In last month’s column, I talked about what to do if your social media channel is hijacked. In starting that column off, I mentioned the then-recent announcement by LinkedIn that up to 6.5 million user account credentials were breached. Since then, we’ve seen announcements by a number of big social media sites of similar issues. Last.fm, Formspring, and Yahoo have all had to announce that user passwords have been lost and have put users through the process of resetting those passwords.
In general, the main impact of these events has been an increase in spam and a lot of headaches for users. We’re not hearing of these breaches leading to social media site compromises or hijackings.
But the fact of the matter is that due to password re-use, a lot of people are at risk of these sorts of events leading to a hijacking of social media channels. Password re-use is the practice of using the same password across multiple sites or properties. For instance, you use the same password for your webmail account and Twitter or Facebook.
Losing credentials in a password re-use situation is a particular risk if your webmail username and password are the same as those you use on social media sites. In this case, you’re at risk of not only losing control of your social media channel, but your ability to recover from that hijacking can be significantly impaired since that email account is likely the one you have set up in your account recovery options. If you lose control of both, it’s going to be much harder to recover from that hijacking. Given that Yahoo is one of the top webmail providers out there, the breach affecting them is particularly worrisome in that regard.
Password management is a particularly difficult and challenging area in online security. The reality is that passwords are the area where vendors have most put an unreasonable and unrealistic burden on you, the user. Nearly every online property that needs you to prove your identity does so by setting up a password-protected system and telling you to choose a “unique and complex password”. If you had to do this for one or two (or even four or five) sites, it would be one thing. But the proliferation of password requirements across the Internet is simply insane today: if you were to sit down and total ALL of the passwords you have created and have to enter, the odds are good that many of you would hit the hundreds (mine does). It’s not possible to follow “best practices” in this quantity: no one can remember that many complex passwords (and remember, writing them down is also against “best practices”). And yet, this is the way you’re supposed to protect access to your digital identity and your social media presence.
I’ve seen many times that if you give unrealistic advice about what you “should” do, people will give up and fall back to the convenient thing. One of the biggest problems with password guidance is that there’s little information in the middle. It’s either follow the “best practices” or nothing. Most people end up, sadly, opting for nothing, which in this case is password re-use.
I said in my first column that security is an exercise in risk assessment and management. And so, here I want to give you some additional options that you can evaluate and use to make managing your passwords more realistically secure. While you may or may not be able to use some of these with some social media sites, the important thing is to understand your options, evaluate them and mix-and-match to create a password management system for you that strikes the right balance of security and usability.
1. Enable two factor authentication: I’ve spoken about this in my column on Facebook as well as my column on recovering from hijacking. In terms of vendor-provided solutions, I can’t recommend two factor authentication strongly enough. It provides additional protection in a way that significantly lowers the risks around credential loss like we’ve seen recently. Because this is a solution that the vendor provides, it also correctly places the bulk of the cost and burden for protecting your content where it should be: on the vendor. In addition to using two factor authentication where offered, put pressure on those providers who don’t offer two factor authentication today (like LinkedIn, Twitter and Hotmail). These days, there’s no excuse for major sites not providing two factor authentication.
2. Use a password manager tool: There are tools out there that help to manage the password problem by enabling you to create unique passwords for sites without you having to remember them all. These tools enable unique, complex passwords on a per-site basis and store the information in a secure fashion on your local system or online. You can think of this as a lockbox that keeps a bunch of keys: to use it you need a single key (a password) when using the tool, but otherwise it shoulders the burden for you by managing the other passwords and providing them to sites as needed. The biggest risk is that if someone is able to access the tool posing as you, they can potentially gain access to all the sites you can. Creating a strong unique password (just one!) can help protect against this risk. In the case of tools that store the information locally, keeping control of the physical system also can help protect against this threat. These tools, though, make accessing sites from multiple devices challenging, so you’ll want to check out the device support as you evaluate these tools. Also, you may find some challenges with sites that use two factor authentication.
3. Keep webmail passwords unique: I’ve already mentioned the risks around password re-use with webmail accounts. A simple protection here is to ensure that your webmail account password is a unique one. Whether you do this through a password management tool (like in #2) or manually, make sure that this account has a unique and complex password.
4. Evaluate sites for password uniqueness and re-use: If you don’t use a password management tool, then you will want to consider doing some real-world risk assessment with the “best practices”. The reality is that not all websites are created equal, and so not all lost or compromised credentials are equally dangerous. What you do here is evaluate the sites you need passwords for from the standpoint of “if I lose control of this site, how bad would it be?” You saw some of this evaluation in #3 around your webmail sites, and here you take it to the next step by applying it more broadly. For example, just like with your webmail account, you would view your corporate Twitter account as a high-risk, high-value target and so one that should have a unique and complex password. That account you created just to read articles on your favorite news site, though, is not so high risk. For very low risk sites, password re-use is a valid risk to accept in exchange for the management convenience: I do it myself. This can help bolster overall security by freeing up “mental space” that will allow you to maintain unique and complex passwords for those sites that really do matter, without cluttering your brain with information that doesn’t really matter.
5. Use passphrases for greater complexity and greater “rememberability”: One of the most shocking things around password guidance is that the use of “passphrases” isn’t recommended more. Using a scheme where you use a whole phrase, or some elements of it, as your “password” can improve security by making it easier to remember longer “passwords” as well as to incorporate non-alphabetic elements like numbers and punctuation. It’s much easier for me to remember “I once loved blue velvet and red roses” than “I1lbv&r2.” (made using the first letter of each word of the phrase, making non-alphabetic substitutions for “once” and “and”, and using a “2” for the second occurrence of “r”). Many people I’ve worked with in security use the passphrase trick because it works with how we remember things rather than trying to force us to remember something unnaturally. In the end, a complex password you can actually remember is more secure than one you have to write down and stick on your monitor. Passphrases are a good way to bridge that gap.
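To make the passphrase scheme in #5 concrete, here is an added example (not part of the column) that derives the mnemonic the way the text describes: the first letter of each word, a symbol or digit standing in for chosen words, and a repeated initial replaced by its occurrence number. The substitution table and the trailing “.” are taken from the column’s own example; counting initials case-insensitively is an assumption.

```python
# Added example: derive a mnemonic "password" from a memorable passphrase
# following the column's scheme. The word-to-symbol table below is the one
# used in the column's example and is an input, not a fixed rule.

SUBSTITUTIONS = {"once": "1", "and": "&"}  # whole word -> non-alphabetic stand-in


def derive_mnemonic(phrase: str, substitutions=SUBSTITUTIONS, suffix: str = ".") -> str:
    """Return the mnemonic built from PHRASE.

    Each word contributes its first letter, unless the word has an entry in
    SUBSTITUTIONS. If an initial has already been used, the repeat is written
    as its occurrence number ("r", "r" -> "r", "2"), as in the column's example.
    SUFFIX is appended at the end (the column ends its mnemonic with ".").
    """
    seen = {}   # lower-cased initial -> how many times it has appeared so far
    parts = []
    for word in phrase.split():
        key = word.lower().strip(".,;:!?\"'")
        if not key:
            continue                       # skip stray punctuation tokens
        if key in substitutions:
            parts.append(substitutions[key])
            continue
        initial = word[0]
        count = seen.get(initial.lower(), 0) + 1
        seen[initial.lower()] = count
        # First occurrence keeps the letter; later ones become the count.
        parts.append(initial if count == 1 else str(count))
    return "".join(parts) + suffix


if __name__ == "__main__":
    # The column's phrase reproduces the column's mnemonic "I1lbv&r2."
    print(derive_mnemonic("I once loved blue velvet and red roses"))
```

The phrase is what you memorise; the derived string is what you type, and the substitution table is yours to vary per site so that the same phrase does not yield the same password everywhere.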
Password management is a painful reality for all of us with an online life. But as someone who manages social media it’s a painful reality that can have real, negative consequences when things go wrong. And while the guidance around how to do passwords may generally be unrealistic, it is possible to intelligently build your own password management regime that balances security and usability through a combination of tactics, risk assessment and tools.