When Netflix Shared the Worst Password Advice Ever

The proliferation of internet-based services means a lot of people now offer advice about passwords. Some of it is good, such as the simple fact that a longer password is harder to crack than a shorter one. Some password advice is so-so, such as encouraging the use of special characters. A wider range of characters increases the computational burden of an attack that relies on brute force, but a couple of extra characters of length do more for the same cost, and what about the security risks when people need to keep a record of passwords that are impossible to remember, or are forced to follow insecure procedures to replace forgotten passwords? Then there is bad advice, like the advice to change passwords regularly. If you have a really strong password that has not been compromised, keep using it. Forced periodic changes make complacency more likely, with the result that passwords become progressively weaker and more predictable. But then there was the time in 2017 when Netflix gave the worst password advice ever.
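To put numbers on the first two pieces of advice above, here is a short calculation, added for this article rather than taken from any of the advice it discusses. It compares the search space of a few password policies, converts that into the expected time for an exhaustive offline guessing attack, and contrasts both with the much smaller search space of the "dictionary word, digit, symbol" pattern that people typically produce when told to add special characters. The character-set sizes, the guess rate of ten billion guesses per second (an assumed figure for an offline attack against a fast hash) and the dictionary size of 100,000 words are all assumptions chosen for illustration.

```python
import math

# Character-set sizes for the comparison (assumed: the usual keyboard sets).
LOWER = 26          # a-z
ALNUM = 62          # a-z, A-Z, 0-9
ALNUM_SYMBOLS = 95  # all printable ASCII, including 33 symbols

# Assumed offline attack rate: 1e10 guesses per second against a fast hash.
GUESSES_PER_SECOND = 1e10

# Example policies: (label, length, character-set size). Constructed for this example.
POLICIES = [
    ("8 chars, full printable ASCII", 8, ALNUM_SYMBOLS),
    ("10 chars, letters and digits", 10, ALNUM),
    ("12 lowercase letters", 12, LOWER),
    ("16 lowercase letters", 16, LOWER),
]


def search_space_bits(length: int, charset_size: int) -> float:
    """Bits of search space for a uniformly random password of the given shape.

    This is log2(charset_size ** length), computed without building the huge integer.
    """
    if length <= 0 or charset_size <= 1:
        raise ValueError("length must be positive and the character set larger than one")
    return length * math.log2(charset_size)


def pattern_bits(dictionary_size: int, digits: int, symbols: int) -> float:
    """Bits of search space for the predictable 'Word9!' pattern.

    An attacker who knows the pattern only has to try every dictionary word
    combined with every trailing digit and symbol, so the space is the product.
    """
    return math.log2(dictionary_size * digits * symbols)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a password by exhaustive guessing: half the space on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_policies(policies, guesses_per_second):
    """Return (label, length, charset, bits, years) rows sorted from weakest to strongest."""
    seconds_per_year = 365.25 * 24 * 3600
    rows = []
    for label, length, charset in policies:
        bits = search_space_bits(length, charset)
        years = expected_crack_seconds(bits, guesses_per_second) / seconds_per_year
        rows.append((label, length, charset, round(bits, 1), years))
    rows.sort(key=lambda row: row[3])
    return rows


def strongest(policies, guesses_per_second) -> str:
    """Label of the policy with the largest search space."""
    return compare_policies(policies, guesses_per_second)[-1][0]


if __name__ == "__main__":
    for label, length, charset, bits, years in compare_policies(POLICIES, GUESSES_PER_SECOND):
        print(f"{label:32s} {bits:6.1f} bits  ~{years:12.2e} years")
    word_bits = pattern_bits(100_000, 10, 33)
    print(f"{'dictionary word + digit + symbol':32s} {word_bits:6.1f} bits")
```

Eight characters drawn from the full printable set give about 52.6 bits, while sixteen plain lowercase letters give about 75.2 bits: roughly days versus tens of thousands of years at the assumed guess rate. The human-chosen "Word9!" pattern, the usual result of a special-character rule, is worth about 25 bits, which is why the rule is so-so advice rather than good advice.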

The impact of password sharing on revenues was already a hot topic of discussion amongst risk professionals before this ill-judged comment. The subject was discussed by my own association, the Risk & Assurance Group, a full year before Netflix’s tweet. A 2019 study concluded that a quarter of US consumers stream video from another household’s account. And there have been multiple reported cases of criminals making money by reselling passwords for streaming services.

It may have taken them five years, but Netflix is now understanding why the sharing of passwords is harming their business. A few weeks ago they announced a new policy for Chile, Costa Rica and Peru which will encourage customers to pay for additional ‘sub-accounts’ when there is evidence that their Netflix services are watched by viewers at other addresses. This is described as a ‘test’ of ‘new features’. It would be more accurate to say Netflix is experimenting with how to deal with the blowback they will receive before they take any risks with the much larger revenues they generate in the USA.

Internet businesses go through a typical growth pattern where priorities and attitudes change over time. Little attention is given to the abuse of services when the business is first being established and the most important goal is to add more customers. Fraud and crime may be subtly or not-so-subtly encouraged by marketeers in order to sweeten the appeal of an unfamiliar proposition. It is only later, when growth plateaus, that more emphasis is placed on implementing controls to enforce contracts. But if millions of passwords have already been shared, it will prove difficult to increase revenues by curtailing the abuse. The marketeer who carelessly decided to encourage the sharing of passwords in 2017 will be different to the person making difficult decisions in 2022 about whether some customers should be disconnected for repeated contract violations.

And no, this article is not a prank for April Fool’s Day. Somebody in Netflix really wrote that tweet in 2017. One day they will delete it, which is why I saved this screen grab.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.