To say that Burger King’s Twitter account got hacked today would be giving way, way too much credit to the guilty party. Fact is, most of these “hacks” are actually just somebody guessing the right password. No l33t hacking involved. Just a 12-year-old, a couple of cans of Mountain Dew, and a few minutes.
Frankly, it’s your fault.
Does this sound like you: You have two, maybe three, different passwords that you use everywhere online. One for most of the sites you visit, and maybe an “extra high security” one for your banking. Every year or so, you change your passwords.
You think you’re clever because you’re not using normal words in your password, instead substituting a 1 for an I, or a 0 for an O. So if your husband’s name is Dave, you’re using the password ILoveD@ve and you sit back, glowing in your cleverness.
Know this: The hackers are onto you. They’ve figured out the punctuation trick. They know you probably have a password shorter than eight characters. They know your password has some kind of memory aid built in — the first letters of a common sentence, the name of your pet, and so on.
Step 1: Does your password meet the LaRD test?
Your password should pass my LaRD test: Length, Randomness, and Difference.
- Length: Stop using short passwords. Your password should be a minimum of 12 characters — 16 or more is even better.
- Random: Your password should be so random in its use of letters, numbers, and symbols that there is no possible way you could remember it. I’m talking something like this: >a]U86iRs7PTqRXc or idGu6pPN9(3w&tde or 2d3+PY*rxNjRuA3A.
- Different: You need a different password for every single web site you use. Yes, every single site. This will mean, of course, that you may have hundreds of different web site passwords. This is important because if a hacker breaks into one site and posts all the passwords (it’s happened before), anyone trying out that same password of yours on other sites will be thwarted.
I know what you’re saying: How on earth could I possibly remember one of those, let alone hundreds of them? Here’s the good news. You don’t have to.
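To make the LaRD test concrete, here is an added example (not from the original post or from 1Password) that generates a password the way a manager does, with the operating system's cryptographic random source, and scores any password against Length, Randomness and Difference. The 60-bit threshold and the five-word stand-in for a cracking dictionary are assumptions for illustration; the de-leet step shows why the "punctuation trick" in ILoveD@ve buys nothing.

```python
import math
import secrets
import string

# Alphabet a password manager would draw from: letters, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Hypothetical mini wordlist standing in for a real cracking dictionary.
COMMON_WORDS = {"love", "dave", "password", "welcome", "summer"}

# The substitutions behind the "punctuation trick"; cracking tools undo them.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

# Assumed bar for "random enough"; a 16-char manager password clears it easily.
MIN_ENTROPY_BITS = 60


def generate_password(length: int = 16) -> str:
    """Build a password with the CSPRNG in `secrets`, as a manager would."""
    if length < 12:
        raise ValueError("LaRD: minimum length is 12")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy assuming uniform choice from the classes used.
    Only meaningful for truly random strings; human-made ones score far lower."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def looks_like_words(password: str) -> bool:
    """Undo leet substitutions and see whether a common word remains."""
    plain = password.translate(LEET_MAP).lower()
    return any(word in plain for word in COMMON_WORDS)


def lard_check(password: str, passwords_on_other_sites) -> dict:
    """Return which of the three LaRD criteria the password satisfies."""
    return {
        "length": len(password) >= 12,
        "random": entropy_bits(password) >= MIN_ENTROPY_BITS
                  and not looks_like_words(password),
        "different": password not in passwords_on_other_sites,
    }
```

ILoveD@ve fails all three checks when it is also reused elsewhere, while a generated 16-character password passes them.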
Meet the Password Manager
I currently have passwords on 847 web sites. Each password is different. And I couldn’t tell you what a single one was if my life depended on it. I use 1Password, an excellent password manager, to create long, random passwords and remember them for me. When I need to log in to a web site, I just hit Command-\, which tells 1Password to automatically drop the right password into that site. The application itself is protected with a single “master password” that only I know.
Even if I’m not at my main computer, 1Password has a mobile app in which I can look up my password.
Step 2: Two-Factor Authentication
To keep your account even more secure, some sites offer “two-factor authentication.” Don’t get scared off by the nerdy name — all it means is that there’s an extra step to log in when you use the correct password from a computer that the site doesn’t recognize.
Here’s how it works for me: Every day, I log into Facebook from my main office computer. I use the correct password, and since Facebook sees the right password coming from the same computer every day, it learns that it can “trust” my computer. If I travel to, say, Florida and successfully log in using the right password from an airport kiosk, Facebook will consider that login suspicious (as well it should).
It’s similar to credit card companies that put a temporary hold on purchases that seem to be outside of your usual buying habits (“Uh… Tod doesn’t usually buy 144 boxes of infant formula in Romania… maybe we should check that out…”).
So Facebook, and other sites that offer two-factor authentication, make you confirm your identity by sending a short code (like 481955) to your cell phone via text message. Just enter that code when you’re logging in and the site will let you in and trust that particular computer from now on.
Sadly, few web sites offer this two-factor authentication. Those that do include Google, Facebook, Mailchimp, and Dropbox. Twitter does not yet offer this, so today’s Burger King login couldn’t have been thwarted by that.
Enough chatter. Do it now.
Even if all you do is use a different password on each site, you’ll be ahead of the game. Make a list of the ten sites you frequent the most, and change the passwords on them. Do it now. I’ll wait.