To some extent, the breach that got Facebook’s Mark Zuckerberg was more an amusing lesson than a catastrophe. Zuckerberg’s LinkedIn login information was taken in the massive breach of that service four years ago, but it wasn’t made public until a few weeks ago. When hackers found Zuckerberg’s password, they tried it in other places, briefly hijacked his Twitter and Pinterest accounts, and then bragged about it online.
Fortunately, Zuckerberg has a top security team, so the password problem was fixed almost instantly. Apparently, Zuckerberg overlooked the passwords on some accounts that he uses only infrequently, and when they were set up years ago, nobody thought much about security. Today they do.
One of the basic rules about security when it comes to passwords is that you should have unique passwords for every place you visit online that uses passwords and that you should change them periodically. This is a good rule, and if everybody followed it, we’d see fewer breaches like the one that caught Zuckerberg. But almost nobody follows the advice because it’s hard. Really hard.
Think of all the places where you enter your user name and password and add them all up. It will certainly be in the dozens when you count your corporate, financial and sensitive services, such as your medical records. Then add your social media sites, recreational and shopping sites, and you could start getting into the hundreds. This would mean that you create and keep track of hundreds of unique passwords that are complex enough to preclude guessing.
It also requires making sure they can’t be guessed because user names are frequently known publicly, what with the current trend of requiring your email address as your user name on many sites. This means that a hacker really only has to guess one thing to get into your accounts—your password. So it needs to be good.
And now we come to the problem that confronted Zuckerberg and which almost certainly confronts you now. How do you create those passwords and how do you keep track of them? It’s a daunting task, especially in cases where it’s an account you rarely use.
Fortunately, there’s an answer. Password managers are available from a variety of sources. They’re frequently free for individuals, but there are also enterprise password managers. There are a couple of very nice, very secure password management devices for situations when software on your computer or in the cloud just isn’t secure enough.
For years, I’ve used the password manager from Mandylion Labs for things that are really important. This is a token that will create complex passwords for you, and it will keep track of up to 50 logins. You can access the token through a keypad and small screen or through a USB connection. The keypad requires a coded set of button presses, and if you get them wrong, it can lock the token or erase it completely.
Not everyone is ready for a password manager with military-grade security, so there are plenty of software password managers available. Most will work on Windows computers and on Android and iOS devices. Some will also work on Mac OS devices.
Lessons From Mark Zuckerberg’s Social Networking Account Breach
All of the password managers I’ve seen and used recently will support a wide range of logins on nearly any site you can reach online. Most of them work in the background, and a few will audit your passwords and tell you if you have duplicates and then will help you find a new password and make changes.
Probably, the most popular password manager is LastPass, which is available in free, paid and enterprise versions, and supports virtually any computer or mobile device. Unlike some competing products, it works on Windows and Mac computers but also runs on Linux and Unix machines and supports a wide range of mobile devices running iOS, Android, Windows and others.
For those who want a familiar name in security, Norton offers its Identity Safe password manager, which is free for individuals and runs on Windows computers and on Android and iOS mobile devices. Symantec (which owns Norton) makes its VIP Access Manager for enterprises, which is designed to work with a variety of directory management services, including Lightweight Directory Access Protocol (LDAP) and Active Directory.
LastPass and the Symantec products are cloud-based software that store passwords in a secure cloud environment. Or at least it’s supposed to be secure, although LastPass had a breach of its password hint file for its master logon a couple of years ago.
There are password managers that exist on only one device, which may be more secure, but are much less useful now that nearly everyone has multiple devices that they use for most online activities.
LastPass has one benefit in that it also stores its password vault on the device itself, so you can still log in to sites you need, even if the LastPass cloud storage isn’t available or if you don’t have an Internet connection. The Norton software requires an Internet connection, and the Symantec enterprise software can keep its data in your internal cloud.
At this point, I can’t tell you which of the many similar password managers are the best, and this is certainly not a comprehensive list. But if you’re overwhelmed by the daunting task of keeping up with your password, this are a good place to start. And you should start, because not doing so is a quick road to insanity, or at least an embarrassing breach.