Over at BuzzFeed, John Herman wrote that Twitter Warns Journalists: “We Believe That These Attacks Will Continue” and he provides the text of Twitter’s detailed advice to news and media organizations to secure their Twitter accounts.
News Flash: Every company with a web presence is now a news and media organization.
As public companies increase their use of social media to disseminate important information to investors, based on recent SEC guidance, their social media accounts create attractive targets for hackers who might seek to manipulate those companies’ stock prices.
Increasing Your Social Media Account Security
UPDATE: Twitter enabled 2FA on May 22, 2013. Under Settings in your account, scroll down to Account Security and check the box to “Require a verification code when I sign in.” After you sign in on your computer, Twitter is supposed to send a 6-digit numeric code to your phone that you must enter into a Login Verification page to access your account. I tried it twice, but never received the code to my phone. With 2FA activated, you will need to generate a temporary password to sign in to your Twitter account on other devices and apps. Click here to learn more.
It’s unfortunate that Twitter requires subscribers to use their handles as their username (e.g., @jfbrashear in my case). The handle is public, so a hacker has to guess only the password. It is also unfortunate that most websites require subscribers to use email addresses as usernames.* That practice discourages subscribers from using different usernames to log onto different web accounts.
One vector that hackers use to learn a web account password is to enter a published email address into a password reset webpage, like this one for Yahoo!, that allows for responses to security questions. If your stored answer to the security question is one that is accessible online (e.g., the name of your high school) or one that is easily guessed, the hacker gains access to your email account. If you used that same email account for other web accounts, the hacker can have those accounts send password reminders or resets to your now compromised email account. That way, the hacker gets access to multiple accounts.
One trick you might use is to make up a fake response to the security question – but one that you’ll easily remember. Another trick is to use unique usernames (disposable Yahoo! email addresses) for your different web accounts. That way, a hacker would have to guess a distinct email address for each web account.
For some particularly sensitive accounts that allow a non-email username, I will generate a long, random-character username. I suspect that’s too much trouble for most folks, who simply use their main email address as their username across multiple sites. If they also use the same password in multiple places, then a hacker hits the jackpot by guessing one password.
I use minimum 12 character passwords for my web accounts and they are rarely the same on any two websites. They’re a mix of numbers, letters and characters, with no dictionary words. I use long, randomly generated passwords for the most sensitive accounts (e.g., financial services). Some websites’ password rules specify shorter passwords, won’t allow special characters, etc. So, it’s not practical to use the same long, random password everywhere.
Password Management Utilities
The problem, obviously, is remembering all the different user names and passwords for input on all the devices from which you access online accounts (work PC, smartphone, tablet, home PC). The BuzzFeed post mentioned two password managers, but I personally use and prefer Roboform Everywhere with a strong master password. These utilities also can generate passwords and fill in online forms with your name, addess, etc.
None of the password managers automate periodically changing the password. Until they do, my opinion is that if I use a strong password, there is little to be gained from changing it to another equally-strong password.
Social Media Engineering
Finally, it doesn’t matter how strong your password is if you are fooled by a phishing email into entering it onto a spoofed webpage. That’s apparently what happened at AP that led to its Twitter account hack, according to Jim Romenesko.
Learn to recognize phishing emails. This online test was suggested by our IT security folks.
Be suspicious: if you get an email asking you to click a link in order to log into a web account, close the email, open your browser and log into the account directly. That’s another benefit of a password management tool. They won’t fill in your password on a website they don’t recognize from a prior visit.
* A separate topic is the loss of privacy of using the same identifying information – your email address – across multiple websites.