June is National Internet Safety Month in the United States, and we're celebrating by revisiting some of the foundations of Internet and digital security. To kick things off, let's talk about passwords.
By now you've probably seen the news that Facebook's Chief Executive Mark Zuckerberg was caught using “dadada” as a password to his social accounts. This password was among more than 100 million that showed up in a LinkedIn database that was compromised in 2012. Hackers then used these exposed LinkedIn credentials to attempt to access other accounts associated with the known data of the users. Unfortunately for Zuckerberg, hackers were able to take control of his Twitter and Pinterest accounts, because he had used the same credentials for all of them.
Zuckerberg fell short of more than one basic security standard: he used a simple password, and he used it more than once.
The strength of a password is based on three basic functions:
- Length: use sentences rather than words for a stronger password
- Complexity: for greater complexity, use a combination of uppercase letters, lower case letters, numbers, and special characters. This makes it more difficult to guess your exact password, even if an attacker knows what word or phrase you are using as the password.
- Unpredictability: you want to be as unpredictable as possible. This means avoiding the use of your name, birthday, simple patterns, or dictionary words. See this site for a list of the most predictable and common passwords to avoid.
Make it unique
Regardless of how weak Zuckerberg's LinkedIn password was, the hackers could not have compromised his other accounts if he hadn't used that password in more than one place. The concept is simple: if one of your password-protected accounts is compromised, the rest of your accounts are safe because they are protected by different passwords.
Because people like things to be easy, they often use the same password for everything. When they have an account that requires a stronger password, they often just add numbers or special characters to the end of the password they use for everything else. If someone uses the same password for personal and professional accounts, even that person's corporate network could be at risk. For example, the exposed LinkedIn database contains millions of professional email addresses. If the LinkedIn password matches up with the professional email address on a corporate domain, the entire company can be exposed. Obviously this would have a much more severe impact than just the hassle of a single hacked account.
For the greatest safety, use unique accounts for all of the following:
- Your email account
- Online bank account
- Online credit card account
- Other financial accounts
- Your social media accounts
- Any account that stores personal data such as your home address
- Any account that could post information in your name
Keeping track of it all
When you start to create strong and unique passwords, it gets difficult to keep track of everything. There are plenty of password managers out there to help. If you're looking for ideas and reviews, you can check out these Wired and PC World articles from earlier this year. I recommend taking a look at KeePass, which works great for my needs.
Revisit your accounts and your passwords. Create unique passwords for each site. Add complexity and length, and find a way to keep everything simple and organized. The more difficult it is to access your passwords when you need them, the less likely you are to maintain password discipline.