Lessons From Mark Zuckerberg's Social Networking Account Breach
NEWS ANALYSIS: Facebook founder and CEO Mark Zuckerberg made a mistake that many, perhaps most, people make and reused passwords for some social networking sites.To some extent, the breach that got Facebook's Mark Zuckerberg was more an amusing lesson than a catastrophe. Zuckerberg's LinkedIn login information was taken in the massive breach of that service four years ago, but it wasn't made public until a few weeks ago. When hackers found Zuckerberg's password, they tried it in other places, briefly hijacked his Twitter and Pinterest accounts, and then bragged about it online. Fortunately, Zuckerberg has a top security team, so the password problem was fixed almost instantly. Apparently, Zuckerberg overlooked the passwords on some accounts that he uses only infrequently, and when they were set up years ago, nobody thought much about security. Today they do. One of the basic rules about security when it comes to passwords is that you should have unique passwords for every place you visit online that uses passwords and that you should change them periodically. This is a good rule, and if everybody followed it, we'd see fewer breaches like the one that caught Zuckerberg. But almost nobody follows the advice because it's hard. Really hard. Think of all the places where you enter your user name and password and add them all up. It will certainly be in the dozens when you count your corporate, financial and sensitive services, such as your medical records. Then add your social media sites, recreational and shopping sites, and you could start getting into the hundreds. This would mean that you create and keep track of hundreds of unique passwords that are complex enough to preclude guessing.
It also requires making sure they can't be guessed because user names are frequently known publicly, what with the current trend of requiring your email address as your user name on many sites. This means that a hacker really only has to guess one thing to get into your accounts—your password. So it needs to be good.