Seriously? He chose “dadada” as his password? That was the Fortune tech team’s reaction to a security lapse in which hackers broke into social media accounts belonging to Facebook (FB) CEO Mark Zuckerberg.
The breach, which surfaced over the weekend, came about because Zuckerberg used the same password to log in to different websites. Thus, when his password turned up alongside millions of others in that massive LinkedIn (LNKD) breach, the hackers simply tried plugging “dadada” into Zuck’s Twitter (TWTR) and Pinterest accounts—and, voila, they were in.
The damage wasn’t serious. All the intruders did was to deface the accounts by posting a chortling message that said “hacked” next to Zuckerberg’s profile picture. And in any case, the hackers didn’t really hit an important account since Zuckerberg hasn’t tweeted in years and it looks like he never got that into Pinterest.
Still, it was startling that Zuckerberg had been so careless. Not only did the tech titan choose a relatively simple password, he had also failed to turn on “two-factor authentication”—a tool, which is becoming ever more mainstream, that requires a user to enter a text message code if they log in from a new device. (Both Pinterest and Twitter support two-factor authentication and, if Zuckerberg had activated it, the hackers would not have been able to get into the accounts even with his password.)
Our first reaction was thus a sort of smugness: The head of Facebook, a company respected for its security, should have been using a long complicated password with lots of special “&$*#” characters. He should have had a different password for every account. And he should have bolted on the extra verification feature.
Instead, he signed on to social media the same way the rest of us mortals do.
Tech baron or not, Zuckerberg is human just like the rest of us. And humans find following perfect security practices across dozens of online accounts a giant pain in the neck, so almost none of us do it.
Sure, it may be a good idea to use a password manager like OnePass or Dashlane. And you should definitely turn on two-factor authentication for the accounts you use the most, especially as it’s not hard to set up or use.
But that still won’t be enough to achieve perfect security. One reason is that, as Fortune writer David Meyer pointed out in regard to the LinkedIn breach, many of us can’t even remember all the accounts we’ve signed up for over the years.
In the bigger picture, the current password mess will only be solved when we move away from passwords altogether and begin to rely instead on biometric forms of authentication. But until that happens, Zuckerberg and the rest of us will keep slipping up and relying on phrases like “dadada” to protect ourselves.