Mark Zuckerberg Gets a Lesson in Password Safety

So if you remember, about two weeks ago we told you about a huge string of mega breaches that included passwords and login information from the databases of giants such as LinkedIn, Tumblr and potentially even Twitter (Twitter refuses to confirm or deny this). The information from each dump was being sold in different bundles on a dark web forum called “The Real Deal” by a grey hat hacker going by the name Peace.

At the time we mentioned that anyone concerned about their passwords could check whether their login information had been compromised by going to haveibeenpwned.com, which lists the email addresses associated with some of the recent mega hacks. We (along with plenty of other experts) suggested that if you found your information there, you should change your passwords everywhere ASAP, because it would be just a matter of time before whoever ended up buying the information put it to use by cross-referencing it with other common social media networks in order to access accounts.
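One practical way to do that check without ever sending a password anywhere is the Pwned Passwords range API run by the same site: you hash the password with SHA-1, send only the first five hex characters, and the service returns every hash suffix it knows that starts with those five characters, each with a breach count. The script below is an added example, not code from the original post or from haveibeenpwned.com; the endpoint URL is the real one, but the sample response embedded here is constructed (the counts are made up) so the check runs offline.

```python
"""Pwned Passwords k-anonymity check (added example, not from the original post)."""
from __future__ import annotations

import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API. Only the 5-character hash prefix
# is sent; the full password and its full hash never leave this machine.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return how often this suffix appeared in breaches.

    A return value of 0 means the suffix was not in the response, i.e. the
    password is not in the corpus (for this prefix).
    """
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # blank line or malformed entry; skip rather than crash
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def check_password(password: str, body: str) -> int:
    """Breach count for `password`, given the range response for its prefix."""
    _prefix, suffix = split_hash(password)
    return parse_range_response(body, suffix)


def fetch_range(prefix: str) -> str:
    """Live query of the range API (needs network access)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response for prefix 5BAA6. The middle line carries
# the genuine suffix of SHA-1("password"); the other suffixes and all counts are made up.
SAMPLE_RESPONSE = (
    "1D0B9C4A3E2F5B6A7C8D9E0F1A2B3C4D5E6:12\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1F7A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7:1\r\n"
)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for candidate in ("password", "Zq7!vT9#pL-not-in-sample"):
        hits = check_password(candidate, SAMPLE_RESPONSE)
        verdict = f"seen {hits} times in breaches" if hits else "not found"
        print(f"{candidate!r}: {verdict}")
    # Live check (uncomment when online):
    # prefix, suffix = split_hash("password")
    # print(parse_range_response(fetch_range(prefix), suffix))
```

Because the lookup is by prefix only, the server learns nothing that identifies your password; the matching against the full suffix happens locally.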

Well, it seems that not everyone heeded our sage advice.

Um, hello, Mr Facebook, Mr Twitter???
Turns out that the very same guys who essentially built the world of social media as we know it today didn’t bother to check if they were included in the data dumps. Mark Zuckerberg, you know, possibly the most famous social media figure in the world, and Twitter’s former CEO Dick Costolo (yeah, not quite as famous, sorry) both found their social media accounts hacked by the creeps who bought the information Peace had put up for sale.

The hackers, teens out of Saudi Arabia going by the name of OurMine, hacked the Twitter and Pinterest accounts of both social media moguls by cross-referencing the passwords they found in the dump, which means, essentially, that both Zuck and Costolo were using the same passwords for their Pinterest accounts, their Twitter accounts and whatever account (let’s assume it was LinkedIn) that was garnered via the data dump. In case you were wondering, Zuckerberg’s password of choice was “dadada”, because, you know, he is a dad. How sweet!

Attention Messrs Zuckerberg and Costolo, may we introduce you to this thing called the internet? It’s this big and shady place with lots of people who love to steal information, and the more high profile the information the better. So your best bet is to use complex, UNIQUE passwords for all of your different accounts, ya hear?

Same stuff, different day
It reminds us of last June’s hack of the infamous Hacking Team, suppliers of surveillance software for governments worldwide. Their top-secret database was hacked because they were using passwords like “p4ssword” and “passw0rd”. Talk about not thinking outside the box. When they were hacked, social media had a field day with their lack of password prowess, but it seems that people still have not taken the message to heart: create better passwords, people! Your security depends on it!

Sure, it’s not so simple to create solid yet easy-to-remember passwords, and this is why people continue to use terrible ones. But it doesn’t have to be that way. There are some tried and true ways to create secure passwords that won’t leave you locked out of your accounts because you forgot them, again. We have mentioned some of them before, but clearly it’s time for a refresher course in Password Safety 101.

Some tips to create better passwords

Password safety basics:
There are a few elements that are the ABC’s and 123’s of good passwords. No matter how you choose to store your passwords or whatever elements you want to include, let the following tips be your basic blueprint; once you have the basic requirements down, feel free to play around.

  • Make sure you use different passwords for each and every account.
  • Make each one at least 8 characters long, but the longer the better.
  • Use a combination of letters (uppercase and lowercase), numbers, symbols and special characters.
  • Do not use words found in the dictionary (unless you plan on using the diceware method, see below).
  • Do not use any personal information.

Now that you know the basics…
So now you can start to build really solid passwords. Here are some more advanced, yet really important, methods you can use to take your passwords up another few levels.

The memorable sentence method
Take a sentence you’ll definitely remember and turn it into a password. Something like “It was the best of times, it was the worst of times. I really can’t believe they paid that guy by the word” could become:

iwtboT:*)iwtWot:(-irCbtpTGbtWd.

Let’s try another one:

“The sun will come out tomorrow, bet your bottom dollar that tomorrow there will be sun” from the musical “Annie” could easily become:

tSwc02m:*)Byb$tTtWbS2mX2m

Got it now? Great. Here’s another idea.

Take one master word or phrase like “Cream cheese and french fries for dinner” and insert unique elements for each login you have:

So your Facebook login would be: cFre@m-che-Aese&fr3nchfrCies4din*n3rB

Now for LinkedIn: cLre@m-che-Iese&fr3NchfrKies4INdin*nEr$.

Make sure to change up certain elements of the master base password for each iteration.

Entropy and Diceware
The real truth, though, is that even these methods are lacking a bit: they are missing the element of entropy, or randomness. See, hackers and the programs they use to crack passwords know that humans are wired to create passwords based on patterns even if we aren’t aware of it; our brains tend to follow grammar and natural language rules no matter how hard we try to shake them. That’s why it’s super important to introduce unique elements each time you make a password using one of the above methods, or to skip them altogether.

For a truly random password you can use the Diceware method, which is said to be one of the most foolproof ways to create unique, random passwords. The way it works is by rolling five or six 6-sided dice a bunch of times and matching the result of each roll to a word on a master list of 7776 English words. These words then become your passphrase. Though it might seem odd to use words when just about everyone says never to use words found in the dictionary, the randomness factor is absolutely huge. How big? Well, if your password is made up of 5 rolls, that will introduce 14 quadrillion (!) new elements of entropy to your passwords. This will actually yield TRULY unique and random passwords that our little brains could never think up on their own.
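To make the entropy argument from the two paragraphs above concrete, here is an added example (not code from the original post or from the Diceware project) that does the Diceware arithmetic in code: it rolls five dice with a cryptographically secure generator, reads the five digits as one base-6 number to index a 7776-word list, and computes how many bits of entropy a passphrase of N words has compared with a character-based password. The word list format it parses (a dice roll, a tab, a word per line) is the one used by the EFF’s published lists; the `DEMO_WORDLIST` of placeholder tokens embedded below is constructed so the script runs without downloading anything, and is not a real word list.

```python
"""Diceware passphrase generation and entropy arithmetic (added example, not from the original post)."""
from __future__ import annotations

import math
import secrets
from typing import Iterable, Sequence

DICE_PER_WORD = 5
WORDLIST_SIZE = 6 ** DICE_PER_WORD  # 7776 possible outcomes of five six-sided dice


def roll_dice() -> str:
    """Five cryptographically random dice values as a string such as '41253'.

    secrets.randbelow() is used rather than random.randint() because the
    latter is predictable and unsuitable for generating secrets.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def rolls_to_index(rolls: str) -> int:
    """Map a roll string '11111'..'66666' to a list index 0..7775 (base-6 digits 1-6)."""
    if len(rolls) != DICE_PER_WORD or any(c not in "123456" for c in rolls):
        raise ValueError(f"need exactly {DICE_PER_WORD} digits in 1-6, got {rolls!r}")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_rolls(index: int) -> str:
    """Inverse of rolls_to_index: index 310 -> '12345'."""
    if not 0 <= index < WORDLIST_SIZE:
        raise ValueError(f"index out of range: {index}")
    digits = []
    for _ in range(DICE_PER_WORD):
        index, digit = divmod(index, 6)
        digits.append(str(digit + 1))
    return "".join(reversed(digits))


def parse_wordlist(lines: Iterable[str]) -> list[str]:
    """Parse 'ROLL<TAB>WORD' lines (EFF list format) into a list indexed by rolls_to_index().

    Raises if any of the 7776 rolls is missing, so a truncated download is caught.
    """
    words: list[str | None] = [None] * WORDLIST_SIZE
    for line in lines:
        line = line.strip()
        if not line:
            continue
        roll, word = line.split("\t", 1)
        words[rolls_to_index(roll)] = word.strip()
    missing = [index_to_rolls(i) for i, w in enumerate(words) if w is None]
    if missing:
        raise ValueError(f"word list incomplete, first missing roll: {missing[0]}")
    return [w for w in words if w is not None]


def diceware_passphrase(wordlist: Sequence[str], n_words: int = 5, separator: str = " ") -> str:
    """Pick n_words words by dice roll and join them into a passphrase."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError(f"Diceware needs exactly {WORDLIST_SIZE} words, got {len(wordlist)}")
    return separator.join(wordlist[rolls_to_index(roll_dice())] for _ in range(n_words))


def entropy_bits(choices_per_element: int, n_elements: int) -> float:
    """Entropy of n_elements picked uniformly and independently from choices_per_element."""
    return n_elements * math.log2(choices_per_element)


# Constructed placeholder list so the example runs offline: 7776 synthetic tokens,
# NOT real Diceware words. Replace with parse_wordlist(open(path)) on a real list.
DEMO_WORDLIST = [f"w{i:04d}" for i in range(WORDLIST_SIZE)]


if __name__ == "__main__":
    phrase = diceware_passphrase(DEMO_WORDLIST, n_words=5)
    print("passphrase (placeholder words):", phrase)
    print(f"5 Diceware words: {entropy_bits(WORDLIST_SIZE, 5):.1f} bits")
    print(f"8 chars from 94 printable ASCII: {entropy_bits(94, 8):.1f} bits")
    print(f"6 Diceware words: {entropy_bits(WORDLIST_SIZE, 6):.1f} bits")
```

The entropy figures are the key output: five words drawn uniformly from a 7776-word list give about 64.6 bits, more than a fully random 8-character password from all 94 printable ASCII characters (about 52.4 bits), and every extra word adds another 12.9 bits. A sentence you made up yourself gets none of this guarantee, because the words are not chosen uniformly at random; the dice are what supply the entropy.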

Our preferred method
On a personal level, we think all of these methods are a bit complicated once you take into account that you need to not only create these hard-to-crack passwords but also remember them or store them somewhere. On the other hand, if you are meticulous and write each one down on a non-digital list (with a pen and paper, gasp!) and hide that list very well (you can put it in your toiletries cabinet with your toothpaste and hand soap; no password thief will ever look there), these methods, especially the Diceware method, can be used to make complex, unguessable passwords.

Here at RCS we prefer to use password managers. They create truly random passwords and will store them and enter them on each login you have. You do need to create one uncrackable password on your own to lock your password vault where all your passwords and login info will be stored, so you could use the Diceware method here to ensure your vault is super-secure.

Keep in mind that although it wouldn’t be worth a hacker’s time and effort, even the absolute strongest, most foolproof password can be hacked. So, as always, you should enable two-factor authentication (also called 2FA or multi-factor authentication). There are lots of great resources to learn about its importance and find out how to set it up.

Nice going! Now you know more about password safety than the guys from Facebook and Twitter. How ‘bout that? Now go share your newfound knowledge with all your friends who think passwords like “passW0rdtwitter” and “1luvmyd0g” are secure, and re-educate them.
