When it comes to financial accounts or accounts containing any sensitive information, security experts agree that you should avoid basing your passwords on personal data. But for many of us, that’s hard to do—passwords inspired by your personal life are just easier to remember.
Unfortunately, in an age where many people don’t think twice about over-sharing on social media, such passwords can be easy for hackers to crack. And while many websites now present security questions as an extra hurdle for hackers, too often the answers to those questions are readily available on social media profile as well.
“The more you post online that is real, the more people can discover about you,” said Whitney Hewatt, a lead security engineer at FINRA.
Here are seven ways hackers may learn information through social media that can help them access your accounts:
It may sound obvious, but it’s worth emphasizing—the updates that you post to your various social media accounts can give hackers valuable clues to what’s on your mind. If you constantly share stories about your children or your pets, for instance, hackers may consider using their names in their attempts to guess your password and security question answers.
On Facebook, in particular, users can indicate preferences for musician, movies, TV shows, books and more. If you use your favorite musician’s name in your passwords or security questions, for example, a hacker who’s seen your selection of “music” likes may have found his or her “in” into your accounts
Both Facebook and LinkedIn allow users to list their history of employment and schooling. But what might be good for your career isn’t great for your account security, at least not if your passwords are based on your professional and academic background. When attempting to guess your password, a determined hacker might try every single company you’ve worked for or school you’ve attended. Or, if a hacker already has your password, they may be able to answer the security question, “What was your high school mascot?” after a quick Google search, securing their way into your account.
Perhaps you don’t post about your pet chihuahua on Facebook, but you do belong to a Facebook group for chihuahua lovers. Or maybe you don’t mention your volunteer work doing math tutoring for children, but you do belong to a LinkedIn group for math tutors. Seeing that you belong to those groups can provide hackers yet more hints as to the contents of your passwords.
It’s not uncommon for women to list their maiden names in their social media profiles—it helps them reconnect with old high school pals who may not know their married names. So what’s the problem? “What’s your mother’s maiden name?” is often used as a security question. If hackers might figure out who your mother is—which is easy if, for instance, you’ve identified her in the “Family Members” section of your Facebook profile—they’ve got the answer to the maiden name question in the bag.
For eagle-eyed hackers, the right picture doesn’t need to say a thousand words—sometimes just one is enough. Before you post a photo or video to social media, check to make sure that it doesn’t include sensitive information such as, perhaps, a paper listing actual passwords. It’s a royally big mistake that none other than the United Kingdom’s Prince William can attest to.
In 2012, the prince’s official website released photos of him at work at the Royal Air Force. The backgrounds of those photos included computer screens featuring sensitive information and, as noted by the computer security site Naked Security, a paper posted on a wall clearly listing a user name and password.
And Prince William isn’t alone. In 2014, a CBS News report on the Super Bowl’s security command center, described as a “secret, first-of-its-kind command center,” accidentally broadcast the login credentials for the command center’s Wi-Fi to a national audience.
Even if you eschew traditional passwords in favor of biometric authentication you might still be providing hackers with ways to crack your accounts through your social media posts, particularly photos and videos.
Although perhaps unlikely, having biometric data hacked isn’t as far-fetched as it used to be, “given how we now have extremely high resolution cameras and videos,” said Hewatt. “It could be possible to obtain someone’s biometrics from a photo.”
You might assume that because you keep your social media accounts private, you don’t have to worry about hackers gleaning valuable personal information from your profile, posts and photos. Think again.
The fact is that the information you post on social media “is not fully under your control,” Hewatt said. “The rules can change without your input.” And when social media platforms change how visible they make your information, it’s up to you to update your settings so that certain data doesn’t suddenly become public.
Forget to do that and you might find that things you thought were private are actually out in the open—a veritable feast of intel for hackers.
So what’s a social media-loving account holder to do? You may not like the answer—it’s time to stop basing your passwords on personal information. Learn more about how to create strong passwords here.
For those concerned about remembering passwords, this may be less painful than it sounds. Password managers are always an option, Hewatt said. Password managers are sites and apps that securely store your various passwords for you, meaning that you’ll only have to remember one password: the one required to log in to a password manager.