Recent Study Finds Social Media Passwords Just Don't Get Changed

Social media can be a great way to connect to people. It can also be a great way for us to become connected to the cybercriminal world. Consider all of the information that we display in what is a public forum when we complete profiles on Facebook, LinkedIn, or Twitter. We post status on our days, how our kids are doing, where we are going or did go on Vacation and on LinkedIn and other business networking sites, we display where we work and often our roles and responsibilities. It’s easy to see who our colleagues are as well. This is how the cybercriminals take advantage of us.

Phishing and spear-phishing are rampant and it doesn’t take a rocket scientist to perpetrate a phishing scam. In fact, various scams come wrapped up for sale in neat little packages these days. They can attempt to get online account credentials using forms that pop up on a screen or download malware to your computer in the background just because you clicked a clever link on Facebook. They can also spear-phish for W2 information or convince someone to wire frauds to a criminal’s bank account.

Always be aware that these scams and attacks are taking place all the time. If someone gets a password from a social media account, significant damage can be done. You’ve likely seen warnings from friends that their accounts were “hacked” and whatever that last embarrassing post was, it really wasn’t from them. But that is the least of the trouble that can ensue. Consider what can happen if someone takes over your social media site and sends a malicious link to everyone connected to you? Not only will it annoy your friends and colleagues, but it’s also a very efficient way for ransomware, for example, to affect a lot of people.

In February, the company Thycotic conducted a survey at the RSA Security Conference in San Francisco. It found that 53% of users of social media sites had not changed passwords in over a year. Even more startling was that 20% had never changed them at all. On top of that 25% change their work passwords only when they are reminded or required to do so. In 2016, over 3 billion sets of user credentials and passwords were stolen. That calculates to around 95 every single second.

Changing passwords should be part of everyone’s regular routine, like changing batteries in the smoke detectors; only more often. Doing this will prevent them from being reused later in case of a release of old data, for example. Yahoo announced a couple of different breaches last year. Data was posted publicly on the company’s users that was from a few years earlier. A similar incident happened with Last.fm, MySpace, and Tumblr. If your password is changed often, then you won’t be caught out by situations like that.

In addition, always make sure you don’t include personal details in your passwords and that each one is unique to a corresponding online account. Password reuse really does happen and is being blamed more often these days. It was blamed for the UK National Lottery breach last year as well as incidents with the music streaming service, Spotify and the income tax company, TaxAct.

Unfortunately, the security industry isn’t necessarily practicing what it preaches. The same Thycotic Survey found that approximately 30% in that field are still using birthdates, pets and kids’ names, and addresses for their work passwords.

© Copyright 2017 Stickley on Security