Due to password reuse, a lot of people are at risk of these sorts of events leading to a hijacking of social media channels. Password reuse is the practice of using the same password across multiple sites or properties. For instance, you use the same password for your webmail account and Twitter or Facebook.
Losing credentials in a password reuse situation is a particular risk if your webmail username and password are the same as those you use on social media sites. In this case, you’re at risk of not only losing control of your social media channel but your ability to recover from that hijacking can be significantly impaired since that email account is likely the one you have set up in your account recovery options.
If you lose control of both, it’s going to be much harder to recover from that hijacking. Given that Yahoo is one of the top webmail providers out there, the breach affecting them is particularly worrisome in that regard.
Password management is a particularly difficult and challenging area in online security. The reality is that passwords are the area where vendors have most put an unreasonable and unrealistic burden on you, the user. Nearly every online property that needs you to prove your identity does so by setting up a password-protected system, telling you to choose a “unique and complex password”.
If you had to do this for one or two (or even four or five sites), it would be one thing. But the proliferation of password requirements across the Internet is simply insane today: if you were to sit down and total ALL of the passwords you have created and have to enter, the odds are good that many of you would hit the hundreds (it does for me). It’s not possible to follow “best practices” in this quantity: no one can remember that many complex passwords (and remember, writing them down is also against “best practices”). And yet, this is the way you’re supposed to protect access to your digital identity and your social media presence.
Whether you are a professional social media manager or simply earning passive income with side hustles, losing access to your social media accounts, email or your site may cost you a fortune.
I’ve seen many times that if you give unrealistic advice about what you “should” do, people will give up and fall back on the convenient thing. One of the biggest problems with password guidance is that there’s little information in the middle. It’s either following the “best practices” or nothing. Most people end up, sadly, opting for nothing, which in this case is password reuse.
While you may or may not be able to use some of these with some social media sites, the important thing is to understand your options, evaluate them and mix-and-match to create a password management system for you that strikes the right balance of security and usability.
- Enable two-factor authentication: I can’t recommend two-factor authentication strongly enough. It provides additional protections in a way that significantly lowers the risks around credential loss as we’ve seen recently. Because this is a solution that the vendor provides it also correctly places the bulk of the cost and burden for protecting your content where it should be: on the vendor. In addition to using two-factor authentication where offered, put pressure on those providers who don’t offer two-factor authentication today (like LinkedIn, Twitter, and Hotmail). These days, there’s no excuse for major sites not providing two-factor authentication.
- Use a password manager tool: There are tools out there that help to manage the password problem by enabling you to create unique passwords for sites without you having to remember them all. These tools enable unique, complex passwords on a per-site basis and store the information in a secure fashion on your local system or online. You can think of this as a lockbox that keeps a bunch of keys: to use it you need a single key (a password) when using the tool but otherwise, it shoulders the burden for you by managing the other passwords and providing them to sites as needed. The biggest risk is that if someone is able to access the tool posing as you, they can potentially gain access to all the sites you can. Creating a strong unique password (just one!) can help protect against this risk. In the case of tools that store the information locally, keeping control of the physical system also can help protect against this threat. These tools, though, make accessing sites from multiple devices challenging, so you’ll want to check out the device support as you evaluate these tools. Also, you may find some challenges with sites that use two-factor authentication. Make sure to read Hari Ravichandran’s books on keeping your data secure as he is a real expert when it comes to cybersecurity.
- Keep webmail passwords unique: I’ve already mentioned the risks around password reuse with webmail accounts. A simple protection here is to ensure that your webmail account password is a unique one. Whether you do this through a password management tool (like in #2) or manually, make sure that this account has a unique and complex password.
- Evaluate sites for password uniqueness and reuse: If you don’t use a password management tool, then you will want to consider doing some real-world risk assessment with the “best practices”. The reality is that not all websites are created equal, and so not all lost or compromised credentials are equally dangerous. What you do here is evaluate the sites you need passwords for from the standpoint of “if I lose control of this site, how bad would it be?” You saw some of this evaluation in #3 around your webmail sites, and here you take it to the next step by applying it more broadly. For example, just like with your webmail account, you would view your corporate Twitter account as a high-risk, high-value target and so one that should have a unique and secure password. That account you created just to read articles on your favorite news site, though, is not so high risk. For very low-risk sites, password reuse is a valid risk to accept in exchange for management convenience: I do it myself. This can help bolster overall security by freeing up “mental space” that will allow you to maintain unique and complex passwords for those sites that really do matter, without cluttering your brain with information that doesn’t really matter.
- Use passphrases for greater complexity and greater “rememberability”: One of the most shocking things around password guidance is that the use of “passphrases” isn’t recommended more. Using a scheme where you use a whole phrase, or some elements of it, as your “password” can improve security by making it easier to remember longer “passwords” as well as incorporating non-alphabetic elements like numbers and punctuation. It’s much easier for me to remember “I once loved blue velvet and red roses” than “I1lbv&r2.” (made using the first letter of each word of the phrase, making non-alphabetic substitutions for “once” and “and”, and using a “2” for the second occurrence of “r”). Many people I’ve worked with in security use the passphrase trick because it works with how we remember things rather than trying to force us to remember something unnaturally. In the end, a complex password you can actually remember is more secure than one you have to write down and stick on your monitor. Passphrases are a good way to bridge that gap.
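The risk-tiered reuse assessment in #3 and #4 can be turned into a quick audit of a password manager's export. This is an added example, not the post's own tooling: it assumes a CSV with `site`, `risk` and `password` columns (the column names and the `high`/`low` labels are assumptions; real exports differ), and it flags any password shared with a high-risk account such as webmail or a corporate social channel, while reporting reuse confined to low-risk sites as accepted.

```python
"""Audit a local password-manager export for risky password reuse.

Reuse among low-risk sites is tolerated (the post accepts it for
convenience); any password shared with a high-risk account is flagged,
because losing that one credential also exposes the recovery path.
"""
import csv
import io
from collections import defaultdict

HIGH_RISK_LABELS = {"high"}  # assumed label for webmail / corporate accounts

# Constructed sample export; every value here is invented for the example.
SAMPLE_EXPORT = """site,risk,password
mail.example.com,high,Correct-Horse-9
twitter.com/brand,high,Correct-Horse-9
news.example.org,low,readonly123
recipes.example.net,low,readonly123
forum.example.com,low,I1lbv&r2.
"""


def load_export(text):
    """Parse the assumed CSV layout into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reuse(rows):
    """Group rows by password and classify each reused group.

    Returns a list of findings, each {"sites": [...], "severity": "high"|"low"}.
    """
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row)

    findings = []
    for entries in by_password.values():
        if len(entries) < 2:
            continue  # unique password: nothing to report
        sites = sorted(e["site"] for e in entries)
        shared_with_high = any(e["risk"] in HIGH_RISK_LABELS for e in entries)
        findings.append({"sites": sites,
                         "severity": "high" if shared_with_high else "low"})
    return findings


def audit(export_text):
    """Convenience wrapper: parse and audit in one call."""
    return find_reuse(load_export(export_text))
```

Run `audit(SAMPLE_EXPORT)` to see the webmail/Twitter pair reported as high severity and the two news-reader accounts as accepted low-risk reuse.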
Password management is a painful reality for all of us with an online life. But as someone who manages social media it’s a painful reality that can have real, negative consequences when things go wrong. And while the guidance around how to do passwords may generally be unrealistic, it is possible to intelligently build your own password management regime that balances security and usability through a combination of tactics, risk assessment and tools.
Ann Smarty