If you needed another reminder that you shouldn’t use the same password on multiple online sites, yesterday’s news about the hacking of Mark Zuckerberg’s Twitter and Pinterest accounts is your teachable moment. Mr. Z. was apparently as guilty as the rest of us in password laxness.
From what we know, the hackers worked from a list of cracked accounts that came from a 2012 breach at Linkedin. While an initial round of over six million passwords has been available for some time, it’s now believed that the number of cracked passwords might be as high 167 million. Based on the messages left by the hackers on his Twitter timeline, Mark’s password may have been on that new list.
Get the Free Pen Testing Active Directory Environments EBook
Sure, “if it happens to the best of us, it happens to the rest of us”, is one take away. However, we can all do a better job in managing our passwords.
Am I Already a Victim?
Last week, I received an email from Linkedin saying my account was part of the new batch of cracked passwords. I changed my password, and I had already been pretty good (not perfect) about using several different passwords for the online accounts that I care about. But I now needed to revisit some of them as well.
1. Go to this site now and enter the email addresses that you most commonly use in setting up accounts. You’ll discover whether your password is known to hackers.
There’s a service that will tell if you have an account on a site that’s been hacked and the passwords doxed. It’s called have I been pwned?
Besides informing me that Linkedin was one of my breached accounts, the ‘have I been pwned?’ service also alerted me that another account of mine had been compromised.
Yikes! Fortunately, it’s one of my web accounts where I’ve frequently change the password. So no problem.
You may not be so lucky. If this service tells you’ve been pwned, you’ll have to immediately go to the affected web site, along with other accounts that share that password and change them.
But on hold on a sec before you do that.
Turn on Two-Factor Authentication
You shouldn’t waste a crisis. It’s now a good time to turn on two-factor authentication (TFA) if it’s provided.
Linkedin does offer this feature. It works with your cell phone by sending an SMS text with a PIN. Or if you don’t use SMS, the service will call you instead.
So the next time you logon to Linkedin, you’ll be asked for your password (the first factor) and for the PIN (the second factor), which is sent to your cell phone.
2 .Before reading any more of this post, go to your Linkedin profile and turn on TFA – you’ll find the setting under Privacy & Settings>Privacy>Security.
The next time there’s a data exposure, you won’t have to worry (as much) about your account being hacked. The hackers will fail the second factor test.
Besides Linkedin, Google, Twitter, Dropbox, Facebook, and Paypal have this feature as well. A lifehacker article from 2013 list additional web sites with TFA.
Google and others — notably Twitter, Linkedin, and Facebook — also offer their TFA as a service. This allows sites that haven’t implemented strong authentication to hook into, say, Google Authenticator, for instant TFA. Going forward, for those sites that support these TFA services, you can in theory have secure centralized authentication.
3. It’s a good time now to consider using the authenticator feature of Google, Twitter, or Linkedin for all your accounts. As a first step, I would turn on TFA for your Google and Twitter accounts as well. It will also make these services more secure. Do it now!
Correct Battery Horse Staple and its Variants
The best way to stop the whole chain of events that forces you to change passwords on multiple account is to come with an uncrackable password in the first place.
The correct-horse-battery-staple method is one way to generate high-entropy passwords. You pick four random words out of the dictionary and use them as your password. This classic xkcd comic explains it nicely.
To remember the password, you devise a little story using the random words, thereby connecting the words together in your neurons. For example, “I showed the horse a battery with a staple on it, and the horse said correct”
Memory tricks where you connect stories to the actual words or ideas you want to recall are known as mnemonics.
I wrote about a variant of this technique where you make up a very simple one sentence story and use the first letter of each word as your password.
For example, here’s my one sentence story: “Bob the tiger ambled across the savannah at 12 o’clock last Tuesday”.
And the password that comes from this is: Bttaatsa12olT.
4. Now it’s your turn. Make up a memorable one sentence story that is long enough, at least 10 to 15 words, and try to use some punctuation and numbers. Take the first letters of those words and write it down once — just to see it. Throw away the paper. This is your new password. If you’ve been pwned—see #1—then use this as your new password. For anchor sites like Google or Twitter or Linkedin, change your password there as well, since these can in the future become your main authenticator.
Multiple Site Paranoia
More recently I’ve been using my own long one sentence mnemonic as my high-entropy password—I’m very confident it’s uncrackable.
Unfortunately, I didn’t use this technique with the Linkedin account I set up years ago, and hence I am one of the victims.
Can you use this same high-entropy password on multiple sites that are also guarded by TFA?
I’m not that paranoid so I would. But experts will tell you that even TFA has man-in-the-middle vulnerabilities and maybe somehow they launch a brute force dictionary attack against your encrypted password …
If you really want to avoid having to change multiple accounts if you’ve been hacked, then you may want to customize the one sentence story.
Here’s what I came up with. Balancing complexity with convenience, I now make a small part of my one sentence story variable —pick a subject, verb, or object to be the variable part.
And then use some letter in the website name —please, not the first, but say the second letter — as the starting letter of another word to replace the subject, verb, or object.
If I want to reuse my “Bob the tiger” password, I could make the verb variable and use the second letter of the website name as the first letter of my new verb.
For Snapchat, my story might become: “Bob the tiger navigates across the savanna at 12 o’clock last Tuesday”.
For Twitter, it could read: “Bob the tiger walked across the savanna at 12 o’clock last Tuesday”.
You get the idea. You have a different password for each site.
For hackers who are used to quickly trying the cracked passwords on other sites besides the oringial, they’ll very likely go on to another victim when they fail to get in.