Poor Password Management Can Bite Anyone, Ask Mark Zuckerberg
Mark Zuckerberg, the CEO of the largest and most popular website in the world, had his own (non-Facebook) social network accounts hacked. It is not uncommon for that to happen to someone, but for the CEO of Facebook it’s pretty embarrassing. However, in the proper light and perspective this should be a catalyst to push security practices deeper into everyone’s personal lives. Mr. Zuckerberg’s account was hacked not through Hollywood-style brute force but through his own lazy security practices. Lazy is the softest word I could use. You’d think the number one social networking site’s CEO would know about social account security better than anyone… Whoopsie.
Mr. Zuckerberg’s Pinterest and Twitter accounts were compromised and defaced through the LinkedIn 2012 breach. Reading between the lines we can clearly see several lapses in security judgement on Mr. Zuckerberg’s part. These lapses are the same bad practices we all have done and still do. It’s only a matter of time before we are all victims of one of these breaches, but there are a few simple steps to take to ensure any damage is limited to the breached site and does not spread across all your accounts.
In Zuckerberg’s case his LinkedIn account information was included in the password dump. All someone had to do was look up that account and then try the same password on other sites. This is a basic technique for exploiting poor user security and gaining access to other sites with minimal effort. In his case he had used his LinkedIn password on other sites. For a user, reuse makes account management easier because you know your password on every site. It is also very dangerous, because all it takes is for one of those sites to be compromised and, indirectly, all your accounts are compromised at the same time.
The second bad practice we can see in this scenario is password life cycle management. Zuckerberg never changed his passwords on a regular basis. The LinkedIn breach was in 2012. His other sites were compromised in June 2016. Four years, probably longer, and he never changed his passwords on any of his accounts. Your company requires you to change your password at a regular interval; you should take the same care with your own personal accounts as well.
On a side note, responsibility for this particular aspect of password management, regular resets, I put on the websites as well. In the balance of user experience and convenience most sites have no forced reset policies in place. Such a policy would have limited the exposure window from years to months.
Lastly is password composition. Zuckerberg’s password of choice was ‘dadada’. When you are talking about password complexity, his had none. I put ‘daddy’ into howsecureismypassword.net and it came back that it could be cracked INSTANTLY.
What are the simple things he and you can do to prevent this from happening? There are really two simple things you can do right now that would have prevented a hack like this from happening.
- Use a password manager: complex passwords and no password reuse
  - A tool to manage all your online accounts’ usernames and passwords. It keeps them in order, reports when you reuse a password on two sites and, most importantly, generates complex passwords for you. Instead of password1234 or a variation it will use something like $#@4j!fg&!txz. The beauty of it is you don’t need to remember that; the tool will auto-log you into the web sites for you. Even better, most will auto-change your password on an interval. There are lots of options out there but I prefer LastPass. LastPass has a free version which works just fine, but the pro version is very cheap and offers everything you need and more to secure your personal accounts.
- Enable two-factor authentication
  - Most major sites have now rolled out multi-factor authentication, a simple second step to log in to your accounts. If your password is ever compromised, the second factor will still be required to log in. Sure, two-factor adds a few seconds to the login process, but it greatly increases your security. At login most sites can send you a text with a 6-digit number; you enter that and log in. Simple and effective.
- If you stop using a website, delete your account
  - This tip requires a little more personal effort but should be part of your security practice. Like apps on your phone, you sign up for a website, use it a few times and forget about it. In Zuckerberg’s case he didn’t use his Twitter account for years, but the account remained stagnant. Go through your emails; when you get spam, make sure you don’t have an account there. If you do, reset the password if you forgot it and take the time to delete your account. The fewer places your stagnant information sits, the better.
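As an added example (not code from the original post or from any password manager product), here is a small Python audit of the kind the password-manager tip above describes: it flags a password reused across sites by comparing digests rather than plaintext, estimates how weak a password like ‘dadada’ is, and generates a replacement from a CSPRNG. The vault contents are constructed for the demo.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict

# Character classes used both for strength estimation and for generation.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# Constructed sample vault (site -> password). The weak entries mirror the
# post's scenario: one trivial password reused across three sites.
SAMPLE_VAULT = {
    "linkedin.com": "dadada",
    "twitter.com": "dadada",
    "pinterest.com": "dadada",
    "bank.example": "T7#kq2!mZp9&Lx",
}

def fingerprint(password: str) -> str:
    """Hash the password so reuse is compared on digests, not on plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def find_reused(vault: dict) -> dict:
    """Return {digest: [sites]} for every password used on more than one site."""
    groups = defaultdict(list)
    for site, password in vault.items():
        groups[fingerprint(password)].append(site)
    return {d: sorted(s) for d, s in groups.items() if len(s) > 1}

def estimate_bits(password: str) -> float:
    """Rough strength estimate: length * log2(size of the character classes present)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def weak_passwords(vault: dict, min_bits: float = 60.0) -> list:
    """Sites whose password falls below the strength threshold."""
    return sorted(site for site, pw in vault.items() if estimate_bits(pw) < min_bits)

def generate_password(length: int = 16) -> str:
    """Random password from a CSPRNG, retried until every character class appears."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw
```

Running `find_reused(SAMPLE_VAULT)` reports the three sites sharing one password, and `weak_passwords(SAMPLE_VAULT)` lists the same three; the bank entry passes both checks.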
Remember, websites do not have your personal security in their best interest. They are running a business. Your personal security is your personal responsibility. You can’t even be sure websites are storing your information properly in the first place. Never use the same password across multiple sites; otherwise you are tying your digital footprint together, and it takes one weak link to open all those doors through poor password decisions and practices.
It’s not a question of if but when you get hacked. Do what you can to reduce that.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.