The proliferation of internet-based services now means a lot of people offer advice about passwords. Some of it is good, such as the simple fact that a longer password will be harder to crack than a shorter one. Some password advice is so-so, such as encouraging the use of special characters. A wider range of characters will increase the computational burden for an attack that relies on brute force, but what about the security risks when people need to keep a record of passwords that are impossible to remember, or are forced to follow insecure procedures to replace forgotten passwords? Then there is bad advice, such as telling users to change their passwords regularly. If you have a really strong password then keep using it. Regularly changing passwords makes complacency more likely, with the result that passwords become progressively weaker. But then there was the time in 2017 when Netflix gave the worst password advice ever.
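The trade-off between length and character range can be put in numbers. The following is an added example, not part of the original article: it computes the guessing entropy of a uniformly random password, the average time a brute-force search would need at an assumed guess rate, and how many lowercase-only characters match a shorter password drawn from the full printable set. The character-set sizes and the guess rate are assumptions for illustration.

```python
import math

# Assumed character-set sizes (illustrative; the article gives no figures).
CHARSETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed+digits": 62,
    "mixed+digits+symbols": 95,
}


def keyspace(length: int, charset_size: int) -> int:
    """Number of possible passwords of the given length and alphabet."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Guessing entropy in bits for a uniformly random password."""
    return length * math.log2(charset_size)


def average_crack_seconds(length: int, charset_size: int,
                          guesses_per_second: float = 1e10) -> float:
    """Expected time for exhaustive search; on average half the space is tried.

    The guess rate is an assumption, not a measured figure.
    """
    return keyspace(length, charset_size) / 2 / guesses_per_second


def lowercase_length_matching(length: int, charset_size: int) -> int:
    """Smallest lowercase-only length with at least as much entropy as the
    given (length, charset) combination, found by searching upward."""
    target = entropy_bits(length, charset_size)
    candidate = 1
    while entropy_bits(candidate, CHARSETS["lowercase"]) < target:
        candidate += 1
    return candidate


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (8, 12, 16):
            print(f"{name:22s} len={length:2d} "
                  f"bits={entropy_bits(length, size):5.1f} "
                  f"avg crack={average_crack_seconds(length, size):.3g}s")
    print("lowercase length matching 8 chars from 95-symbol set:",
          lowercase_length_matching(8, CHARSETS["mixed+digits+symbols"]))
```

Adding four lowercase characters (8 to 12) adds more entropy than switching all eight positions to the full 95-symbol alphabet, which is the sense in which length beats special characters; the usability cost of the two choices is very different.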
Love is sharing a password.
— Netflix (@netflix) March 10, 2017
The impact on revenues of password sharing was already a hot topic of discussion amongst risk professionals before this ill-judged comment. The subject was discussed by my own association, the Risk & Assurance Group, a full year before Netflix’s tweet. A 2019 study concluded a quarter of US consumers stream video from another household’s account. And there have been multiple cases of criminals making money by reselling passwords for streaming services; see here, here and here.
It may have taken them five years, but Netflix now understands why the sharing of passwords is harming their business. A few weeks ago they announced a new policy for Chile, Costa Rica and Peru which will encourage customers to pay for additional ‘sub-accounts’ when there is evidence that their Netflix services are watched by viewers at other addresses. This is described as a ‘test’ of ‘new features’. It would be more accurate to say Netflix is experimenting with how to deal with the blowback they will receive before they take any risks with the much larger revenues they generate in the USA.
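The policy rests on deciding, from viewing records, that an account is being used at more than one address. Below is an added example of one simple heuristic for that decision; it is not Netflix’s own method, and the event data, field names, window length and thresholds are all constructed assumptions. The heuristic only counts a household as persistent if it watches on at least two distinct days in the window, so a single viewing while travelling does not trigger it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample viewing events: (account_id, household_id, ISO timestamp).
# "household_id" stands for whatever the provider uses to identify an address.
EVENTS = [
    ("acct-1", "home-A", "2022-03-01T20:00:00"),
    ("acct-1", "home-A", "2022-03-05T21:00:00"),
    ("acct-1", "home-B", "2022-03-06T19:30:00"),
    ("acct-1", "home-B", "2022-03-20T22:00:00"),
    ("acct-1", "home-C", "2022-03-25T18:00:00"),   # one-off, e.g. travel
    ("acct-2", "home-D", "2022-03-02T20:00:00"),
    ("acct-2", "home-E", "2022-01-15T20:00:00"),   # outside the window
    ("acct-3", "home-F", "2022-03-10T20:00:00"),
]


def persistent_households(events, as_of: str, window_days: int = 30,
                          min_days: int = 2):
    """Map each account to the set of households that watched on at least
    min_days distinct days within the last window_days before as_of."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=window_days)
    days_seen = defaultdict(set)          # (account, household) -> {dates}
    for account, household, ts in events:
        when = datetime.fromisoformat(ts)
        if when >= cutoff:
            days_seen[(account, household)].add(when.date())
    result = defaultdict(set)
    for (account, household), dates in days_seen.items():
        if len(dates) >= min_days:
            result[account].add(household)
    return result


def flag_sharing(events, as_of: str, allowed_households: int = 1):
    """Return {account: sorted persistent households} for accounts used from
    more households than the plan allows (assumed default: one)."""
    flagged = {}
    for account, households in persistent_households(events, as_of).items():
        if len(households) > allowed_households:
            flagged[account] = sorted(households)
    return flagged


if __name__ == "__main__":
    for account, homes in flag_sharing(EVENTS, "2022-03-31T00:00:00").items():
        print(f"{account}: persistent viewing from {len(homes)} households "
              f"{homes}; prompt for {len(homes) - 1} sub-account(s)")
```

The output for the constructed data is a single flagged account, acct-1, seen persistently from two households; acct-2 and acct-3 are left alone. A real deployment would need to handle mobile use and shared IP addresses, which is where the false positives and the customer blowback come from.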
Internet businesses go through a typical growth pattern where priorities and attitudes change over time. Little attention is given to the abuse of services when the business is first being established and the most important goal is to add more customers. Fraud and crime may be subtly or not-so-subtly encouraged by marketeers in order to sweeten the appeal of an unfamiliar proposition. It is only later, when growth plateaus, that more emphasis is placed on implementing controls to enforce contracts. But if millions of passwords have already been shared, it will prove difficult to increase revenues by curtailing the abuse. The marketeer who carelessly decided to encourage the sharing of passwords in 2017 will be different to the person making difficult decisions in 2022 about whether some customers should be disconnected for repeated contract violations.
And no, this article is not a prank for April Fool’s Day. Somebody in Netflix really wrote that tweet in 2017. One day they will delete it, which is why I saved this screen grab.