Image: Twitter

White House Press Secretary and shouting ball of wax Sean Spicer has tweeted plenty of dumb things. (And who among us hasn’t?) This morning, though, he may have accidentally compromised the security of his Twitter account.


At 8:42am Spicer sent a string of nonsense out to the world: “n9y25ah7.” It’s not long enough to be the sort of cryptographic hash we’ve seen Julian Assange tweet out in the past—but it’s just about the right length to be a Twitter password. While the string of characters wouldn’t make for a terrible password, it does lack capital letters which suggests that this might be a pocket tweet.


And it’s not the first time he’s tweeted out nonsense that just happens to be eight characters in length, and then deleted it hastily. (The minimum password length on Twitter is six characters, by the way.)

A quick but important disclaimer: don’t try to access Sean Spicer’s Twitter. For starters, his staff has almost certainly changed the password by now. But more importantly, doing so is illegal under the Computer Fraud and Abuse Act (CFAA.) There are much better opportunities to end up in jail—like protesting, or covering protesters as a journalist.



It remains unclear whether Spicer really did tweet his password or just has a penchant for pocket-tweeting. Some have hypothesized that the random characters could have ended up on Spicer’s Twitter feed, because he was trying to log in using two-factor authentication and just screwed up. Since the tweet was deleted so quickly, it’s pretty safe to say that it was a mistake of some sort.


Or maybe these garbage tweets are just another attempt to send us journalists chasing after something audacious instead of the more impactful failings of the Trump administration. If these are indeed passwords, however, Spicer seems to be fitting right in with an administration which has reportedly shown a brazen disregard for operational security by using private email addresses. POTUS himself allegedly continues to tweet out threats to entire nations from an unsecured Android device.

As far as “hacking defense” goes, Spicer’s is among the worst.