For those of you who haven’t heard yet, none other than Facebook’s Mark Zuckerberg was hacked. Even though LinkedIn tried to play down a breach of their platform that resulted in 117 million of their users’ information being put up for sale, it was exactly that breach that led to Zuck’s password becoming compromised. And it should be clear to all that a breach at any company where you hold an account can leave you exposed.
So what happened? It seems that Mark used the same password across different accounts. For those of us in the infosec industry, we know that’s a big no-no. And yet, many still do it, for who has the wherewithal to remember an ever-increasing number of passwords?
Hackers from the OurMine team claim they found his credentials in the LinkedIn data breach, took the SHA-1 hash of his password from it, cracked the hash, and then tried the recovered password on several of his social media accounts.
Even worse, his LinkedIn password is reported to have been “dadada,” barely better than 12345.
Poor Zuck, you’d expect he’d know better. A huge success in tech, and a central target, and that’s the best he could do?
Though the sad truth is that most people do reuse passwords, and there’s not much anyone can do about it. But if you’re going to partake in this risky behavior (against all recommendations), you should at least approach it in a methodical way that helps reduce the risk. The key is to only reuse passwords on accounts that also use two-factor authentication (typically e-mail and social networks). We’ll detail this below.
The following are some basic guidelines that Mark can use to protect himself, and you can use too.
Use passphrases as your passwords: Think of lyrics to your favorite song, capitalize a letter and replace one or two letters with a number or symbol. Longer passwords take longer to crack when an attacker runs guesses against a list of leaked password hashes, as happened to Mark. You could try something like Mybolognehasa1stname*. It’s easy to remember, and long.
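To make the length argument concrete, here is an added example (not code from the original post) that estimates how large a blind brute-force search space a password forces on an attacker, and how long exhausting it would take at an assumed guess rate. The 1e9 guesses per second figure is a constructed placeholder for an offline attack on leaked unsalted hashes, not a measured number, and the "dadada" and Mybolognehasa1stname* inputs are the two passwords the post discusses.

```python
import math
import string

# Character classes an attacker must add to a blind brute-force alphabet once
# the password is known to contain at least one member of that class.
CLASSES = (
    set(string.ascii_lowercase),  # 26
    set(string.ascii_uppercase),  # 26
    set(string.digits),           # 10
    set(string.punctuation),      # 32
)

# Assumed offline guess rate against unsalted SHA-1 hashes (constructed
# placeholder for illustration, not a benchmark).
ASSUMED_GUESSES_PER_SECOND = 1e9


def charset_size(password: str) -> int:
    """Size of the smallest union of character classes covering the password.
    Characters outside every class (e.g. non-ASCII) each add one symbol."""
    size = 0
    for cls in CLASSES:
        if any(ch in cls for ch in password):
            size += len(cls)
    leftover = {ch for ch in password if not any(ch in cls for cls in CLASSES)}
    return size + len(leftover)


def keyspace(password: str) -> int:
    """Number of candidates a blind brute-force search must cover."""
    if not password:
        return 0
    return charset_size(password) ** len(password)


def brute_force_bits(password: str) -> float:
    """log2 of the brute-force keyspace. This is a CEILING on guessing
    entropy: a dictionary or song-lyric phrase list reaches a passphrase
    built from real words in far fewer guesses than the figure suggests."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ("dadada", "Mybolognehasa1stname*"):
        print(f"{pw!r}: alphabet={charset_size(pw)} length={len(pw)} "
              f"bits={brute_force_bits(pw):.1f} "
              f"exhaust={seconds_to_exhaust(pw):.3g} s")
```

The six-lowercase-letter password is exhausted in well under a second at the assumed rate, while the 21-character mixed passphrase pushes the ceiling past 130 bits. The caveat in the comments matters in practice: the estimate measures resistance to blind search only, so a passphrase lifted verbatim from a popular lyric is weaker than its length implies, which is why the post suggests altering letters and adding a symbol.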
Compartmentalize passwords: If you’re going to reuse passwords, then at least compartmentalize them, meaning use one password per category of accounts. If someone gets hold of that password, it may put all accounts in that category at risk, but at least it’s ONLY that category. It’s not a perfect system, but it’s better than one password for everything. You should do this by level of importance, as follows:
- Generic forum accounts: Ever have to register on a message board to get an answer to a technical question? You can use the same e-mail and password combination when registering for different forums. Be sure you don’t provide any actual personal information. You can use simple passwords for these accounts, and if they get hacked, it’s no big deal.
- Email accounts: These are very important accounts. They may be used to verify your identity when resetting passwords or gaining access to bank and other accounts. Use a passphrase or a very strong password, and enable two-factor authentication.
- Social media accounts: Social media accounts are an extension of our identity, both our personal and professional face, and it’s important you protect them. Again, use a passphrase or a very strong password, and enable two-factor authentication.
- Bank and financial accounts: These are the most critical. And as hard as it may be, each account should have a unique, strong password. If you have multiple financial accounts (bank account, brokerage account, credit card account), you do not want to risk someone needing only one password to access them all.
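The compartmentalization rules above, together with the earlier rule that reuse is only acceptable on accounts protected by two-factor authentication, can be checked mechanically. The following is an added example, not code from the original post, that audits a list of accounts (as you might export from a password manager) and reports every violation: a financial account sharing a password with anything, a password shared across categories, and a shared password on a non-forum account that lacks two-factor authentication. The account names, categories and passwords in SAMPLE_ACCOUNTS are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Categories in increasing order of importance, as the post lays them out.
CATEGORIES = ("forum", "email", "social", "financial")


@dataclass(frozen=True)
class Account:
    name: str
    category: str
    password: str
    two_factor: bool


def fingerprint(password: str) -> str:
    """Group by a digest rather than the plaintext, so the grouping table
    never holds the passwords themselves. For a same-run local check an
    unsalted SHA-256 fingerprint is sufficient."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(accounts):
    """Return a sorted list of (rule, sorted account names) violations."""
    for acct in accounts:
        if acct.category not in CATEGORIES:
            raise ValueError(f"unknown category {acct.category!r} for {acct.name}")

    groups = defaultdict(list)
    for acct in accounts:
        groups[fingerprint(acct.password)].append(acct)

    findings = []
    for shared in groups.values():
        if len(shared) < 2:
            continue  # unique password: nothing to check
        names = sorted(a.name for a in shared)
        # Rule 1: a financial account never shares a password with anything.
        if any(a.category == "financial" for a in shared):
            findings.append(("financial-account-shares-password", names))
        # Rule 2: reuse stays inside a single category.
        if len({a.category for a in shared}) > 1:
            findings.append(("password-reused-across-categories", names))
        # Rule 3: outside throwaway forum accounts, every account that shares
        # a password must have two-factor authentication enabled.
        weak = sorted(a.name for a in shared
                      if a.category != "forum" and not a.two_factor)
        if weak:
            findings.append(("reused-password-without-2fa", weak))
    return sorted(findings)


# Constructed sample data for the demonstration.
SAMPLE_ACCOUNTS = [
    Account("forum-a", "forum", "pw1", False),
    Account("forum-b", "forum", "pw1", False),      # allowed: same category, throwaway
    Account("gmail", "email", "pw2", True),
    Account("facebook", "social", "pw2", True),     # violates rule 2
    Account("twitter", "social", "pw3", False),     # violates rule 3
    Account("linkedin", "social", "pw3", True),
    Account("bank", "financial", "pw3", True),      # violates rules 1 and 2
]


if __name__ == "__main__":
    for rule, names in audit(SAMPLE_ACCOUNTS):
        print(f"{rule}: {', '.join(names)}")
```

Running it on the sample reports four findings: the bank account sharing a password, two cross-category reuses, and the twitter account reusing a password without two-factor authentication. Only the two forum accounts pass, which is exactly the carve-out the post makes for low-value registrations.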
Enable two-factor authentication: This is something offered by most email and social media accounts, for example, Facebook Login Approvals. You provide the account with your mobile phone number, and the first time you log in from any new device, it sends your phone a code which you have to enter to access the account. This greatly reduces a hacker’s ability to access your account, even if they have your password.
Create an “anonymous” email account: Register for a free additional Gmail or Hotmail account. Only use it for registering on websites you don’t care much about and where you don’t need to be properly identified. So if we use the example from above of registering for a message board or forum, you can do so using this email account, and reuse it. And if it gets hacked, no big deal.
Use a password manager: For those who can’t be bothered with constantly creating new passwords, a password manager is both a secure place to store your passwords and a tool that can automatically (and easily) generate new, secure ones when needed. Instead of having to remember and enter your password every time, the password manager does it for you. Look into password managers like KeePass. It may seem a little complicated, but once you get used to it, it’s not so bad.
Don’t save your passwords in documents on your computer: One hack, and they’re all gone!
A Note on Biometrics
Currently biometrics are no different than anything else in the digital world. Once a device records your biometric information, whether it’s points on your face, your fingerprints, or your voice, it converts them to a digital file and saves this file to a database.
Then when you use them to log in, your sample is compared to the digital file. The problem: once digitized, your biometric information can be stolen just like a password. And while passwords can be reset, your biometric information cannot. Once compromised, it’s gone forever as a dependable form of verification, and there’s nothing you can do about it. I’d recommend not using biometric verification. Don’t provide your biometric data to anyone if you can avoid it.
The Time to Protect Yourself and Your Organization is Now
Sadly, the world is still stuck with passwords, and none of the countless solutions developed up until now (including biometrics) are sufficient to replace them. But using the methods above can help keep your credentials from being stolen, make them harder for hackers to reuse, and so protect your accounts.
From what we can see in the latest Verizon Data Breach Investigations Report (DBIR), hackers are going after our usernames and passwords, looking to use them in account takeover attacks.
According to Security Affairs, employees often use their work e-mail and passwords on sites outside of work, and in some cases these credentials end up for sale on the dark web. So if you’re an enterprise, your employees could very possibly be putting your organization at risk. What can you do about it? Well, to start with, implement an insider threat protection solution like Imperva CounterBreach. Imperva CounterBreach can identify when a user’s behavior patterns change, which is a strong indication that their credentials have been compromised. This is what a compromised insider looks like.
So don’t be a victim. Good password practices are critical in sparing you from having to do damage control and take back your accounts after they’ve been hacked. If you’re an individual (and yes, even Mark Zuckerberg), you need good policies to manage your passwords. If you’re an organization, you need a good solution to identify when your employees’ credentials have been obtained by hackers. The time to protect yourself is now!