I recently received a strange email – One welcoming me back to Facebook. I was an early adopter of Facebook but deactivated my account on privacy grounds many years ago so alarm bells started ringing immediately.
The first thing I did was check that I wasn’t being phished. Nope, the link was legitimate. That left only one explanation for it: My Facebook account had been hacked. I immediately logged in, changed the password and deactivated the account again.
Was Facebook as a company hacked? Almost certainly not. So how did this happen? I used the same password on multiple internet accounts which I’d guess you’ve probably done at some point. It wasn’t an awful password by any means – 12 characters long and it included at least one special character (like $&:@), one digit, uppercase and lowercase letters and was not a dictionary word or anything you’d find in print anywhere. I also didn’t use the special character to replace a letter (e.g. p@ssword) because I understand reasonably well how password crackers work.
The most likely explanation for this is that at some point in time another site got hacked and I had used the same email address and password on that other site that I used for Facebook. I know for certain that multiple sites I’ve previously been registered on have been hacked because of haveibeenpwned.com which is an excellent service that I highly recommend you sign up for. What happened is that one of those hacked sites either had my password stored without encrypting it or stored with weak encryption. Someone took that password along with the email address and logged into my facebook account. Doh!
I know this wont happen to me again with any other site because I took a simple piece of action around the same time I’d closed my facebook account. For a long time now I’ve been using a password manager. Password managers create and store different, ridiculously secure passwords for each site you log into. I now only remember 4 stong passwords:
– My laptop disk decryption
– My laptop login
– An SSH server that I like to be able to access from anywhere in the world (and yes, the fingerprint for it for those that know what that is)
– My password manager
My password manager creates and remembers different passwords for every site I log into. It makes passwords that look like this: EikgYr0i3enrZs6IS4bp. I have no chance of remembering it but I don’t need to. I have a browser plugin that sees I’ve gone to a site like gmail.com, asks the password manager for the username and password and fills in the login details for me. More importantly it would be more or less impossible for a password cracker to crack that password and even if that did somehow happen it would only affect one account.
Make the move yourself
It’s a whole lot less painful than you’d imagine to start using a password manager. Every time I logged into a service for the first time since getting the password manager I would change the password (just once). Log into LinkedIn with your usual password? Change the password to one generated by your password manager. Logged into reddit with your usual password? Change the password. Password manager generates the new one and remembers. Pretty quickly the number of times per day you do this heads towards zero. Sign up for a new account? Password manager generates the password and remembers it for you. Annoying bank requires a stupid password with lots of restrictions that needs to be changed every 60 days? Not to worry!
All in all, adopting a password manager is one of the best ways you can improve your online security.
Personally, I use an app called KeePass2. There are open source plugins that work for your favourite web browser and apps for your phone. It’s a little fiddly to get set up the first time but well worth the few minutes effort.
Like the idea but you’re not very technical? Privacytools.io recommends Master Password – https://ssl.masterpasswordapp.com/ though I haven’t used it myself.
If you’re looking for a convenient way to help protect your privacy and security online, check out our portable VPN router, the InvizBox Go.