Yeah, I changed my password last … never
We’re talking the talk, but not walking the walk when it comes to changing our passwords every now and then to lessen our chances of being hacked. A recent survey finds that one-third of social networking users have never changed their passwords for their accounts, and another 15 percent say it’s been more than a year since they’ve done so.
The findings reveal a “startling disconnect between user concerns about privacy and security and their actions on social networking sites,” said Randy Abrams, director of technical education for ESET’s Cyber Threat Analysis Center.
ESET, a security software provider, commissioned Harris Interactive to do the poll among 2,027 adults ages 18 and older from May 31 through June 2; about two-thirds of those surveyed say they have social networking accounts like Facebook or Twitter.
The survey also found that one in 10 online Americans with such accounts has reported that “an unknown party gained unauthorized access to their social networking account to spread malicious links and comments.”
That’s “particularly alarming since unauthorized access can threaten account owner’s cybersecurity as well as that of their contacts — we’ve seen countless examples, including recent scams around the death of Osama Bin Laden,” Abrams said on ESET’s blog.
Another contradiction: Slightly more than two-thirds said they are concerned about privacy issues, “yet 55 percent of the account owners update their privacy settings less often than once every six months, if ever.”
Abrams calls that “problematic,” especially with Facebook making it “extremely difficult to know when you need to change settings because they virtually never advise users when they are making changes that may affect user privacy.” (Interestingly, another software security company, ZoneAlarm, on Tuesday gave Facebook props for its privacy protections.)
Still, we get what ZoneAlarm is saying: it’s up to us as users to do things like change our passwords, and to do it often.
Abrams says he’s “unaware of a scientific formula for the optimal period for password changes.” But, for a site like Facebook, changing your password every three to six months would be a start.
“Events like breaking up with a vindictive partner, finding that your computer or smartphone has been compromised, etc. would tend to mandate a password change sooner rather than later.”
And if you use the same password for all your online accounts, including social networking, email and other sites, you could be asking for big-time trouble; you might as well change that password “every 5 minutes,” Abrams says. And he means it (and recommends that users read ESET researcher Paul Laudanski’s blog post, “No chocolates for my passwords please!”).
“When you use the same password everywhere it only takes one Sony-style mistake to compromise all of your accounts,” Abrams says. “Remember, your passwords are on the Internet, and they are not entirely under your control. Is your password a word in any language? A number such as 12345? If so, then perhaps an interval of once every 10 minutes is appropriate. To put it simply, you can’t change your password often enough if you are using a poor password.”
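The two habits Abrams singles out, one password reused everywhere and passwords that are a dictionary word or a number, are easy to check for mechanically. The script below is an added example, not code from ESET or from this article; the wordlist and the account list are constructed samples (a real check would use a cracking dictionary with millions of entries), and the report deliberately lists only site names, never the passwords themselves.

```python
"""Audit the password habits the article warns about: reuse across sites,
all-digit strings, and plain dictionary words (with or without a short tail).
Wordlist and account data below are constructed samples, not real data."""
from collections import defaultdict

# Constructed stand-in for a real cracking dictionary.
SAMPLE_WORDLIST = {"password", "sunshine", "welcome", "dragon", "monkey", "football"}


def classify_password(pw, wordlist=SAMPLE_WORDLIST):
    """Return the weakness labels that apply to one password (empty list = none found)."""
    issues = []
    if pw.isdigit():
        issues.append("all-digits")              # e.g. 12345
    low = pw.lower()
    if low in wordlist:
        issues.append("dictionary-word")         # a listed word in any letter case
    else:
        # 'Dragon1!' style: a dictionary word followed by a few digits or symbols
        stripped = low.rstrip("0123456789!@#$%.")
        if stripped != low and stripped in wordlist:
            issues.append("dictionary-word-with-suffix")
    return issues


def find_reuse(accounts):
    """accounts maps site -> password. Returns sorted groups of sites sharing one password."""
    by_password = defaultdict(list)
    for site, pw in accounts.items():
        by_password[pw].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def audit(accounts, wordlist=SAMPLE_WORDLIST):
    """Per-site report combining both checks; the output never echoes a password."""
    reuse_groups = find_reuse(accounts)
    report = {}
    for site, pw in accounts.items():
        issues = classify_password(pw, wordlist)
        for group in reuse_groups:
            if site in group:
                others = ",".join(s for s in group if s != site)
                issues.append("reused-on:" + others)
        report[site] = issues
    return report


# Constructed sample: one password shared by three sites, a numeric one, and a decent one.
SAMPLE_ACCOUNTS = {
    "facebook": "Dragon1!",
    "twitter": "Dragon1!",
    "email": "Dragon1!",
    "bank": "12345",
    "forum": "correct-horse-battery-staple",
}

if __name__ == "__main__":
    for site, issues in audit(SAMPLE_ACCOUNTS).items():
        print(f"{site:10s} {', '.join(issues) or 'no issues flagged'}")
```

Run as-is, the report flags the three sites sharing `Dragon1!` both for reuse and for being a dictionary word with a suffix, flags the bank password as all digits, and leaves the passphrase unflagged. Reuse is the finding to act on first: as the quote above says, one breach at any of the three sites exposes the other two.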