Facebook CEO Mark Zuckerberg's Pinterest and Twitter accounts were hacked on Sunday. While we let that statement sink in, the reason why the hackers managed to gain access to the accounts was because the password Zuckerberg had assigned to the accounts was "dadada."
Hacker group OurMine claimed responsibility, VentureBeat reported, and a quick check on password strength-checking tool reveals "dadada" is worse than "password" and "123456". Fortunately, access to Zuckerberg's accounts was regained and the passwords, we assume, changed to something more complex.
So what can one do avoid meeting a fate similar to Zuckerberg's? Here are a few tips:
For starters, Zuckerberg's password was two letters used thrice. A more secure password uses a mix of upper- and lower-case characters, numbers and special characters like "!" and "#". While your vehicle's registration number with a few special characters tossed in makes for the perfect password, it's also advisable that passwords don't come from one's personal life. This also excludes user IDs and phone numbers. Who knows where one's enemy might lurk? Does one really want a jilted lover seeking revenge to break into their accounts?
Zuckerberg's second big- mistake was to use the same password in two places. "Once a hacker has cracked a password for one of your accounts, they'll try to use it to gain access to all your accounts. This is why it's important to create a unique password for each account," Ritesh Chopra, Country Manager, India, Norton by Symantec, told International Business Times, India.
While creating unique, secure passwords may be a rather challenging task, especially if one has access to nuclear launch codes, or more realistically to the company bank account, a random password generator will always come to the rescue. Just remember to make sure that the password is at least eight characters long (the longer the better) and looks something like "@wx4EG!_". While these are technically secure, one would need to be Rain Man to remember the password at first glance, so creating interesting mnemonics usually helps. We see "@wx4EG!_" as "at west cross for example, the exclamation was underscored". When you commit this to memory, it also helps to shout out the word "example" to emphasise the capitals [shout them out in your head. — Ed].
In a lot of cases, users themselves have handed their passwords to hackers. Social engineering is when hackers manipulate users to give them what they want. Pretending to be tech support, hackers get in touch with users and get them to share passwords and user ids. The Infosec Institute believes social engineering is among the most successful tactics used by hackers as "victims innately want to trust other people and are naturally helpful". It's why banks always advise customers to never share PINs and credit card details with even their own employees, and it's exactly why one should share their Facebook account details even if Mark Zuckerberg sends you an email promising you a share of the $71 million he got from a Nigerian prince's inheritance.
While we can tell you not to use the same password everywhere till the cows come home, at the end of the day, with so many accounts online requiring so many different passwords, it's not going to be easy to come up with a new mnemonic for a secure password every time. This is where a password manager comes in. Password managers store and in some cases automatically enter stored passwords for users. The only hitch is password managers require the use of a master password, and if that's easy to crack, then God be with you.
Chopra, from Norton, told IBTimes India he also advocates the use of two-factor authentication. "It adds an extra layer of security to your account by requiring you to enter your password, plus a code that you will receive on your mobile device via text message, or a token generator to log into the site. This may add complexity to the login process, but it significantly improves the security of your account. If nothing else, use this for your most important accounts," Chopra said.