You’d think Mark Zuckerberg, creator of Facebook and one of the tech industry’s current leaders, would have secure passwords. He’s been on the receiving end of hacks for a while now, so of course his personal passwords are some randomized collection of characters jumbled together by an algorithm, right? Nope, and that speaks to a deeper problem with security on the internet.
How Mark Zuckerberg Got Hacked
A hacking collective calling itself OurMine Team managed to get into Zuckerberg’s Twitter and Pinterest accounts. That would be embarrassing enough, but how they got in is even worse. First of all, Zuckerberg’s password was “dadada.” While we can respect any man who puts his love of German synthpop band Trio front and center, that’s far from the most secure of passwords. For a password to be theoretically secure, it needs to be at least eight characters long, contain uppercase, lowercase, and symbols, and can’t contain any identifying information. Musical preferences aside, this is pretty embarrassing for a man who runs a company that collects data on roughly a seventh of the world’s population.
Worse, though, is how the collective got the password. It appears that Zuckerberg is the most visible target of the “historical mega breaches,” enormous hacks of passwords and usernames from websites that remain unreleased for months or years, only to turn up later and make users’ lives a misery. The collective got Zuckerberg’s password from the notorious LinkedIn breach of 2011, and he’d just never bothered to change it. Or, perhaps, he didn’t even realize he was using the same password for all his social media accounts.
The good news is that his Facebook, and the depths of Facebook’s code, remain uncompromised. This is just Zuckerberg’s personal accounts. But if we’re being fair to Zuckerberg, the problem isn’t just with human nature; it’s with how passwords themselves are designed.
How To Build A Better Password
The irony is there’s nobody who hates passwords more than the people who build password login pages. Microsoft recently created a “blacklist” of stupid passwords as a security measure for Windows. MasterCard is ditching passwords and PIN numbers altogether in favor of making you take a selfie. Yes, duck face is a better security tool than a “strong” password.
The issue goes beyond the fact that “Password1” is technically a “strong” password. The passwords we’re told to build are increasingly easy for computers to solve through “brute force,” because they’re usually short and thus have a limited number of iterations. But they’re complex enough that they’re difficult for us to remember. That reduces security on two fronts: One, it means breaches will become increasingly common as more computer power can be thrown at guessing passwords, and two, it means we’re more likely to fall victim to what hackers call “social engineering.”
Social engineering is pretty simple, really: Just use human frailty to figure out passwords and other data. If you’ve ever gotten a robocall from Rachel from “Card Services” or an email claiming your Facebook password needs to be changed from email@example.com, you’ve been on the receiving end of social engineering attempts. And they’re crude because it doesn’t take all that much effort, sheer volume will often do the trick. Back in 2003, security researchers got most of an office to cough up their passwords in exchange for a pen, and things have not improved since.
How We Can Be Safer
For now, it’s mostly up to us to keep our passwords secure and our data safe. With your passwords, the best thing to do is to stick to the rules and use longer, more complicated passwords where you can and where it really matters. Also make a point of using different passwords for crucial material like bank accounts, financial documents, and social media.
As for counteracting social engineering, keep hanging up on Rachel and deleting the Belieber, but more importantly, don’t blithely accept that people are who they say they are. If you get a phone call from a human being claiming an issue with your credit card, for example, thank the caller for their concern, tell them you’ll call back, and then dial the 800 number on the back of your card to confirm the issue. If somebody calls your office claiming to be the IT guy, tell them thanks for the tip and you’ll put the IT guy in your building right on it. When it comes to your data, if you don’t have any proof the person you’re talking to is legit, don’t assume that they are.
In possibly just a few years, passwords will be just one part of a larger continuum of security measures that include chip-and-PIN tools on your credit card, iris scans, facial recognition, and much more. Until then, the responsibility of protecting our data falls to us.