Forget Your Password

Yesterday, I received an email from Instagram asking me if I had requested a password reset. I knew immediately what was happening and, thankfully, I had actually prepared for it earlier this year. Someone was trying to hijack my account.

I have around 8,000 followers on my commercial photography Instagram account. It’s a following I spent years cultivating and growing. It’s not massive, but it’s also not nothing. I don’t use Instagram as much as I used to, or probably as much as I should. It had become so laborious and just monopolized a lot of my time, but it is still an important asset for my business.

I know and have read about a number of photographers and people with high follower accounts who have had their Instagram accounts hijacked. The common issue among most of those accounts is that they used relatively simple passwords and the result was always the same — none of them got their accounts back.

If you use a common password on many sites, stop. Stop doing that. Right now. Forget Instagram for a moment. All it takes is one security breach, one hack, at one company, one website, to jeopardize all of your accounts, your financial stability, and even the security of your identity.

Up until last year — LAST YEAR — I was using a super-strong universal password. I had checked it out on a password security checker website that told me it would take something like 15 quadrillion years to crack with today’s computers. Awesome. No one would guess my password. It was easy to remember. I definitely felt safe.

And then, Capital One got hacked. Along with 106 million others, my password was exposed. A password that I used on more than 200 websites. Now, nobody ever needed to guess it. They could just find it and start trying to access my accounts on other websites, which is exactly what started to happen. Luckily, the second I found out about the hack, I went to work securing all of my accounts.

So, for the sake of today’s episode, let’s assume a hack just occurred and your password, no matter how secure or insecure, is out there in the wild west of the web. Here’s what you need to do to protect yourself.

Using a Password Manager

Download a password manager, such as LastPass. I like LastPass because it’s one of the most robust password managers out there. It works on almost every device, has extensions for every browser, native apps for Windows and macOS, generates strong passwords with options for different levels of readability and up to 99 characters, and LastPass even monitors the dark web for data breaches. LastPass is free, though I strongly recommend upgrading to a premium plan.

Most browsers nowadays have password generators and managers built-in, and if you’re using those, that’s great. But a password manager like LastPass works outside of just browsers and websites and securely syncs across your devices.

After downloading and installing LastPass, I checked Chrome’s password manager for all the sites where I used that password and systematically started logging in and changing my passwords to super-strong, really long, unique passwords generated by LastPass for every single site. For the websites that allow it, I use 99-character passwords.

So, now, instead of having one hard-to-guess password that I use for 200+ websites, I have 200+ passwords that are each only used for one website. And I don’t know a single one of them. According to one secure password checker, my password for Facebook would take “4 QUADRILLION QUINQUAGINTILLION YEARS” to hack. To put that into perspective, the universe itself is only 13.8 billion years old. That’s only nine zeros.

Go download LastPass, install it and start changing all of your passwords immediately. Every single one of them.
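The clean-up described above (find every site that shares a password, then give each one its own long random replacement) can be sketched in a few lines. This is an added example, not part of the original post and not LastPass's or Chrome's code; the name,url,username,password column layout and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
import math
import secrets
import string
from collections import defaultdict

# Constructed sample in an assumed name,url,username,password export layout;
# every value here is made up for the example.
SAMPLE_EXPORT = """name,url,username,password
bank,https://bank.example/login,kpr,Tr0ub4dor&3-horse
photos,https://photos.example/,kpr,Tr0ub4dor&3-horse
forum,https://forum.example/,kevin,Tr0ub4dor&3-horse
mail,https://mail.example/,kpr,kT9#vLq2!xZp8@Wm
"""

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def find_reused(export_text):
    """Map each password used on more than one site to the sites sharing it."""
    sites = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        sites[row["password"]].append(row["name"])
    return {pw: names for pw, names in sites.items() if len(names) > 1}


def new_password(length=99):
    """Draw each character from the OS CSPRNG, independently per site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def rotation_plan(export_text):
    """Give every site that shared a password its own fresh replacement."""
    plan = {}
    for names in find_reused(export_text).values():
        for name in names:
            plan[name] = new_password()
    return plan


if __name__ == "__main__":
    for site, pw in rotation_plan(SAMPLE_EXPORT).items():
        print(f"{site}: rotate -> {pw[:6]}... ({entropy_bits(len(pw)):.0f} bits)")
```

A plaintext export is itself sensitive: delete it as soon as the audit is done.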

2FA (or 2-Step Verification)

The next thing you want to do is to enable two-factor authentication for every service you use that has it. That means Google. That means Facebook. Twitter. Square. PayPal. Squarespace. Zapier. Discord. Even your Epic Games and Ubisoft account.

This might be the only time I recommend putting a process into place that actually introduces more friction into your productivity. But. It. Is. Important! Two-factor authentication can be annoying. Yes, it can be frustrating when you’re trying to get something done and suddenly you have to stop, go get your phone, open an authenticator app and look for the verification number to login to a service. But I guarantee you it’s not as annoying as someone stealing the Instagram account you’ve spent seven years on, or say, identity theft.

The best two-factor authenticator app out there is Google Authenticator, for Android and for iOS. When I was researching this episode, it surprised me to find out that Apple doesn’t have an authenticator app but relies on trusted devices and trusted phone numbers, which is not at all secure if you lose your phone or someone steals your device. Texts are not secure, so should not be used as a primary verification method. Use an authenticator as your primary source of verification, set up a phone number as a back-up, and save your recovery and back-up codes securely as notes in LastPass.

Ideas for Custom Security Questions

Finally, many websites will ask you to answer security questions. If there is an option to create custom security questions, always take that option. The five qualities of a great custom security question are:

  • Safe: Cannot be guessed or researched.

  • Stable: Does not change over time.

  • Memorable: Can be remembered.

  • Simple: Is precise, easy, and consistent.

  • Many: Has many possible answers.

I’ve put together a few examples for you:

  • What city were you in on 9/11?

  • What was your childhood nickname?

  • What is the full name of your childhood archnemesis?

  • What was the nickname of your stoner friend from college?

  • What was the first camera you owned?

  • Where were you when you had your first kiss?

  • Who did you lose your virginity to?

  • Who is at the top of your celebrity hall pass list?

  • What is your favourite verse from your favourite religious text?

Kevin Patrick Robbins

Kevin Patrick Robbins is a professional photographer in Hamilton and Toronto, Ontario, Canada. You can find his commercial photography at iamkpr.com and his consumer and corporate photography work at kevinpatrickrobbins.com.
