Identity security is in the news yet again in 2016, as Mark Zuckerberg is the latest high profile victim of poor password management.
This time around, the consequences are pretty minor. But if the passwords at your business are breached, don’t expect to be so lucky.
Here’s what you need to know and what you need to do in light of the Zuckerberg password hack.
Photo Credit: Wired
The Quick and Dirty Rundown:
On June 5th, 2016, a peculiar message showed up on Zuckerberg’s Twitter: “Hey @finkd (Mark Zuckerberg’s Twitter handle) we got access to your Twitter & Instagram & Pinterest, we are just testing your security, please dm (direct message) us.”
The message was from a hacker group called OurMine. Their account with Twitter was promptly suspended. Twitter, Instagram, and Pinterest took swift action and the breach was quickly patched up and account control restored to Zuckerberg.
No harm, no foul, right? Not exactly. As founder and CEO of Facebook – a company that has about 1.65 billion monthly users, all of whom want their identities and credentials to be secure – it doesn’t look good. Time will tell how the breach affects public opinion of Facebook, but in the first day of trading on the Nasdaq after the incident (6/6), FB was still in the green.
What was the Cause of the Breach?
The security weakness is a familiar culprit: password reuse.
The hack is being linked to the 2012 breach of over 100 million LinkedIn passwords, which was back in the news just weeks ago as CNN reported the passwords being sold on the black market.
Apparently, Mark Zuckerberg’s LinkedIn password was one of those unencrypted passwords for sale. OurMine Team got their hands on it and easily accessed Zuckerberg’s accounts, as they were protected by nothing more than a password linked to a public username.
This is a perfect case study in the benefits of Multi-Factor Authentication (MFA) requirements.
How Big of a Problem is Password Reuse?
The mistake Zuckerberg made is an all-too-common one. People are just too busy (and too forgetful) to want to bother with good password habits.
The facts speak for themselves:
- The average internet user has 25 online accounts, 6.5 passwords, and waits an average of 3.1 months before changing passwords. [Halock]
- 73% of users have the same password for multiple sites. One-third always use the same password. [Digicert]
If it weren’t for password reuse, the LinkedIn password leak wouldn’t have been as big of a deal. All hackers could have accessed with the LinkedIn passwords would have been LinkedIn accounts. Instead, millions of accounts spanning from banks to social networks to enterprise identities remain at heightened risk.
What was Mark Zuckerberg’s Password?
According to the hackers, the password that was compromised was ‘dadada’. Talk about a horrible password! It falls woefully short of any reasonable password requirements.
What are People Saying?
“Quit using the same password for multiple websites.”– Katie Rogers, The New York Times
“All members should take care to manage and change passwords across other sites, avoid reuse, leverage advanced security features, and update often.”– LinkedIn Statement to Users
“Without [a password manager], we risk exposing sensitive data in a way that it can put other accounts at risk, particularly via a data breach of one site, which is becoming an alarmingly common occurrence.”– Troy Hunt, Creator of Have I Been Pwned?
Now onto the important question…
How Can You Stop this Type of Hack from Happening to Your Business?
Change Your LinkedIn Password
LinkedIn has continued to experience fallout from its 2012 breach in spite of its best efforts to “stop the bleeding.”
They have required active users to change up their passwords, but that doesn’t reach long-dormant accounts like Zuckerberg’s (who apparently hadn’t been testing the job market with his résumé in the last few years).
So if you haven’t logged in to your LinkedIn account in a few years, do yourself a favor and get in there and change your password. Then you had better wrack your brain to try to remember if that old password is in use on any other online accounts.
If you’re a systems admin, IT guy, or just an employee who cares about your company’s well-being, consider using the Zuckerberg hack as a “learning moment” and send around an email instructing the staff to do the same. If a former LinkedIn password is currently the only thing protecting your company’s valuable IT resources, then you might as well have a target on your back.
Of course, LinkedIn isn’t the only site to have been hacked. So take 2 minutes on this website to scan your email address for leaks in which it has been targeted.
Set Stringent Password Requirements
“A high-end computer can now crack an eight-character password in 5.5 hours.”– Halock
I don’t necessarily expect the average person to understand the importance of password complexity. But a Harvard-educated programmer like Mark Zuckerberg? I expected better than a six-character password with no capitalization or special characters.
According to the hackers, the password that was compromised was ‘dadada’.
Of course, the strongest password is irrelevant without secure storage practices. Always make sure that your identities are stored one-way hashed and salted. If you want some insight into rigid security practices, we’ve shared JumpCloud’s security practices on our KnowledgeBase.
Train Your Employees
Proper security practices begin and end with the user. So make sure to train (and re-train) your employees on the best practices for password security. Still, no amount of training can totally overcome the human capacity for error (and sheer indifference). That’s where the next method comes into play.
Employ a Password Manager
The New York Times published an article written by Katie Rogers on June 6, 2016 in the wake of the attack titled, “If Mark Zuckerberg Can Be a Hacking Victim, So Can You.”
Password managers give IT greater control over users’ passwords. A good password manager should enable admins to set password complexity requirements along with limitations on password reuse. Automatic password rotation can be enforced by a password manager so as to eliminate the possibility of an old password coming back to haunt you, like what happened to Zuckerberg.
At JumpCloud, we’ve been preaching the good word of password managers for years. Our Directory-as-a-Service® (DaaS) features a robust password rotation capability which when dovetailed with a password manager makes it much more likely that you’ll have unique passwords.. If you’re interested in securing your identities and gaining centralized control over user management, you can learn more about DaaS here.
Employ Multi-Factor Authentication (MFA)
As I mentioned above, MFA would have stopped the Zuckerberg hack in its tracks. MFA makes your passwords exponentially more secure by asking for multiple forms of authentication. A password is no longer enough, as a second token (such as keycard or a code sent to a user’s phone) is required.
Learn more about how to implement MFA here.
Want to Learn More about Managing and Securing Identities?
Here are three key resources to help you improve the security of passwords at your organization.
(1) 15 Security Threats
We put a spotlight on the risks of the LinkedIn password breach and poor password management last summer in this thorough list of the top security threats faced by IT. Just because you now know about the risks of password reuse, doesn’t mean you’re safe from the other 14 security threats.
An accompanying SlideShare for this resource can be found here.
(2) IT Password Security: Best Practices, Resources, & What to Avoid
This in-depth blog post offers up tips on how to make better passwords (that you can still remember) and gives a thorough run-down of best practices in password security for IT admins.
Check it out here.
(3) The 2020 IT Guide to Identity Management
We’ve made The 2020 IT Guide to Identity Management available for free online [link].
This PDF lays out the new Identity and Access Management landscape, along with the biggest challenges and the most effective solutions.
Will Businesses Learn from Zuckerberg’s Hack?
I hope so. But I wouldn’t count on it.
You wouldn’t believe how many businesses we talk to at JumpCloud who weren’t concerned about their identity security until it was too late. So many people think, “It could never happen to me!”
Don’t find yourself wishing that you had employed better security practices after it’s too late to do anything about it. Change your LinkedIn password today – and, even better, leverage a password manager, institute MFA for everything that you can, and think about a cloud-based directory service to manage your identity management strategy at your business.
Zuckerberg’s lucky that the only accounts of his that were compromised were relatively trivial social media accounts. If this account compromise got all the way up to the top of Facebook HQ, potentially compromising his $49B in assets… then this would be one of the biggest hacks of the century.