Mark Zuckerberg’s password was ‘dadada’. What hope do the rest of us have?

Mark Zuckerberg appeared to use the same password for LinkedIn, Pinterest and Twitter. Credit: AP

When Mark Zuckerberg first built Facebook in his Harvard dormitory, he joked about the disregard that the social network's early users apparently had for their security.

“I have over 4,000 emails, pictures, addresses… people just submitted it. I don’t know why. They ‘trust’ me. Dumb f***s,” he told a friend.

As it turns out, Zuck’s own security credentials don’t live up to the mark: On Sunday night, both his Twitter and Pinterest accounts were broken into.

The hackers that accessed his account – a group called OurMine – did not reveal or tweet anything damaging; they simply posted messages revealing that the account had been accessed.

The consequences could have been a lot worse, of course. Private messages or personal account information could have been accessed, especially if Zuckerberg was a little more active on the rival social networks than he is (his last tweet was in 2012 and he has pinned a grand total of four items).

But it’s not just this that should worry us. It’s the brutal simplicity with which the boss of the world’s biggest social network had his accounts compromised.

It was this simple: In 2012, hackers stole 117 million password and email combinations from LinkedIn. A few weeks ago, the cache was put up for sale on the dark web for around £1,500. Located in that list, reportedly, was Mr Zuckerberg.

His password, unbelievably, was “dadada”, itself a security nightmare: it would take under 25 seconds for a brute-force attack to crack it, according to one password checker. No capital letters, numbers or any other device. In security rankings, it sits not too far above “abcdef” and “p4ssw0rd”.

Not only that, Zuck had the same password for Pinterest and Twitter as he did for LinkedIn. Once hackers had his LinkedIn password, it didn’t really matter how complex it was: it’s just as easy to copy and paste a 26-character string of gibberish as “dadada”.

Presumably, security on Zuckerberg's accounts for the properties he owns – Facebook and Instagram – is a little less leaky. “No Facebook systems or accounts were accessed. The affected accounts have been re-secured,” a spokesman said.

But still, Zuckerberg was following very bad practice. Of course he’s not the only one – Katy Perry, Keith Richards, Kylie Jenner and more all seem to have been compromised following the LinkedIn password frenzy (although it is unclear how many are related) – but you’d expect the face of Silicon Valley to be a little more savvy.

The thing is, he’s not alone. Nobody that I’ve spoken to since the LinkedIn hack emerged, even those that are almost certainly affected, has bothered to change their password, and most of them use the same one for everything.

The rules we’re supposed to follow are just too damn onerous: our dozens of online accounts are each supposed to have a different impossible-to-remember combination of letters and numbers.

The safest solution at the moment is using a combination of an online password manager and two-factor authentication, but this makes signing in to anything clunky and time-consuming.

Luckily, passwords are starting to die. Google is experimenting with getting rid of them, fingerprint technology is in every iPhone, and Mastercard is replacing passwords with selfies.

So-called biometric security, in which unique personal data is used to verify identity, will pose its own risks, but at least it should put an end to “dadada”.
