In the last month, some high-profile individuals have been saying some pretty weird things online. Black Lives Matter activist Deray Mckesson endorsed Donald Trump on Twitter. Kylie Jenner announced on Twitter that she wanted an intimate part of Justin Bieber's anatomy. Katy Perry tweeted a desire to end her long-time feud with Taylor Swift. And Facebook CEO Mark Zuckerberg proudly tweeted that he'd been hacked.
The tweets were out of character because they came from hackers who had taken over their accounts. Thanks to the recent leaks of millions of LinkedIn and Twitter passwords, hackers have been wreaking havoc on the accounts of people with massive followings. In some cases, they're managing to break into celebs' other online accounts because they've reused the same password. Zuckerberg, who had his Twitter and Pinterest accounts hacked, was allegedly using the idiotically simple "dadada" as his password across multiple accounts. That's #DumbDumbDumb.
We've all been trained to live with the constant fear of the possibility of being hacked. Given how often hackers manage to raid companies' servers and get their hands on files of passwords, it's highly likely that at least one of your passwords is sitting on a hacker's computer. If the company had good security practices and if you've practiced good password hygiene, it's a long, complicated one that the hacker will be unlikely to decode. But if the company didn't have good security practices, meaning passwords weren't strongly hashed, or if the hackers got the passwords directly from users by putting malware on their computers, as reportedly happened with the Twitter passwords, then the hacker knows exactly what your password is.
That's not good! Especially if you have the terrible habit of using the same password across multiple accounts. (Learn a lesson from the Zuck! Don't do that! Use a password manager so that you can easily set up complex passwords for multiple sites.) But good news! There is something you can do that will go a long way towards protecting you even if a hacker does know exactly what your password is: two-factor authentication.
For sites that allow it, you can set up an enhanced security step so that, in order to log in, you need both a password AND a code that is usually sent to or accessed through your phone. It makes it much, much harder for an attacker to break into your accounts. Yes, it can be annoying if you are trying to sign in and can't find your phone, or if you're in another country and don't have cell service, but it means that you don't have to freak out as much the next time you see an "X SITE JUST GOT HACKED: 100 MILLION PASSWORDS BREACHED" story.
You can do this on Facebook, Gmail, Twitter, LinkedIn, many banks, and Amazon, among others. If a website you use doesn't have two-factor authentication on offer, it's essentially a statement that they don't care enough about your security.
Please, I beg you, turn this on to better protect yourself. It's such an increase in a user's level of security that in 2014, The Wall Street Journal's Christopher Mims actually gave out his password to the public because he felt comfortable with the fact that hackers wouldn't be able to get into his accounts due to his use of two-factor authentication.
It worked, though Mims did get a lot of annoying notifications on his phone as people tried to sign into his accounts. For the record, I don't advise just freely giving out your password.
If all those celebs who tweeted embarrassing things in the past week had been using two-factor, they wouldn't have found themselves having to scramble to get control of their accounts back and delete those old tweets. Learn from their mistakes and turn on two-factor authentication on every account you can.
Update: Yikes. Deray Mckesson was actually using two-factor authentication, but the very determined hacker who broke into his Twitter account called his cell phone provider, Verizon, and convinced the company to hand over control of his phone, which let the hacker intercept the SMS messages sent by Twitter.
In most cases, the hackers will not be that determined. But it does illustrate why it's better to have the second factor accessed through an app on your phone rather than sent to you by text message.