In the last week or so, several high-profile social networking accounts have been hijacked by hackers, including those belonging to Katy Perry, Mark Zuckerberg and Keith Richards.
And even though control of all these accounts was quickly restored to their owners, it was still a very embarrassing experience for the celebs: Katy Perry’s 89 million followers had to endure a tirade of racist words and insults, while the official Tenacious D Twitter account, also hacked over the weekend, incorrectly tweeted that member Jack Black had died, seriously freaking out his fans.
The string of high-profile account hijacks appears to be connected to a recent LinkedIn password dump, where up to 117 million usernames and passwords, dating from 2012, were stolen.
Right now, you’re probably wondering these two things:
How can this happen to someone like Mark Zuckerberg?
If this can happen to someone like him, is it even possible to prevent it?
The first question is a little tougher to answer, because we don’t know exactly what happened. Mashable has contacted Facebook regarding the alleged hack, but a spokesperson merely assured us that “No Facebook systems or accounts were accessed. The affected accounts have been re-secured using best practices.” Of course, Twitter, Pinterest and LinkedIn don’t fall under this category, and Facebook refused to comment on Zuckerberg’s personal accounts.
But if we choose to believe the hackers, who posted on Twitter (in a now-deleted tweet) that Zuckerberg’s password was “dadada” and that it was found among the LinkedIn passwords, then the Facebook CEO has been very careless about online security. It can happen to all of us, and frankly, Zuckerberg hasn’t used these accounts in years. But when you’re the head of a multibillion-dollar company and the world’s leading social network, it just hurts a little more.
On the second question, the answer is: You can do quite a bit, but taking one security precaution and neglecting others could make you very vulnerable to hackers. I’ll explain that as we go along.
Choosing a good password
By now, most internet users are aware that choosing a strong password is important. What, exactly, constitutes a strong password has changed quite a bit over the years: A decade ago, “34xyf4ds” was considered to be a solid password; now, a hacker armed with little more than a lowly laptop can slice through passwords such as this one like a knife through butter.
Today, a good password should be at least 12 characters long, preferably longer. It should contain numerals as well as lowercase and uppercase letters. It should not contain easily guessable personal information; if you’re called Michael and were born on September 12, 1967, then “Michael-09121967” is not a good password. In fact, even though you can create a solid password by stringing together common words, as explained in this XKCD comic, I’d recommend making it far more random (and experts agree).
Never use the same password twice
Now that you’ve chosen a crazy-good password, you’re safe, right? Wrong. If you’re using the same password on multiple sites, you could still be in trouble. If only one of those sites gets compromised — as LinkedIn did, when someone stole more than a hundred million usernames and passwords in 2012 — a hacker could try out your email address and the same password on other online services.
Sometimes, if a site has very shoddy security, hackers might obtain your password in plain text. Most often, the passwords will be encrypted or hashed, so the hacker will have to crack the passwords, which is where choosing a good password comes into play. But hackers today have access to very powerful computers and some smart cracking algorithms, meaning that — with time — even very strong passwords can get cracked.
The best way to avoid this is to have a separate password for every online service you use, especially those important to you (Facebook, Twitter) or ones that can actually cost you money (PayPal, eBay).
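To put numbers on the two rules above (length plus mixed character classes, and no personal details), here is an added Python example, not code from the original article, that estimates the blind brute-force search space for the article's own sample passwords and flags the ones that break its rules. The guess rate and the 12-character random sample are assumptions; the crack-time figure is an upper bound, since real crackers try dictionaries and patterns long before exhausting the keyspace.

```python
import math
import string

# Character classes the article mentions (digits, lowercase, uppercase) plus symbols.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

def alphabet_size(password: str) -> int:
    """Size of the union of classes needed to cover every character of the password."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))

def keyspace(password: str) -> int:
    """Number of candidates a blind brute-force search would have to consider."""
    return alphabet_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    return math.log2(keyspace(password))

def expected_crack_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected years to hit the password at the given rate (half the keyspace on average).
    Upper bound only: a word like 'dadada' falls to a dictionary in far less time."""
    return keyspace(password) / 2 / guesses_per_second / (365 * 24 * 3600)

def contains_personal_info(password: str, facts: tuple) -> bool:
    """True if any known fact (name, birth year, ...) of 3+ characters appears in the password."""
    lowered = password.lower()
    return any(fact.lower() in lowered for fact in facts if len(fact) >= 3)

def assess(password: str, facts: tuple = ()) -> dict:
    """Apply the article's rules: 12+ characters, mixed classes, no personal details."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if alphabet_size(password) < 62:
        problems.append("does not mix digits, lowercase and uppercase")
    if contains_personal_info(password, facts):
        problems.append("contains personal information")
    return {"bits": round(entropy_bits(password), 1),
            "years": expected_crack_years(password),
            "problems": problems}

if __name__ == "__main__":
    # "kT7vQ2pLx9Wz" is a constructed 12-character random sample, assumed for illustration.
    for pw in ("dadada", "34xyf4ds", "Michael-09121967", "kT7vQ2pLx9Wz"):
        print(pw, assess(pw, facts=("Michael", "1967")))
```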
Remember, if the person who took control of Zuckerberg’s Twitter is telling the truth, Zuckerberg broke both these rules: He had a pitifully weak password (“dadada”) and he used it on several sites, including Twitter, Pinterest and LinkedIn.
Use a password manager
This is where things get problematic for most users. After a while, remembering strong passwords becomes a chore, or even impossible. This is where password managers, such as LastPass or Dashlane, come into play. These services “store” all your passwords, often automatically filling out your online credentials, but you can only unlock them with a master password, so that’s the one password you really need to remember.
A caveat to this method: if your master password gets stolen, you’re in trouble, because a hacker can then gain access to all your passwords. This is why you must choose a very strong master password, never store it on your computer and never share it with anyone.
Note that even password managers are prone to vulnerabilities. You might choose not to use one and just keep your passwords in your head, or offline, on a piece of paper in a safe. That’s perfectly fine, just don’t lose the piece of paper.
Use two-factor authentication
Even if you’re really careful, mistakes will happen. An old service you forgot you ever used could get compromised and come back to bite you. Or you could connect to the wrong Wi-Fi network and become the victim of a stalker-hacker stealing every bit of info you send out from your computer. (By the way, don’t connect to Wi-Fi you don’t trust. Ever.)
This is why it’s advisable to use an additional layer of protection, usually in the form of two-factor authentication. This method combines something you know (your password) with something you have (your phone), making sure that even if someone learns your password, they still can’t access your services without physically having control of your phone.
Today two-factor authentication is supported by many online services (though not all), including Gmail, Facebook, Twitter, Instagram, Amazon, Slack and others. Usually, it works as follows: You set it up by adding your phone number. Then, when you log in from a new device or location, you’ll receive an additional code on your phone, without which your password would be useless.
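To show why a leaked password alone is useless once the second factor is on, here is an added Python example, not code from the original article or any of the services named. It goes one step beyond the text-message flow described above and implements the app-based variant, a time-based one-time code (RFC 6238 TOTP) derived from a secret shared with the phone, next to a salted password check; the login function only succeeds when both factors pass. The account record, iteration count and time values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the one-time code shown on the phone

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to DIGITS digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP_SECONDS)

def verify_code(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and one step either side to tolerate phone clock drift.
    compare_digest avoids leaking which digits matched through response timing."""
    counter = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

def make_account(password: str) -> dict:
    """Constructed account record: salted PBKDF2 password hash plus a TOTP secret.
    The secret is shown to the phone app once (usually as a QR code) and never again."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": secrets.token_bytes(20),
    }

def login(account: dict, password: str, code: str, at: int) -> bool:
    """Both factors must pass; knowing the password without the phone is not enough."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, account["pw_hash"])
    return password_ok and verify_code(account["totp_secret"], code, at)

if __name__ == "__main__":
    acct = make_account("dadada")          # weak password, as in the article
    now = 1234567890                       # constructed timestamp
    print("password + phone code:", login(acct, "dadada", totp(acct["totp_secret"], now), now))
    print("password alone:       ", login(acct, "dadada", "000000", now))
```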
Even if you do everything right, you could still fall victim to a hacker attack, or lose control of one of your online accounts. But by following the steps described above, you’ll make it orders of magnitude less likely. And even if one of your accounts gets compromised, the damage won’t spill into other areas of your online life.