Netflix’s Password-Sharing Crackdown Has a Silver Lining

Look, let’s be honest. Sharing passwords is as endemic to the Netflix experience as having your favorite show canceled two seasons in. So when the streaming service starts testing ways to curtail that practice, it understandably riles up the many, many people who have come to expect communal accounts as a matter of course. And yes, it is always annoying when a gravy train goes off the rails. But even if it’s not Netflix’s top priority here, you’re much better off keeping your password to yourself.

The limited test that Netflix introduced this week is basically a form of two-factor authentication, the kind you hopefully already have on most of your online accounts. Some users have begun to see the following prompt when settling in for a binge: “If you don’t live with the owner of this account, you need your own account to keep watching.” Below that, there’s an option to get a code emailed or texted to the account owner, which you can enter to continue watching. 

A source familiar with Netflix’s trial says that the company is still in the very early stages, and sees the effort as a way both to verify who’s using what accounts and to minimize the security issues inherent in unauthorized sharing. 

Yes, security issues. And while Netflix’s flirtation with a password-sharing crackdown is by no means altruistic—not that anyone has read the terms of service, but it does specify that your account “may not be shared with individuals beyond your household”—it’s also true that sharing user names and passwords with even your closest relations can have woesome consequences.

“There seems to be a misunderstanding that sharing passwords with known individuals is not dangerous,” says Jake Moore, a cybersecurity specialist at security firm ESET. “The truth is that we shouldn’t be sharing passwords, and adding multi-factor authentication will help this process remain better protected.”

OK, but why? What’s the actual harm if I pass along my password to a cousin or not-so-casual acquaintance? It can come in a few forms. The most basic is also the most innocuous: While you might share your log-in with just one friend, you can’t control how many people they then share it with, and how many people those people share it with, and on and on, like an old Faberge commercial. When WIRED senior writer Lily Hay Newman audited the Hulu account she herself was mooching off of a few years ago, she found more than 90 authorized devices.

Admittedly, freeloaders primarily threaten the cohesiveness of your recommendations lists. It’s not the end of the world. They could also, though, steal whatever personal data your profile holds.

The much bigger issue is that the wider the password circle gets, the more risk you personally take on that your password will become compromised. And given how often people reuse passwords across multiple sites and services, that means your exposure could extend far beyond Netflix. 

“Because I shared my password with you, and you got hacked, that criminal now has my password,” says Steve Ragan, a researcher at internet infrastructure company Akamai. “And if I’ve used that password anywhere else on the internet, the criminal’s going to find it, and they’re going to have access to that, too. It spreads. It’s a compounding issue.”

The practice of throwing a bunch of purloined user names and passwords at various services to see what sticks is known as credential stuffing, and it’s hit the media industry particularly hard in recent years. Between January 2018 and December 2019, credential stuffing attacks targeting video services doubled, according to Akamai research. The media industry as a whole saw 18 billion attempts over that same stretch. When Disney+ launched, thousands of accounts immediately popped up on dark web markets as hackers sniffed out the password-reusers. “Short term, what this is going to stop is the bulk sale of credentials of this type,” says Ragan.