Twitter announced Thursday that it had found a bug in its system that stored users’ passwords in plain text. It asked all 330 million of its users to change their passwords even though no “breach or misuse” had been detected.
In light of this, I thought I’d share some practices I’ve taken up to prevent random folks from taking over my Facebook account and start sending strange links to people in my contacts list (among other things).
Password managers
These are tools that store all your account logins and associated passwords, and help you come up with unique, strong passwords, so in the end you really only need to remember one really strong password.
Yes, these are tedious to set up and require you to manually change every single one of your accounts’ passwords. However, it helps protect against two of the most common ways attackers get into your accounts.
- Easy-to-guess passwords. Because the job of remembering all the passwords you need is left up to your software of choice, you don’t have to rely on easy-to-remember and easy-to-guess passwords such as “password” or “12345678”.
- Reused passwords. If you (like I used to) use the same password across many websites, you run the risk of having ALL your accounts broken into if just one website’s security is breached. Password managers help prevent this by allowing every single one of your accounts to have a separate, strong password.
As a bonus, it makes life so much easier once you set it up.
No more trying to come up with a variation of your usual password to meet a new account’s requirements, or agonizing over what new password to choose when you go to reset a password and you’re met with the dreaded “new password can’t be a previous one.” Most password managers do a great job of generating a new, strong password and remembering it for you.
Two factor authentication
Again, this can seem annoying, but having to enter a second passcode generated on your phone every time you sign in means that even if an attacker from halfway around the world has your password, they’d still be SOL unless they somehow managed to grab your phone too.
The most common (and probably best) way this is set up is with an app, such as Google Authenticator. These apps use fancy math to give you a random-looking, six-digit code that refreshes every few seconds, which you enter into whatever site you’re trying to log into. For its own accounts, Google also offers the option to confirm your identity through its app without a code.
A lot of other services still allow you to receive a verification code via a text message, but this method is questionable simply because it’s fairly easy to intercept texts.
Don’t take candy from strangers
Basically, if a stranger sends you a link, don’t click on it. If one of your contacts sends you a link with a vague or out of character comment, don’t click on it. Be wary of websites sending you an email out of the blue and telling you to follow a link to reset your login. At the end of the day, being careful is the best defense against having your account information stolen by an imposter website.
It’s also important to note that just because your browser displays a closed padlock symbol to the left of a web address doesn’t necessarily mean the site is legitimate. There are multiple companies that are able to give websites that padlock for free, not to mention that they have the potential to be spoofed.
These are just the tools and practices I’ve picked up over the years. They’re a good start and should be enough for most people, but if you’re the paranoid type I really suggest doing some research of your own to come up with a setup that works for you.
Updated 5/5: I edited the “Don’t take candy from strangers” section to remove any mention of a padlock (https) being a good indicator of a site’s legitimacy. H/t to my friend Maryn for helping me make this piece as accurate as possible!