For the Cracked

You log on to Facebook, and see twelve messages from your friends saying, “Hey, did you just send me a link about weight loss pills??”

Yep, your account has been cracked.

The main reason accounts get “hacked” is that their passwords are easy to steal or guess. Maybe you left your account logged in somewhere and someone hijacked the session, maybe you typed your password into a convincing fake login page, or maybe you logged on from a computer infected with a key-logger. Now that your account has been cracked, there is a second concern: if any of your other web accounts use the same password, you have to assume they have been compromised as well (attackers routinely try a stolen password against every other popular site), and you will need to change those passwords too.

I highly recommend that you set yourself up a Last Pass account. Let me preface this by saying RBG has no affiliation with Last Pass; it’s just a great enough tool that we use it ourselves, and recommend it for your personal use. Last Pass is a password manager that stores all your passwords online in an encrypted “vault”. With Last Pass you choose a “master password” for your account; the key that encrypts the vault is derived from that master password, and the encryption happens on your own computer before anything is uploaded, so the Last Pass servers only ever hold the scrambled copy. The password manager keeps track of all your passwords for you, so you don’t have to try to remember them all. That makes the master password the one password you must get right: make it long, never reuse it anywhere else, and don’t forget it, because Last Pass cannot decrypt your vault without it. You can install the Last Pass plugin in your web browser. Then all you have to do is sign in to Last Pass, and every time you log in to one of your accounts, it will ask if you would like Last Pass to store your login information.

You can organize your accounts into categories if you like, and there is a place for you to make some notes as well. Once your password is stored, the next time you visit that site while logged in to Last Pass, it can automatically fill in your login info for you. You can even tell Last Pass to automatically sign you in to your accounts without having to go to the login page if you like.
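To make the “encrypted vault” idea concrete, here is an added illustration of the design principle (my own stand-in, not Last Pass’s code or its actual scheme): the vault is serialized, encrypted on the client with keys stretched from the master password by PBKDF2, and authenticated, so a wrong master password or a blob altered on the server is rejected before anything is decrypted. Everything is from the Python standard library; the HMAC-in-counter-mode cipher is an assumption chosen so the example runs without extra packages, and a real implementation would use AES-GCM or another vetted authenticated cipher. The iteration count and the sample vault are made up for the example.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

# Illustration only: the design principle behind a password manager's vault.
# Not Last Pass's construction. A production vault would use a vetted AEAD
# (e.g. AES-GCM); HMAC-SHA256 in counter mode stands in for the cipher here.

PBKDF2_ITERATIONS = 600_000  # assumed work factor; slows down offline guessing
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a separate MAC key.

    This runs on the client; the master password itself never leaves the machine.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode: keystream block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, entries: Dict[str, dict]) -> bytes:
    """Encrypt the vault client-side. Output layout: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC: the tag covers everything the server could tamper with.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> Optional[Dict[str, dict]]:
    """Check the tag first; return None for a wrong master password or a modified blob."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong password gives a different MAC key; tampering changes the data
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


# Constructed sample vault for the demonstration.
SAMPLE_VAULT = {
    "facebook.com": {"user": "alice@example.com", "password": "v9#Qp2!mZ7&Lk4@Xc1$R"},
    "bank.example": {"user": "alice", "password": "T3%Hn8^Wq5*Jd0(Bf6)Y"},
}

if __name__ == "__main__":
    blob = seal_vault("correct horse battery staple", SAMPLE_VAULT)
    print("server-side copy is opaque:", b"alice" not in blob)
    print("right password:", open_vault("correct horse battery staple", blob) == SAMPLE_VAULT)
    print("wrong password:", open_vault("wrong", blob))
```

The point of the layout is that the server stores only salt, nonce, ciphertext and tag; none of those reveal the master password or the entries, and the slow key derivation is what makes an offline guessing attack on a stolen vault expensive.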

If you have an account that has access to sensitive information (like an Amazon account that has your credit cards on file), you can have Last Pass prompt for your master password a second time before it fills in your information, in case you accidentally leave yourself logged in on a computer someone else has access to.

That’s all great, but there are a few other reasons I highly suggest Last Pass, and I have a few other suggestions about general online security. I use Last Pass to store my personal and sensitive information like bank account numbers, credit card numbers, and so on, in “secure notes” – encrypted notes that let me automatically fill in forms on web sites without having to go look up all that information. Auto-filling also helps against key-logger software, since you never type the card number or password, but it is not a cure-all: a key-logger still captures your master password when you type it, and malware that can read what the browser fills in can read the vault once it is unlocked. If you suspect a computer is infected, clean it before logging in to anything from it.

Last Pass also has a password generator, and this leads me to one of the most important security tips I have for you: I highly recommend that you change all of your short passwords to long, secure passwords of at least 12 characters. Since you only have to remember your master password, and Last Pass takes care of the rest, you don’t have to worry about forgetting long passwords. All of my passwords are random 20 character long keys. There’s no way anyone is ever going to crack any of them by brute force; a 20-character password drawn at random from letters, digits and punctuation represents roughly 130 bits of guessing work, far beyond any attack. I have a different, random key for each account I use. If you have a commonly used account that you don’t want to have to bother logging in to Last Pass every time you access it, here’s a handy trick for you: use a formula to generate long, easy to remember phrase-based passwords. For example, maybe use something like “Mygreatfacebookpassword8”; the formula for that would be “My” (with a capital M), “great”, the name of the account, “password”, and a number. You fill in the name of the account, always use the same number, and you have a long, easy to remember password. Be aware of the trade-off: a formula password is much weaker than a random one, because anyone who sees just one of them (for example in a leaked password database) can read off the formula and guess the rest. Keep it for low-value accounts, and never use it for your email, your bank, or your master password.

[Comic: “Password Strength”, comparing hard to remember passwords with long, easy to remember ones.]

Remember, because your passwords are stored in the cloud, you can access Last Pass anywhere you have an internet connection. I doubt you’ll ever need to access your passwords from somewhere that you don’t have internet. But wait, there’s more: Last Pass also has an excellent security check feature. It will analyze all of your stored passwords and show you how secure each of them is, as well as point out any duplicate passwords you are using. I used the security check to go back and change all of my passwords to unique secure ones, and I have well over 100 different online accounts. Last Pass made it easy.
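Here is an added example (mine, not Last Pass’s code) that puts numbers behind the password advice and the security check described above: it generates passwords the way a password generator should (from the operating system’s randomness, via Python’s secrets module), estimates how many bits of guessing work a password represents, and then runs a small security check over a constructed vault, flagging reused passwords, short passwords, and passwords built from the site name the way the “formula” trick does. The vault contents, the 1e12 guesses-per-second rate and the 12-character minimum are assumptions for the example.

```python
import math
import secrets
import string
from typing import Dict, List

# Illustration of a password generator and a vault "security check"; not Last Pass's code.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG (secrets), never from the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Exact entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to try every possibility at an assumed guessing rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def naive_strength_bits(password: str) -> float:
    """Charset-times-length estimate, the way simple strength meters compute it.

    It is only an upper bound: it credits 'Mygreatfacebookpassword8' with more bits than
    a random 20-character password, although anyone who sees one formula password can
    guess the rest. That is why the audit below also looks for the pattern itself.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return len(password) * math.log2(charset) if charset else 0.0


def audit_vault(vault: Dict[str, str], min_length: int = 12) -> Dict[str, list]:
    """Security check over {site: password}: reused, short, and site-name-based passwords."""
    findings: Dict[str, list] = {"reused": [], "short": [], "contains_site": []}
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
        if len(pw) < min_length:
            findings["short"].append(site)
        label = site.split(".")[0]  # "facebook" from "facebook.com"
        if label.lower() in pw.lower():
            findings["contains_site"].append(site)
    findings["reused"] = [sites for sites in by_password.values() if len(sites) > 1]
    return findings


# Constructed sample vault: two formula passwords, one password reused twice, one random one.
SAMPLE_VAULT = {
    "facebook.com": "Mygreatfacebookpassword8",
    "amazon.com": "Mygreatamazonpassword8",
    "bank.example": "Summer2013",
    "forum.example": "Summer2013",
    "work.example": "q7$Vb2!Lm9@Zp4&Kw1#X",
}

if __name__ == "__main__":
    print("fresh random password:", generate_password())
    bits = random_entropy_bits(20)
    print(f"random 20 chars: {bits:.0f} bits, {years_to_exhaust(bits):.2e} years to exhaust")
    for site, pw in SAMPLE_VAULT.items():
        print(f"{site:15} {naive_strength_bits(pw):6.1f} bits (naive estimate)")
    print(audit_vault(SAMPLE_VAULT))
```

Running it shows the naive meter rating the formula passwords above the truly random one, while the audit still reports them under contains_site; that mismatch is the reason a manager’s security check looks at patterns and reuse rather than length alone.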

You can also set up multiple users in your Last Pass account, so my wife and I both have user profiles. When she logs in she doesn’t have access to all my work-related accounts. RBG actually uses Last Pass Enterprise to manage all of the account information we have to juggle.

Finally, here’s one last tip: if possible, always make use of multi-factor authentication. That means you will have a secondary security check in addition to your password, so a stolen password alone is not enough to get in. This is the single most important way to ensure your accounts are secure. Last Pass allows you to use several different methods of multi-factor auth. I opted to use the YubiKey, a small USB key, much like a thumb drive. In order to sign in to my Last Pass account, not only would you have to have my master password, but you would also have to plug in my YubiKey. The YubiKey has a small touch sensor (it detects a touch, not your fingerprint): place a finger over the sensor, and the YubiKey generates a one-time code that is different every time, so a code that someone captured is useless afterwards. If you’d rather not buy a YubiKey, you can also follow the instructions on the Last Pass website to set up multi-factor authentication with a printed grid that you keep in your wallet, or even a special portable program that you install on a thumb drive.

More and more online accounts are offering multi-factor authentication options, and I suggest you make use of them whenever possible (see this Lifehacker article). I use my Google accounts a lot: not only is my Google account secured by a long password, but you would also have to have my iPhone in order to log in. I use a special app (Google Authenticator) that generates a six-digit passcode that changes every 30 seconds; the code is not random but is computed from a secret shared between the app and Google when you set it up, plus the current time, so only a phone holding that secret can produce it. I use the Facebook code generator to secure my Facebook account. Now you may think that this is paranoid or overkill, but if someone got access to one of my accounts, they could do an incredible amount of damage, be it stealing my social security number, credit card numbers, or finding out private information with intent to physically harm me or my family; the way I see it you can never be too secure.

So please take these steps:

  • Get a password manager – there are other great password managers out there, but I personally trust and use Last Pass.
  • Change all your passwords to long, random ones, unique to each account – ideally making use of the Last Pass security check and password generator.
  • Set up multi-factor authentication on every account you can – I really love my yubikey.

If you have any questions, please give us a call. We will be happy to help you in any way we can. Please pass these suggestions on to anyone you know who you think may benefit from a more secure web presence.

Sorry you got “hacked” but I’m certain if you follow this advice it will never happen again.