Even celebrities like Mark Zuckerberg use easy passwords that get hacked. Until there is a better way, you need help managing your passwords.
The recent news of celebrity social media accounts, including Mark Zuckerberg’s, being hacked should be seen as an important reminder to how valuable passwords are. Who knows if the cybercriminals that hacked the accounts just tweeted strange things or if they went a step further and read the celebrities’ direct messages or more.
Most people create easy passwords like these and never change them
Most people create an easy to remember password when they sign up for a service and never bother to change it, ever. This, however, is a huge mistake that many people, including Mark Zuckerberg make.
Hackers hacked Mark’s Twitter and Pinterest accounts and tweeted “Hey @finkd [Mark’s Twitter handle], you were in Linkedin Database”. This of course, doesn’t confirm that the hackers gained access to Mark’s account via the LinkedIn data dump, but IF this were true, it would mean that Mark had not changed his LinkedIn password in four years.
Mark wouldn’t be the only one to not change his password for an account in years. In October 2015 we conducted a survey and asked people around the world how frequently they change their passwords. In most countries, more than half of the people said they “rarely” or “never change their passwords”:
Rarely or never
Data breaches are nearly a daily occurrence now and this case proves that hackers can silently sit on hacked data for years before making it public.
Hackers can hack into a network using various methods, such as spearphishing or by exploiting a system vulnerability.
While a hacker or group of hackers that steal login credentials is dangerous, the situation gets much worse when they decide to post or sell the data on the darknet. A hacker by the name “Peace” is now selling data from the 2012 LinkedIn data breach on the darknet for 5 bitcoin (around $2,200). The data includes the emails and passwords of 117 million LinkedIn users. That’s 0.001 cents per contact. Anyone with a bit of cash who knows their way around the darknet can now purchase these credentials and do as they please with them.
If Zuck’s Twitter and Pinterest accounts were hacked using his LinkedIn credentials from 2012, it would not only mean that he hadn’t changed his password for years, but it would also mean that he used the same password for multiple accounts. This is a major no no!
If you use the same password for your email account and, for example, your LinkedIn account, hackers could access all of your emails as well. Not only that, but they could also request password changes to nearly any other online service you use. Since the hackers would have access to your email, they can access password change verification emails that are sent by services when a password reset is requested.
Again, Mark is not the only one who may not have changed his password after a major data breach. In the same survey from October, we asked respondents who claimed they had been the victim of a data breach what actions they took after they found out they had been affected. In all countries, only about a third of respondents said they changed their password for the website that was hacked. Even less changed their passwords on websites where they used the same password:
Percent of respondents that changed their password after finding out they were the victim of a data breach
Percent of respondents who changed duplicate passwords on other sites after a data breach
Passwords are like keys in the physical world. You probably don’t use the same key to protect your house, safe, and car and you shouldn’t use the same password to protect more than one online account. The first thing hackers do when they gain access to login credentials is try them out on other popular accounts, as most people treat passwords like master keys that open everything. And while it may be convenient to use similar passwords for each of your accounts, cybercriminals can figure out patterns and easily crack them, so make sure you use a unique password for each of your accounts.
You should make sure you use strong passwords that are more than eight characters long, include upper and lowercase letters, special symbols and numbers.
Change your passwords on a regular basis. Even if none of your accounts have been involved in any known data breaches, they could still be at risk. The data dump of LinkedIn credentials from 2012 that recently surfaced proves that hackers don’t always make hacked data public immediately after a hack.
You’re probably thinking: “How can I possibly remember strong, unique passwords for every account I have?” and rightfully so. That’s why you should use a password manager.Avast Passwords is an easy-to-use, cross platform solution that makes managing your passwords convenient and the premium version even alerts you if your email address popups in a database of hacked accounts.
Learn about the latest breaches, the biggest breaches, and what you can do to keep yourself and your information protected with our Avast Data Breach Survival Guide.
On May 2, celebrate World Password Day by leveling up the strength and complexity of these most critical of security measures — your passwords.