Mark Zuckerberg and I have at least one thing in common: We’ve both been hacked thanks to bad password security. Sure, he’s a Silicon Valley tycoon and I’m a tech writer, but we both made it possible for someone to break into our social media accounts by using the same password more than once. He used “dadada” on his Twitter and Pinterest, while I used “b1rthd4yg1rl,” well, 671 times.
The most frustrating part is that all of this could have been avoided.
After all, it’s not difficult to protect yourself online: create unique, tough-to-guess passwords for every account, change your passwords whenever a site gets hacked, and use two-factor authentication whenever possible. Also, don’t forget to use a password manager to generate, encrypt, store and update passwords for you. I used 1Password, an app that makes it possible to see which passwords I used for all my digital identities.
But it’s not enough only to know all the best practices. You also have to follow them.
I learned the hard way last week. When I logged into Skype for the first time in a month, I discovered that my account sent out hundreds of links to a celebrity weight-loss solution. Mr. Zuckerberg had the same bad luck after his password was one of the more than 100 million made public as part of the data dump of LinkedIn usernames and passwords stolen as part of a 2012 breach.
So what do you do when you get the wake-up call of an actual security breach, and realize it’s time to clean up your act? Here are the steps I followed.
1. Figure out the source of the leak, and the password associated with that account.
It’s still not clear how the attackers broke into my account. But that leaked LinkedIn database included my credentials, and I have a feeling someone tried the same username and password on my Skype account. Open sesame.
Luckily, whoever busted into my Skype didn’t change the password. The problem is I used that password – I’ll call it “b1rthd4yg1rl,” in case there is hacker out there who doesn’t yet have the actual password – as a favorite “all purpose” password for accounts that didn’t include any sensitive information. Most of the places I used that password, I also used my primary email address as my login -- so anyone who had both my email address and that password now had access to hundreds of my accounts.
In fact, I could use my 1Password database to search for every account using b1rthd4yg1rl. The grand total? 671 potential breaches. Time to get to work.
2. Prioritize your vulnerabilities.
I knew I wouldn’t be able to change 671 passwords in a single evening, so I had to decide which accounts were the most important to protect. I printed the list and went through it with a highlighter, marking my top priorities based on whether they used the b1rthd4yg1rl password, or the email address associated with my Skype account.
I also made a note of the accounts that contained any kind of financial or personal information, like my Visa number, photos of my kids, or where I had any other personal information that might let a hacker get access to even more of my accounts.
3. Log in to each vulnerable account, and change your password.
This is the boring part. Using 1Password, I logged into each of my high-priority accounts, and then went hunting for the “change password” option. On some sites it was very hard to find the “change password” page, and on one site, I couldn’t find an option anywhere. I’m talking to you, Clippings.me.
If I were smart, or paranoid, I could have spent a week working my way through the list of all the sites where I’d used my stolen password. But I just don’t have that kind of time, so many of low-priority sites are still theoretically hackable. That’s right, hackers: you have open access to my account on LibraryThing — enjoy!
4. Generate and store new passwords in your password manager.
As I changed my passwords, I finally did what I should have always done: create a unique password for each site. I used 1Password’s password generator to create almost all of these passwords. In a couple of cases, I had to add special symbols because some websites require special characters in any password, and 1Password doesn’t automatically include them.
What I learned:
I should have started changing my passwords the minute LinkedIn’s hacked collection of passwords went on sale — or at least, before publishing a story about the hacker selling the credentials.
I’ll have to give the new site permission to access some of your social media activity but less accounts on fewer websites drastically reduces the chances I’ll be victimized again.
From now on I’m going to rely on my Facebook, Twitter or Gmail account to register for any site that gives me the option. This method, called OAuth, makes it possible for social media users to use their trusted accounts to automatically log-in to third-party websites. While I’ve already used OAuth for some site registrations, I’ve hesitated to connect a new site to my social media identity, out of concern for my privacy. Now I realize that the biggest threat to my privacy is actually having a password stolen, so the fewer passwords, the better.
When OAuth isn’t an option, I’m going to use a totally unique password on every site I visit. That’s going to mean using 1Password to formulate a long, random password for me. In other cases, I’m going to use long song lyrics, which are harder to guess than single words, that only I would associate with the site in question. Even then, I’m still storing those in 1Password.
This experience has made me more conscious of my security shortcomings and motivated to do better in the future. But it’s also reminded me why it’s so hard to follow the recommendations of security professionals. I knew what those recommendations were, but following good security practices can be inconvenient. It took actually being breached to make the hassle feel worthwhile.
It’s tempting to want to shake our fingers at people who fail to take basic security measures online. But we should also recognize there’s a need to make those measures easier. Even Mark Zuckerberg would probably agree.