Hacked online accounts have been old news for some time, considering the ongoing breaches that compromise millions of accounts on a regular basis. But when someone like Facebook CEO Mark Zuckerberg gets hacked because of poor cybersecurity hygiene, it calls for some head scratching.
This is a good time for a refresher on best practices for password security — so that you don’t become the next Zuckerberg case. Even without the notoriety attached to a famous personality, having your accounts compromised can have much more serious consequences than a defaced social media page.
Hacking 101: how account credentials get compromised
According to Verizon’s 2016 Data Breach Investigations Report, “63 percent of confirmed data breaches involved weak, default or stolen passwords.” The dark web is awash with stolen account passwords. Millions of credentials have been compromised in recent years after breaches of big databases like Evernote (50 million compromised accounts) and Adobe (at least 38 million accounts). Two years ago, a security company discovered that a Russian crime ring alone had collected 1.2 billion user name and password combinations, along with hundreds of millions of email addresses and other data.
The same company behind that discovery, Hold Security, recently found a Russian hacker touting access to 1.17 billion login records, tens of millions of which were for Google, Microsoft and Yahoo email accounts. This particular hacker was willing to sell the entire mother lode for $1.
While those kinds of bargains may be less common on the black market, stolen credentials are not. And the bad actors know that the average person is a creature of habit, using the same passwords for years — which is why those credentials are still valuable long after being stolen.
LinkedIn’s recent announcement is the perfect example. The company confirmed that account information currently circulating on the black market, covering 117 million of its users, was stolen during its breach way back in 2012.
Which brings us back to the Zuckerberg incident. His Twitter and Pinterest accounts were hacked because he’s been reusing his passwords — and the group that took responsibility for hacking his accounts claimed the LinkedIn credentials leak was their way in.
Since many users have dozens of online accounts and reuse passwords repeatedly, there’s no mystery in how credentials get compromised. But the worst part is that it’s common for people to reuse their personal passwords for their work accounts — putting their employers at risk.
One major issue that cybersecurity practitioners face is that many of their data-breach prevention tools are built to detect intrusions from the outside, such as malware or the exploitation of a vulnerable server. By using stolen credentials, bad actors can fly under the radar: they can mimic “insider” behavior patterns for a long time before raising red flags, and their activity won’t trigger any initial intrusion alarms because they are presenting someone’s real user name and password. It’s the equivalent of thieves stealing your car keys and simply driving away, rather than trying to pick the lock.
Stolen passwords have become such a concern for organizations that some are even restricting logins to whitelisted IP addresses, using built-in capabilities of cloud providers like Salesforce. It’s a smart practice because a stolen password alone is useless from an address outside the allowed ranges; it does nothing against an attacker who is already inside one of those ranges, though, so it complements rather than replaces stronger authentication. Well-publicized breaches like those at Anthem and the Office of Personnel Management are examples of the havoc that compromised credentials can wreak.
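Two signals that do catch stolen-credential use even though the user name and password are valid: one source address cycling through many different accounts (the signature of credential stuffing), and a successful login from outside the allowed address ranges. The following script is an added example, not code from the article or from Skyhigh Networks; the log format, the allowlisted networks and the log lines themselves are constructed for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
# 198.51.100.10 tries five accounts in twenty seconds and gets two of them right;
# the valid credentials for alice and erin are being used from an attacker's address.
SAMPLE_LOG = """\
2016-06-06T10:01:02Z login user=alice src=198.51.100.10 result=success
2016-06-06T10:01:09Z login user=bob src=198.51.100.10 result=failure
2016-06-06T10:01:12Z login user=carol src=198.51.100.10 result=failure
2016-06-06T10:01:15Z login user=dave src=198.51.100.10 result=failure
2016-06-06T10:01:20Z login user=erin src=198.51.100.10 result=success
2016-06-06T10:05:44Z login user=frank src=203.0.113.7 result=success
2016-06-06T10:06:01Z login user=alice src=10.1.2.3 result=success
""".splitlines()

# Assumed log line layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed allowlist: the office network and the VPN egress range.
ALLOWED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def parse(lines):
    """Turn raw log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def stuffing_sources(events, min_users=3):
    """Source addresses that tried at least min_users distinct user names.

    A legitimate client rarely logs in as many different people; an address
    that does is replaying a list of stolen credentials to see which still work.
    """
    users_by_src = defaultdict(set)
    for e in events:
        users_by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) >= min_users}


def logins_outside_allowlist(events):
    """(user, src) pairs for successful logins from addresses in no allowed network."""
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        addr = ipaddress.ip_address(e["src"])
        if not any(addr in net for net in ALLOWED_NETS):
            hits.append((e["user"], e["src"]))
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("possible credential stuffing:", stuffing_sources(evts))
    print("successful logins outside allowlist:", logins_outside_allowlist(evts))
```

Note that alice’s later login from 10.1.2.3 is not flagged: the same valid password looks fine from the office and suspicious from the attacker’s address, which is exactly why the source of a login, not just the credential, has to be part of the decision.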
Password Security 101: don’t be a “Zuck”
In its “How to Keep Your Account Secure” section, Facebook advises, “Don’t use a password that you use on other sites — if one site gets hacked and your password is stolen, hackers will often try it on other sites.” It’s sage advice and one of the best ways to avoid risk to your other accounts, whether you’re the CEO of a multibillion-dollar company or not.
Facebook has one other piece of advice that its CEO ignored: Create passwords that are memorable but unique. Zuckerberg’s password was certainly memorable … wait for it … “dadada.” But it’s not that far off from the other top “memorable” passwords users love — like the ubiquitous “123456,” “password” and “abc123” or the more “creative” but just as popular “princess,” “solo” and “dragon.”
Don’t think that adding capital letters or substituting digits for letters, like 2 instead of “to” or 0 instead of o, gets you off the hook. Hackers are just as clever and well-versed in trying out those variations. And just as security professionals use tools to automate routine work, hackers use automation to run every common variation of a base word against a login when they are guessing passwords.
The good news is that you can create passwords that are both strong and easy to remember. Besides using a different password for every account, here are some other techniques to use:
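To show how little those substitutions buy, here is a small password-mangling routine of the kind cracking tools apply to a wordlist. It is an added example, not code from the article or from any particular cracking tool; the substitution table and the suffix list are assumptions chosen to mirror the habits the article describes, and real rule sets are far larger.

```python
import itertools

# Assumed substitution table: each letter and the characters people swap in for it.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

# Assumed list of suffixes people tack on to satisfy "add a number or symbol" rules.
SUFFIXES = ["", "1", "123", "!", "2016", "!1"]


def leet_variants(word):
    """Yield every combination of substitutions from LEET applied to word."""
    choices = []
    for ch in word:
        opts = [ch]
        if ch.lower() in LEET:
            opts += list(LEET[ch.lower()])
        choices.append(opts)
    for combo in itertools.product(*choices):
        yield "".join(combo)


def case_variants(word):
    """The three capitalisations nearly everyone uses."""
    return {word, word.capitalize(), word.upper()}


def mangle(word):
    """Every candidate an attacker derives from one base word with these rules."""
    out = set()
    for cased in case_variants(word):
        for leet in leet_variants(cased):
            for suffix in SUFFIXES:
                out.add(leet + suffix)
    return out


def guessable(password, base_words):
    """Return the base word that password is a mangled form of, or None."""
    for word in base_words:
        if password in mangle(word):
            return word
    return None


if __name__ == "__main__":
    print(len(mangle("password")), "candidates derived from 'password'")
    for pw in ["D4d4d4!", "P@ssw0rd123", "Hj,Dmib,Tassamib"]:
        print(pw, "->", guessable(pw, ["password", "dadada"]))
```

With just these rules, “password” expands to under a thousand candidates, a keyspace a laptop exhausts in well under a second; “P@ssw0rd123” and “D4d4d4!” fall out of it immediately, while an acrostic built from a lyric does not match any base word at all.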
- There’s strength in “characters” — Your password should be at least 12 characters long for accounts that hold sensitive information, like your bank login, and at least eight characters for everything else.
- Mix it up — Numbers, capital letters and symbols should all be included. Some logins don’t allow special characters like symbols; everywhere else, including at least one of each category enlarges the set of characters an attacker has to try at every position, which greatly increases the number of guesses needed.
- Ignore Webster’s — Never use words that can be found in the dictionary, including compounds of several words run together. Also avoid the names of people close to you, such as your family name or your kids’ names.
- Avoid patterns — It’s tempting to fall back on common patterns because it’s easy, but hackers know those too. The three most commonly used are: one upper case letter followed by five lower case letters and three digits, one upper case letter with six lower case letters and two digits, and one upper case letter with three lower case letters and five digits. Cracking tools target these templates directly, so avoid them altogether rather than rearranging them slightly.
- Store selectively — Never store passwords in insecure, unencrypted cloud accounts, or in spreadsheets or documents that can be easily accessed on your computer. Use a secure and reputable password manager, which also makes it practical to keep a different password for every account.
- Opt for two-factor — When two-factor authentication is available for a login, always use it. This is the simplest way of adding protection to your account: an attacker who has your password is unlikely to also have your phone, and without the second factor they cannot log in. Where the service offers it, prefer an authenticator app or a hardware token over codes sent by text message, since text messages can be redirected to an attacker’s phone.
- Favorite lyrics — If you are still having trouble thinking of an easy-to-remember but hard-to-guess password, think of the lyrics of your favorite song. As an example, if the song is “Hey Jude” by the Beatles (“Hey Jude, don’t make it bad, take a sad song and make it better”), take the first letter of each word and turn it into a password: Hj,DmIb,TaSsamib. Pick a line that isn’t famous, and don’t use this example itself now that it is published: attackers build wordlists from popular lyrics and quotations too.
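The rules above are mechanical enough to check automatically, and the lyric trick is mechanical enough to generate. The following script is an added example, not code from the article or from Skyhigh Networks: it applies the length, character-mix, dictionary, personal-name and template rules from the list, and builds an acrostic from a lyric (capitalising the start of each phrase, a slightly different capitalisation rule from the one in the Hey Jude example). The dictionary and top-password sets are tiny constructed stand-ins; a real checker would load a full dictionary and a leaked-password corpus.

```python
import re

# Constructed stand-ins for a dictionary and a list of the most-used passwords.
DICTIONARY = {"password", "princess", "solo", "dragon", "dada", "hey", "jude", "song", "summer"}
TOP_PASSWORDS = {"123456", "password", "abc123", "princess", "solo", "dragon", "dadada"}

# The three templates the article names, as masks (fullmatch is used below):
# one upper + five lower + three digits, one upper + six lower + two digits,
# one upper + three lower + five digits.
COMMON_MASKS = [r"[A-Z][a-z]{5}\d{3}", r"[A-Z][a-z]{6}\d{2}", r"[A-Z][a-z]{3}\d{5}"]


def check_password(pw, sensitive=False, personal_names=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    min_len = 12 if sensitive else 8
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no symbol")
    lowered = pw.lower()
    if lowered in TOP_PASSWORDS:
        problems.append("is a top-used password")
    # Dictionary check on the letters alone, so "password1!" is still caught,
    # and on two dictionary words run together ("compound combinations").
    letters = "".join(c for c in lowered if c.isalpha())
    if letters in DICTIONARY:
        problems.append("is a dictionary word")
    elif any(letters[:i] in DICTIONARY and letters[i:] in DICTIONARY
             for i in range(1, len(letters))):
        problems.append("is two dictionary words joined")
    for name in personal_names:
        if name.lower() in lowered:
            problems.append(f"contains the name {name!r}")
    if any(re.fullmatch(mask, pw) for mask in COMMON_MASKS):
        problems.append("matches a common upper/lower/digit template")
    return problems


def acrostic(lyric):
    """First character of each word, punctuation kept, first letter of each phrase capitalised."""
    out = []
    new_phrase = True
    # Words (apostrophes included, so "don't" is one word) or single punctuation marks.
    for token in re.findall(r"[A-Za-z0-9']+|[^\sA-Za-z0-9']", lyric):
        if token[0].isalnum():
            out.append(token[0].upper() if new_phrase else token[0].lower())
            new_phrase = False
        else:
            out.append(token)
            new_phrase = True
    return "".join(out)


if __name__ == "__main__":
    for pw in ["dadada", "Summer123", "dragonsolo"]:
        print(pw, "->", check_password(pw))
    lyric = "Hey Jude, don't make it bad, take a sad song and make it better"
    generated = acrostic(lyric)
    print(generated, "->", check_password(generated, sensitive=True))
```

Running the checker over the article’s own example is instructive: the Hey Jude acrostic passes every rule except “no digit”, so a lyric that happens to contain a number, or one digit swapped in, is all it takes to satisfy the mix rule as well.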
Sekhar Sarukkai is a co-founder and the chief scientist at Skyhigh Networks, driving the future of innovation and technology. He has more than 20 years of experience in enterprise networking, security and cloud services development.