When you think about identity theft, a few things probably come to mind immediately: social security numbers, credit reports, and your financial accounts.  Often overlooked, though, are social media accounts, which are an increasingly popular target for online hackers and fraudsters.

According to the 2017 Norton Cyber Security Insights Report, 34% of consumers or someone they know experienced “unauthorized access to or hacking of an email or social media account.”  Survey results published by the University of Phoenix in 2016 showed that nearly 2/3 of American adults with social media accounts believe their accounts have been compromised.

So what can you do to help prevent your social media accounts from being hacked?

1.  Stop Reusing Passwords

Historically, passwords have been a pain to manage: many organizations have forced password security policies on their users that can increase the risk that those passwords are compromised.  Complexity rules, expirations, and the number of accounts a user has to track across their personal and professional life often results in shared passwords across multiple accounts, significantly impairing the security of those accounts.  

Relatively short passwords that expire every 90 days and that only meet complexity requirements when the users add “!” to the end are common in workplaces today.  Unfortunately, per this Washington Post report, this practice is so common that hackers have adapted their techniques to it, rendering them only as secure as or weaker than the original, base password.

Passwords should be unique for each account

Reusing passwords dramatically reduces their strength.  Suppose you use the same e-mail address for multiple services like Twitter and Facebook and the credentials for one of those accounts is compromised.   Now suppose you reuse a base password of SuperSecurePW and alternate endings composed of one special character like a question mark and your base password is stolen.

The hacker can assume your e-mail address is the same and simply reuse the base password with varying special characters until one of them works, unlocking your account and allowing the hacker to impersonate you online to friends, family, and colleagues.  This can expose critical information that may assist in other targeted attempts to take over their accounts or that may make it easier for the hacker to defraud your friends out of money while impersonating you.

2.  Create Strong Passwords

Passwords are hard to remember, so we try to come up with ways to meet the minimum password security requirements without making the password too long to remember.  Unfortunately, this typically means we unintentionally make our passwords easier for computers to crack.  So how do you make a password that is secure and still relatively easy to remember?

The National Institute of Standards and Technology (NIST) is a government entity whose responsibilities include providing documented standards for government and business purposes.  In NIST Publication 800-63B, released in June 2017, they provided guidance on a better way to create secure passwords:

• Don’t create a “password;” create a “passphrase.”  Passphrases should be long, combining multiple words or phrases, to make the passphrase harder to guess.
• Complexity < Length.  Extra long passphrases are your friend: longer passwords are harder to guess, so worry a little less about having the right combination of capital and lowercase letters, numbers, and symbols and, instead, aim to create a long phrase.  Feel free to include punctuation, spaces, symbols, or numbers, but it’s character count that matters most here.
• Passphrases should be unique to you and something you can easily picture in your head.  “TeaCup,SittingontheMantle” is significantly more secure and easier to remember than “T3@Cup!”
• Don’t change your password periodically unless there are signs it has been compromised.  Frequent password changes just make it harder to remember your password, so don’t change them unless it’s really needed.

3.  Consider Using a Password Manager

Password managers are tools that help you securely create, store, and use passwords.  They can automatically generate long, difficult to guess passwords, automatically fill them into web pages, and encrypt your data so that your credentials stay safe, even if the password manager itself is hacked.  These tools work by having you create an account with a single, secure password.  This password protects all of the other passwords you store in the app, so it needs to be very strong.  There are dozens of password products on the market, but a few of the high rated and most convenient alternatives include:

• LastPass.  These guys have been in the credential management space since 2008.  LastPasses encrypts your information and stores it in the cloud so you can access it from anywhere.  They offer browser add-ins to help automatically fill web pages, they can automatically create secure passwords for you, and their web interface makes it easy to create and manage new ones whenever you need.  An added bonus of LastPass is that it can automatically change passwords on many sites with the click of a button if you have a reason to be concerned about your account security.  Their mobile app (for paid customers) will automatically fill many passwords on your Apple or Android devices.  The free plan will work for many people, but if you want mobile functionality, 2 Factor Authentication, or password sharing, that will set you back $24/yr.
• Dashlane.  Dashlane has been around since 2011 and offers many of the features found in LastPass.  Like LastPass, Dashlane is a cloud-based solution so you can use it from all your devices with ease.  For most users, Dashlane is going to have feature parity with LastPass, but with one notable exception:  Dashlane now features a desktop version of their software, which allows you to create and manage passwords right from your computer without help from an Internet browser.  The free plan is good for the first 50 passwords and includes 2 Factor Authentication, but if you have more than 50 accounts to remember, you’ll want the $60/yr premium plan.
• 1Password.  1Password works with your mobile devices and has a version to install on your Mac or Windows desktop.  The app shares the most popular features of LastPass and Dashlane (including 2 Factor Authentication), so you can be sure that the system will work for your password storage needs.  The interface is clean and easy to navigate, but they currently offer no free version.  Pricing for individual accounts comes in at $36/yr.

4.  Enable Two Factor Authentication (2FA) On Everything

When you log in to a website, you typically provide only two pieces of information:

1. Username (who you are)
2. Password (a shared secret)

The problem with this is that it is relatively easy to get someone’s username or e-mail address and, because of how frequently passwords are shared between sites or bad passwords are used, it is also pretty easy to figure out the right password combination using phishing attacks.  Phishing attacks occur when a hacker attempts to compromise a user account by getting them to click on links or use sign in pages that capture their user information and transmit it back to the hacker.    According to the 2017 Verizon Data Breach Investigations Report, users open 30% of phishing messages and 12% of them will click on the dangerous link or attachment in the message.  To take your account security to the next level, you should consider enabling Two Factor Authentication (2FA) wherever you can.

What Is 2FA?

2FA is a secondary piece of information that must be provided to complete the authentication (sign in) process.  If a hacker knows your username and password, but does not have that 2nd factor to complete the authentication, they are unable to sign into your account.  2FA protects your accounts from hackers and ensures you, and only you, can access them.  Components of 2FA include:

• Something You Know:  like a PIN number or answers to out of wallet questions
• Something You Have: like an RSA token, your smartphone, or a smart card
• Something You Are:  like your voice or fingerprint

For social media sites like Facebook or Twitter, 2FA can be available in multiple variations, but fall primarily into the category of “something you have.”  Some of the most common options:

• A code that is sent to your mobile phone via SMS
• A software token you copy from an authenticator app like Google Authenticator or LastPass Authenticator (among many others)
• A Push notification through the official app on your smartphone
• Hardware tokens like the YubiKey, which plugs directly into your PC or communicates with your smartphone via Bluetooth or NFC

How Do I Enable 2FA?

There are hundreds of sites that support 2FA and more are adopting it each day.  If you want to increase the security of your online accounts, you should enable 2FA wherever you can.  TurnOn2FA.com has created step-by-step instructions for how to do this on many sites.  Here are links to some major social media platforms you can explore now:

• Facebook
• Instagram
• LinkedIn
• Twitter

Securing the Internet might be complicated, but securing your accounts doesn’t have to be.  You can protect yourself and the people you care about by creating unique and strong passwords, by leveraging the tools and technologies available today to manage those passwords, and making it harder for hackers to get in by turning on 2FA.  

If you have questions or if you have thoughts on these suggestions, drop a comment below!