20.5k unique visitors in the last 3 days

When Netflix Shared the Worst Password Advice Ever

Netflix wants customers in Chile, Costa Rica and Peru to pay more if their accounts are being accessed by multiple households, but they used to openly encourage the sharing of passwords.

The proliferation of internet-based services now means a lot of people offer advice about passwords. Some of it is good, such as the simple fact that a longer password will be harder to crack than a shorter one. Some password advice is so-so, such as encouraging the use of special characters. A wider range of characters will increase the computational burden for a hack that relies on brute force, but what about the security risks when people need to keep a record of passwords that are impossible to remember, or are forced to follow insecure procedures to replace forgotten passwords? There is bad advice, like the advice to regularly change passwords. If you have a really strong password then keep using it. Regularly changing passwords makes complacency more likely, with the result that passwords become progressively weaker. But then there was the time in 2017 when Netflix gave the worst password advice ever.

The impact on revenues of password sharing was already a hot topic of discussion amongst risk professionals before this ill-judged comment. The subject was discussed by my own association, the Risk & Assurance Group, a full year before Netflix’s tweet. A 2019 study concluded a quarter of US consumers stream video from another household’s account. And there have been multiple cases of criminals making money by reselling passwords for streaming services; see here, here and here.

It may have taken them five years, but Netflix is now understanding why the sharing of passwords is harming their business. A few weeks ago they announced a new policy for Chile, Costa Rica and Peru which will encourage customers to pay for additional ‘sub-accounts’ when there is evidence that their Netflix services are watched by viewers at other addresses. This is described as a ‘test’ of ‘new features’. It would be more accurate to say Netflix is experimenting with how to deal with the blowback they will receive before they take any risks with the much larger revenues they generate in the USA.

Internet businesses go through a typical growth pattern where priorities and attitudes change over time. Little attention is given to the abuse of services when the business is first being established and the most important goal is to add more customers. Fraud and crime may be subtly or not-so-subtly encouraged by marketeers in order to sweeten the appeal of an unfamiliar proposition. It is only later, when growth plateaus, that more emphasis is placed on implementing controls to enforce contracts. But if millions of passwords have already been shared, it will prove difficult to increase revenues by curtailing the abuse. The marketeer who carelessly decided to encourage the sharing of passwords in 2017 will be different to the person making difficult decisions in 2022 about whether some customers should be disconnected for repeated contract violations.

And no, this article is not a prank for April Fool’s Day. Somebody in Netflix really wrote that tweet in 2017. One day they will delete it, which is why I saved this screen grab.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email