    Anonymous Coward

    Still on FriendFace? Duhduhduh

  9. moiety

    "It also serves as a reminder that two-step verification, which LinkedIn supports for all of its users, is not enough in this age of rapidly advancing attacker capability"

    ...alternately, you could try not re-using weak passwords. And wasn't it LinkedIn who got thoroughly pwned with unhashed passwords, or am I thinking of someone else?

    1. lglethal Silver badge
      Go

      Yep you're remembering right (if I'm also remembering right, that is!).

      The LinkedIn breach was from 2012 and they were unhashed (or very weakly hashed) passwords. Ok so he reused passwords, most of us do that on throwaway accounts, big deal. However, the claims that two factor authentication is borked, and using this as an example is total bollocks, this has nothing to do with two factor authentication, this is all to do with very poor database security and the re-using of old passwords on throwaway accounts. (I'm assuming throwaway since from what I read elsewhere Zucks pinterest account had 30 photos on it. Yep sounds like he's using that a lot, doesn't it... )

  10. Anonymous Coward
    Anonymous Coward

    DADADA

    Sounds like someone's been watching Russian porn :P

    1. Ralph B

      Re: DADADA

      More likely he's a fan of the 80's German band Trio.

      Meanwhile, in case you're interested, I'm in favour of making social networks so secure that no-one can use them any more.

      1. Anonymous Coward
        Anonymous Coward

        Re: DADADA

        > More likely he's a fan of the 80's German band Trio.

        That makes sense for Zuck since the lyrics continue "I don't love you, you don't love me".

  11. Paul Woodhouse

    I rather suspect that he didn't place all that much importance on his twitter and pinterest accounts and just used a throwaway password on them.

    1. Paul

      or he has a social media personal assistant who is charged with setting up accounts for him on any new services that get created, and that PA creates accounts with easy to use passwords and Zuck is meant to login and set them to something strong.

      1. Anonymous Coward
        Anonymous Coward

        Probably he has the average social media personal assistant who's been hired because he/she looks good, talks well, and can serve a good coffee if required. He/she can also type some carefully crafted sentences, sometimes written by some upper "entity", using some "media outlet" she/he has been told to use.

        Proper security mindset is, of course, not required nor any training has been provided.

        Why should Zuck spend time logging in? He has to annoy even astronauts who believed they were far enough from facebook....

    2. Stoneshop Silver badge
      Holmes

      Zuckerberg on privacy

      "Privacy is no longer a social norm", and in this case he's putting his money info where his mouth is.

      Doesn't mesh with spending 100 million to protect his privacy though. Quod licet Jovi non licet bovi, apparently.

    3. Cedders

      > I rather suspect that he didn't place all that much importance on his twitter and pinterest accounts and just used a throwaway password on them.

      I would have thought it was a deliberate statement about Zuckerberg's trust of and belief in the worth and security of rival services.

  12. Joseph Haig

    Really?

    I don't doubt that Zuckerberg's accounts have been hacked but is there any independent confirmation that the password was 'dadada' and that wasn't just a joke? Everyone appears to be blindly accepting something someone posted on social media (and how well that has worked in the past) but it does seem a little unlikely.

    1. BasicChimpTheory

      Re: Really?

      @Joseph Haig

      I'd imagine that a strongly-worded denial would have accompanied the existing emission from Facilebook if that were the case.

      That might just be me, though.

  13. steoleary

    Re-Secured?

    "The affected accounts have been re-secured" - With passwords like that, I don't think they really counted as being secure in the first place.

    1. Alumoi
      Pint

      Re: Re-Secured?

      Bet you a pint they just added another da?

      1. Naselus

        Re: Re-Secured?

        "Bet you a pint they just added another da?"

        That's why you're not a supergenius like Zuck. He knows that the best way to REALLY increase security is putting a 1 on the end instead.

        1. BuckeyeB
          Thumb Up

          Re: Re-Secured?

          and a 1! suffix to REEEEELY secure it.

      2. Havin_it
        Pint

        Re: Re-Secured?

        Waitaminute, surely it's cheaper than a pint to test your hypothesis...

        >clickety-click<

        ...Ooh, you crafty bugger. You've cracked it, changed the password, and are going to change it back to "dadadada" just in time for whoever's adjudicating to check it. Veeeery clever. You can have this one on the house.

      3. Adam 1 Silver badge

        Re: Re-Secured?

        > Bet you a pint they just added another da?

        Nope, changed all the a's to @.

  14. PaulR79

    Alleged "hack"

    "A previously unknown prankster hacking group called Ourmine boasted about the alleged hacks, The hackers claimed that they found his password – dadada – in the LinkedIn dump."

    Surely finding a password using CTRL + F and then using it does not equate to hacking.

    1. Anonymous Coward
      Anonymous Coward

      does not equate to hacking

      It does if you write a super l33t script to automate it

    2. Seajay#

      Re: Alleged "hack"

      IANAL but I'm fairly confident the law would call it hacking (or equivalent naughtiness under the computer missuse act)

      1. Stoneshop Silver badge

        Re: Alleged "hack"

        the computer missuse act

        That's young women using a computer? Didn't know there was law regarding that.

        And IMO using Facebork qualifies as computer misuse anyway.

        1. DropBear Silver badge
          Joke

          Re: Alleged "hack"

          That's not only sexist but also plain wrong. It is in fact the act of botching a SUSE install...

  15. Seajay#

    Password strength lesson

    It's important to remember that he was hacked not because someone managed to brute force his weak password but because he reused that password. A password of "dadada" for LinkedIn is fine, so long as you don't also use it for your twitter account.

    Password re-use is worse than weak passwords.

    1. Havin_it

      Re: Password strength lesson

      >Password re-use is worse than weak passwords.

      Weeeeel, it *shouldn't* be, ideally salts and other techniques discussed above should be used so the stored hashes would never be the same from one site to the next. But if they all just blindly do sha1($pw) then of course it's a problem.

      1. bish

        Re: Password strength lesson

        How do salts and stored hashes protect against reused passes? I get LinkedIn's db, and find that they've only stores Zuck's hash and salt. Given he's not just any ordinary target but (a) an internationally recognisable figure with rather a lot of influence, and (b) someone who's (as of now) been known to reuse passwords, I decide he's a good target. I plug the salt into my script and bruteforce until I get a hash that matches. Huh, it's "dadada". Now I head over to a bunch of other sites and try dadada out. The salting and hashing has only protected the majority of users, because it's a PITA (and slow) to bruteforce all those salty hashes, but it hasn't actually added any (meaningful) extra protection to any individual login, and does nothing to mitigate idiot users keeping the same password for everything. Like the OP said, password reuse IS worse than weak passwords. If you find out my password for this site is 1234*, it doesn't matter too much for me since you can't use that pass to gain access to anything else of mine, and I only need to change one password to fix the breach.

        NB: I accept I may be wrong or missing something here, so do let me know if that's the case. I also appreciate that I've made quite light of bruteforcing a salted hash, but a six lowercase letter password, containing only two characters, really isn't going to pose that much of a problem. My point is, if someone set out to target Zuck and the LinkedIn db had been salted and hashed, it wouldn't have made that much difference.

        *[changes password]

  16. TeeCee Gold badge
    WTF?

    Concern?

    Reports that Facebook founder Mark Zuckerberg’s social media accounts have been hacked should concern us all.

    Well it made me laugh like a drain.......does that count?

  17. F. Svenson

    Wait.... How does this prove 2-factor has a problem?

    The comment about 2-Factor doesn't make any sense. How does a weak password, a hack of linked-in, any of that reflect on 2-Factor back to a mobile phone?

    1. Anonymous Coward
      Anonymous Coward

      Re: Wait.... How does this prove 2-factor has a problem?

      They want your mobile number. Hence the password is dead meme.

      1. Havin_it
        Black Helicopters

        Re: Wait.... How does this prove 2-factor has a problem?

        My thoughts exactly, AC. It's just a bit too bloody convenient otherwise, especially on the same day FB announce they're nobbling mobile-browser access to FB messaging and expecting everybody to use the app instead...

        They already have my number thanks to my nearest'n'dearest using FB/WhatsApp on *their* phones (cheers, y'all) but damned if I'm handing it over directly.

  18. Grunchy

    Twitter and pinterest and facebook? People still use those?

    Huh.

  19. PassiveSmoking

    That's the same combination as I have on my luggage!

    Set a course for Druidia, and change the combination on my luggage!

  20. BurnT'offering

    Two rentaquotes

    "Blah blah blah .... buy my product"

  21. Halcin
    Mushroom

    Err?

    All the comments so far have criticised/complained about users password choice.

    Who are the experts?

    A: LinkedIn IT staff

    B: users

    Who are responsible for ensuring the information stored on LinkedIn systems remain secure?

    A: LinkedIn IT staff

    B: users

    Who's system was breached allowing the account details of 117 million people walk out the door?

    A: LinkedIn

    B: users

    Hint: http://www.theregister.co.uk/2016/05/19/linkedin_breach/

    If you're working for/managing a company that insists on collecting a treasure trove of personal information make damn sure you keep it secure or do not collect it. No excuses.

  22. inmypjs Silver badge

    "'Idiotic' doesn't even come close"

    That bad huh?

    Ok

    short - not good

    combination of dad and ada - not good

    Position 5346 in the top 10,000 list of password - terrible and to me a bit surprising.

    To me the password I often use for sites I don't care at all about seems much more obvious yet isn't in the top 10,000 and is definitely in a dictionary unlike dadada.

  23. Cynic_999 Silver badge

    So what?

    I use a single insecure and easy-to remember password on all sites where a hacker can do little or no damage. Such as this site, for example, where the worst consequence will be that someone posts an embarrassing comment under my nym or signs me up to a load of spam directed to one of my throwaway email accounts. Which would be a minor irritation that would cost me not a second of lost sleep. Logins to sites where a breach could cause me real damage are unique and more secure. Also note that a brute-force attack on "dadada" would likely take just as long as a brute force attack on any other 6 character password.

    1. myhandler

      Re: So what?

      @cynic999:

      " So what? I use a single insecure and easy-to remember password on all sites where a hacker can do little or no damage. "

      but, but but.. someone could have logged in as Mark Z on Linked In and said "Facebook sucks, you morons" and a collapse of Gerald Ronson-esque size could ensue.

      What a golden opportunity squandered.

    2. John 104

      Re: So what?

      The so what is that this is the CEO of a company whose service millions use. If he can't take securing his own accounts seriously, how serious is he going to be about securing your information on the service that he created?

      1. Mark 85 Silver badge

        Re: So what?

        Go back to his interviews early on... he has no regard for anyone else's privacy other than his own. He did just buy a bunch of property around his house to ensure this.

  24. NomNomNom

    dadada2

  25. Mike 16 Silver badge

    More likely refers to

    https://www.youtube.com/watch?v=QtrmeorJdfc

    (Gates and Balmer in am "homage" to Trio, with a Sun workstation playing the other role)

  26. Mike 16 Silver badge

    As for username and password,

    using them alone is more secure than

    Username + Password + "password reset" secret questions that can be sussed out with a few minutes on LinkedIn or Ancestry.com. Or alternatively one can be clever enough to lie, which means one is probably writing them down somewhere because remembering the right wrong answer for my place of birth or mother's maiden name is a chore, if they change on every site, as my username and password do.

    Reusing a password (especially a simple one) is the user's fault. Mandating a larger attack surface is the site's fault. Also, how do I change my fingerprints once "Only Outlaws can buy Gummy Bears".

    1. Ben Tasker Silver badge

      Re: As for username and password,

      Personally, I don't know the answer to any of my secret questions. I generate a random string and paste that in.

      Passwords are in a manager so the questions shouldnt ever be needed, and if they are Ive bigger things to worry about.

      Does mean it's a right shit when a site suddenly updates login to include "enter character 6 of the answer to your security question" though.

      1. bish

        Re: As for username and password,

        Oh feck yes, this. "Security Questions" seemed utterly dumb to me back in the 90s, so I'd just mash keys for a minute and move on. Lost a few sweet usernames on decent sites when they then started requiring answers after suspicious login attempts.

  27. Naughtyhorse

    Because twitter and pintrest is where he keeps all his money?

  28. zen1

    I'm sorry, but...

    I wouldn't be able to forgive myself if I didn't respond with the following:

    Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha

    Thank you for allowing me to get that off my chest. Carry on,

  29. Version 1.0 Silver badge

    throw away password

    I wonder what other accounts he used the same password for?

    Who does he bank with (just kidding ...)

  30. NormB

    What's that old saying? "Don't attribute to evil what can more easily be explained by stupidity." Never heard it? Okay, I just made it up. Fits.

  31. 4til7

    Apparently the Zuckerberg is a VW fan:

    https://www.youtube.com/watch?v=5_s5-R_JE4c

    Clearly a fully Regerific article would ask it it was one of the characters and the tagline. Or perhaps he's just always felt like the little white skeleton being manipulated by others while fearing his the stinky chair that everyone wants to dump.

  32. EddieElche

    dadada is I believe (without bothering to google it) a hex colour code for a particular shade of grey!

    Seems as though Mark Z is playing a private joke on the internet.

  33. BuckeyeB

    I do use one password for all the crappy sites that require you to create a user account just to read a forum or blog. I use a stronger password for any "real" sites I use. I use a unique 12+ character password with 2-factor authentication for each bank I have an account with. I use my "hardest" password for my personal email. Personally, I think that your personal email should be the most secure password/account you own. Don't agree? Is it just email? NO. Practically any site that has a reset protocol requires that it sends a password link or code to your email. If that is compromised, your bank may well be too.

    Give me your home email + your public facebook info(ie pet's name, child's name, highschool attended, etc and someone can get into your bank with the "Forgot Password" link. Make that the most secure.

    Get it yet?

    Brian

  34. Michael Wojcik Silver badge

    more 2FA nonsense

    where users need to use a code submitted to a pre-registered mobile phone

    Screw that. No, websites, you may not have my phone number. No, you may not send me SMS messages. No, I don't always have my phone with me; it does not always have service (like, for example, inside my vacation home); it is not always charged or on.

    Mobile phones are a lousy choice for 2FA. They have far too many failure modes.

    Dedicated tokens avoid some of those issues, but they're still inconvenient, can be lost or stolen (particularly an issue with e.g. RSA SecureID tokens, less so with smartcards), and are often tied to a single authenticator.

    Passwords are an abysmal authentication mechanism. We've known that for decades. But the industry has not done a good job of coming up with anything better. It can't be solved without some additional cost to the user, but we haven't gotten anywhere close to optimizing that cost.

  35. happinessinajlove

    theregister.co.uk

    Jesus Christ. You better have some respect, talking about your friends across the water. You're talking about one of our greatest leaders now Mark Zuckerberg.

    Mind your own fucking business. I am not kidding.

    Princetastic, Mark is a real live Hand of God / King you don't think so?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019