What’s this weird post on my social feed? Did my Facebook get hacked? Those were my first thoughts when I noticed something odd on my social media account. Does changing your password stop hackers?
Changing your password will prevent hackers from accessing your account. Updating your Facebook or any online account password at the first sign of an attack limits damage. Changing your password regularly also improves security.
Remember that passwords are only a portion of the security puzzle. There are some other crucial steps to take.
Password Hackers Explained
So, how did this hacker get my password in the first place?
The easiest ways for hackers to learn your password are data breaches, credential reuse, and social engineering. Attackers find holes in a company’s IT security and then steal account data. Users often reuse usernames and passwords across sites, which gives attackers access to those other accounts. Hackers can also use social engineering, including psychological or technical tricks, to get your information.
Other methods, such as brute force, prey on weak passwords that users create themselves. Many hacker tools allow an attacker to guess many password combinations quickly. This method takes longer but can exploit poor password practices.
Then, what can hackers do with your password?
They will change your password to one they control. The next step is to attempt to update your email address and other information, blocking your access. Once the account is fully under their control, your username and password may help the hacker break into your accounts on unrelated websites. They may also attempt to use your account for financial gain, to damage your reputation, or to gain control of other users’ accounts.
These outcomes can be scary stuff. Follow these tips to secure your online accounts, including social media services like Facebook, Twitter, and the like.
Tip 1: Update Your Password With One From Your Password Manager
Most users rely on creativity to come up with a new password they can remember later. This is the wrong approach. Passwords need to be long, unique and never reused.
A password manager usually includes a random password generator. Use a generator instead of your creativity for new passwords.
Store your newly generated password in the manager first, then update it on the target service.
Another sneaky tip is to…
Tip 2: Change Your Username Too
If your username is not your email address, as on Twitter and Instagram, do not change this short username. Most sites also permit logging in with an email address or even a phone number.
But if the username is not essential, as on Facebook, then updating your username to something random tightens your security.
If the username is your email address, we can still boost username security by adding a small change that doesn’t affect the function of the email address. Let me explain.
Adding a plus sign and additional letters in the first part of your email address will not break message delivery. Many email providers will ignore a plus sign (+) and any following characters up to the at sign (@).
Look at the Gmail example below. Notice the current email address and compare it to the new email address.
|Current Email Address||New Email Address|
Gmail and many other email providers will ignore the addition of
Use any combination of characters between the “plus” and “at” symbols. I like to add the name of the service, allowing you to pinpoint where a leaked email address originates.
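The tagging scheme above, as an added example that is not part of the original article: it builds a per-service alias and, given a list of leaked addresses, reports which service tag each of your addresses carries. The address `jane@example.com`, the leaked list, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: addresses as they might appear in a leaked list.
LEAKED_SAMPLE = [
    "jane+forum@example.com",
    "Jane+Forum@Example.com",
    "jane+shop@example.com",
    "someone.else@example.org",
    "not-an-address",
]


def make_alias(address, service):
    """Insert +<service> before the @, e.g. jane@... -> jane+twitter@..."""
    local, at, domain = address.rpartition("@")
    if not (at and local and domain):
        raise ValueError(f"not an email address: {address!r}")
    if "+" in local:
        raise ValueError("address already carries a plus tag")
    # Keep the tag to lowercase letters, digits and hyphens (a conservative
    # choice made here; some sign-up forms reject other characters).
    tag = re.sub(r"[^a-z0-9]+", "-", service.lower()).strip("-")
    if not tag:
        raise ValueError("service name produces an empty tag")
    return f"{local}+{tag}@{domain}"


def split_alias(address):
    """Return (base_address, tag); tag is None when there is no plus tag."""
    # Lowercasing assumes the provider treats addresses case-insensitively.
    local, at, domain = address.strip().lower().rpartition("@")
    if not (at and local and domain):
        raise ValueError(f"not an email address: {address!r}")
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}", (tag if plus else None)


def trace_leak(leaked, my_address):
    """Count which service tags of my_address show up in a leaked list."""
    mine, _ = split_alias(my_address)
    hits = Counter()
    for entry in leaked:
        try:
            base, tag = split_alias(entry)
        except ValueError:
            continue  # skip lines that are not addresses
        if base == mine:
            hits[tag or "(untagged)"] += 1
    return dict(hits)
```

A tag is easy for anyone to strip from the address, so treat it as a tracing aid rather than as a secret.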
Be sure to test the new email address containing the plus sign before you update your account by sending a message from another email provider.
You can also ask a friend to help you test. Here’s a sample email or text message you can edit and send requesting your friend’s help. Copy and paste it.
Hey, I’m trying out a new email address. Could you send me a test email at _____? Thanks.
…or click this link to launch a pre-made email. Of course, update your friend’s email address in the “To” field and fill in your new email address in the blank _____ line.
After successfully receiving your friend’s test message, you can update your username in your website’s settings using the new email address.
Remember also to update your username in your password manager.
Next, add a reminder in your calendar to…
Tip 3: Update Passwords Regularly
You need to update your password regularly for your most important accounts like email, banking, and password manager.
Data breaches containing passwords are frequently months or years old. Changing your password every three months to one year for sensitive or secure accounts reduces the time that a password is relevant within a hacked data set.
For example, the commercial password manager, LastPass, has an automated password updater that makes the process easy. From their Security Challenge screen, you’ll find a section listing many services like Twitter that have an Auto-Change button.
For a free and open source (FOSS) alternative to LastPass, check out Bitwarden, which I’ve started using a bit more recently.
It’s also vital to…
Tip 4: Stop Reusing Passwords
Leaked usernames and password data might have come from one company. Still, hackers know that users are lazy and that credentials are likely reused on unrelated sites.
The ‘S’ in my SIMPLE password checklist says to Stop Reusing Passwords. Did you follow that advice?
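One way to check a vault against the “long, unique and never reused” rule, as an added example that is not from the original article: it scans a password manager export for passwords shared between sites and for short ones. The CSV column names, the sample rows and the 16-character threshold are assumptions; real exports differ between managers.

```python
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 16  # assumed threshold for "long"; the article gives no number

# Constructed sample export; column names are an assumption.
SAMPLE_EXPORT = """name,username,password
Facebook,jane+facebook@example.com,Summer2019!
Twitter,jane_r,Summer2019!
Bank,jane+bank@example.com,kV7#pQ2m-Zr9xT4wLb8n
Forum,jane+forum@example.com,Summer2019!
Email,jane@example.com,hunter2
"""


def audit(export_text, min_length=MIN_LENGTH):
    """Return (reused, short).

    reused: list of site-name lists, one per password used on 2+ sites.
    short:  site names whose password is shorter than min_length.
    """
    by_digest = defaultdict(list)
    short = []
    for row in csv.DictReader(io.StringIO(export_text)):
        password = row["password"]
        # Group on a digest so the plaintext is never used as a key or shown.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(row["name"])
        if len(password) < min_length:
            short.append(row["name"])
    reused = [sites for sites in by_digest.values() if len(sites) > 1]
    return reused, short


if __name__ == "__main__":
    reused, short = audit(SAMPLE_EXPORT)
    for sites in reused:
        print("same password on:", ", ".join(sites))
    print("shorter than", MIN_LENGTH, "characters:", ", ".join(short))
```

An export file holds every password in plaintext, so delete it as soon as the check is done.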
But the hands-down best way to protect your accounts is to…
Tip 5: Turn On Two-Factor/Two-Step Authentication
The two most commonly used forms of two-factor authentication are the less-secure SMS/text message approach and the safer option, an authenticator app on your smartphone.
Other forms of multi-factor authentication include physical keys like a USB dongle and biometrics, most commonly a fingerprint reader and facial recognition.
Yes, changing your password can stop hackers from gaining access to your accounts. But, the password is only a piece of the broader security puzzle.
The weakest point in account security is the human using it. Poor security practices and under-educated users are the primary cause of most hacks. Don’t be a weak link.