In the last few days, there have been some newsworthy examples of Famous People having their social media accounts hacked. The Twitter account for actor Jack Black’s band Tenacious D was taken over and posted fake reports that Black had died (not true). The Twitter account for model and reality TV star Kylie Jenner was similarly taken over and posted a number of rude or racist tweets. And Facebook founder Mark Zuckerberg, who is in the business of knowing better, had his Twitter and Instagram accounts hacked.

At least some of these hacks, including Zuckerberg's, appear to have used account data stolen from the LinkedIn professional networking site back in 2012 and only released publicly in the last few weeks. So we know, for example:

  • Mark Zuckerberg's password on LinkedIn in 2012 was "dadada".
  • His LinkedIn, Twitter, and Instagram passwords are (or were) all the same.
  • Those passwords hadn't been changed in four years.
  • He hadn't enabled the basic protection (login verification, described below) that stops a stranger who knows your password from getting in.

Don’t be that guy. Take a few minutes to be safer online.

1. The Basics

Get new passwords. If you can’t remember the last time you changed your Facebook, Twitter, or Instagram passwords (along with other social media sites you use), then it’s time to change them. Today.

Get separate passwords. Nagging posts like this usually tell you to use different passwords for every site. You know you aren't going to follow this rule to the letter. But please at least use different passwords for accounts that are highly valuable to you or to hackers: your WFU login, Facebook, Twitter, Instagram, and any online banking or finance sites you use. That is the whole lesson of the LinkedIn leak: a password that leaks from one site gets tried on every other site that matters.

Get good passwords. There is plenty of online advice about how to pick a good password. Just remember two things: dictionary words and common phrases are easy to crack, especially once a leaked password database lets attackers make billions of guesses offline, while long random passwords are strong but impossible to remember. One compromise is to use the initials of a phrase you'll always remember, so "Nobody expects the Spanish Inquisition! Our chief weapon is surprise!" becomes NetSIOcwis. The other is to use long random passwords and let your computer remember them for you. More on that below.

Hold on to your passwords. Never send a password by e-mail; no legitimate site will ever ask you to. If you follow a link to a login page, check the address bar before you type anything and make sure it is the site you expect (and that the address begins with https). In both Firefox and Chrome the domain name is shown in darker text than the rest of the address, which makes a look-alike address easier to spot.

2. The Basics Plus

Go beyond passwords. Many sites, including WFU logins, support multi-factor authentication (also called login verification or 2-step verification). It requires you to know your password and also to do something else that proves you are you, such as showing you have your mobile phone. A common version works like this: the first time you log in to an account from a computer you haven't used before, you enter your password, and then the site texts you a verification number; enter that number correctly and you're in. An alternative is to install a mobile app that continuously generates new authentication numbers from a secret the site shares with it when you set it up; rather than wait for a text, just use the number the app is currently showing. The app is the better choice where it's offered, since its codes never travel over the phone network and can't be intercepted or redirected the way a text message can. I currently use Google Authenticator to access Google, Facebook, and Dropbox accounts.

3. Pro Tips

Go all-in on random passwords. In a world where someone is using (and is still allowed to use) a password like "dadada", just think how much stronger your password will be if it's "x7juj3Ei2yO8XM!R6F4R". A password management program like KeePassX or LastPass can generate passwords like that and save them in an encrypted store for you. Then you can rely on either the password manager or your browser's own functionality to enter them on web forms automatically, which has a side benefit: the manager only fills a password into the site it was saved for, so it won't hand your Facebook password to a look-alike phishing page.
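To make the "dadada" versus "x7juj3Ei2yO8XM!R6F4R" comparison concrete, here is an added example (not from the original post, and not the code of KeePassX, LastPass or any other manager) that does what a password manager's generator does and puts rough numbers on the passwords discussed above, the initials-of-a-phrase one included. The character classes and symbol set are my own choices; the entropy figure is a naive upper bound that assumes every character was picked uniformly, so it flatters patterned passwords, which is exactly why the repeat check is there.

```python
import math
import secrets
import string

# Character classes a typical generator lets you mix. The symbol set is an
# assumption for this example; managers differ on which punctuation they use.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Draw every character from the OS cryptographic RNG via `secrets`.
    Never use random.choice() for this: Python's `random` is a Mersenne
    Twister whose future output can be predicted from past output.
    Re-draw until every class is present so a site's composition rule
    ("must contain a digit and a symbol") won't reject the result."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if classes_used(candidate) == set(CLASSES):
            return candidate


def classes_used(password: str) -> set:
    """Which of the classes above actually appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(ch in chars for ch in password)}


def entropy_bits(password: str) -> float:
    """Naive strength estimate: length * log2(size of the pool the
    characters were drawn from). An upper bound only: a cracker tries
    dictionary words and repeats long before it tries the whole pool."""
    pool = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def shortest_repeat(password: str) -> str:
    """The shortest unit whose repetition spells the password ('da' for
    'dadada'); the whole password when it is not a repetition. A password
    whose unit is much shorter than itself has far less entropy than
    entropy_bits() reports."""
    n = len(password)
    for k in range(1, n // 2 + 1):
        if n % k == 0 and password[:k] * (n // k) == password:
            return password[:k]
    return password


if __name__ == "__main__":
    for pw in ("dadada", "NetSIOcwis", "x7juj3Ei2yO8XM!R6F4R", generate_password()):
        print(f"{pw:24} {entropy_bits(pw):6.1f} bits  repeat unit: {shortest_repeat(pw)!r}")
```

Run it and "dadada" comes out near 28 bits even before the repeat check reveals it is really just "da" three times; the 20-character random password comes out near 129 bits. Each extra bit doubles the work for anyone guessing, so that gap is not "a bit stronger", it is the difference between a password a leaked database gives up in seconds and one that is never going to be guessed.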

Of course, that means you really, really need to remember the password to your password manager, since it now protects everything else; this is the one place a long, memorable passphrase earns its keep. I recommend a sealed envelope with nothing but the password (no information about what it's a password for) in a locked desk drawer, lock box, or safe.