Last week Facebook reported an important data breach that resulted in between 50 and 90 million accounts potentially compromised. This is more serious than the Cambridge Analytica issue reported earlier this year, because unlike that infamous case, this last breach provided attackers with access tokens for these accounts.
“The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login,” said Guy Rosen, Facebook’s Vice President of product. Imagine the following scenario then: someone shares on Facebook their favorite vacation spot from Airbnb, and the hackers use the stolen token to access his Airbnb account and get information about the rental properties that this user owns. Any site that relies on Facebook’s Single Sign-On, like Airbnb or Spotify to name a few, is affected by the data breach.
Even though it’s unclear if any of these accounts or access tokens were actually misused in any way (Facebook is still investigating), many security experts recommended affected users to reset their passwords as an added precaution measure. I was one of the affected users, and when I found myself struggling to define my new Facebook password (the 3rd one I’m forced to use in 2018), I knew it was time to stop using Facebook’s login and start using a password manager.
For years, I’ve avoided using a password manager by setting up complex rules that helped me “generate” my own passwords in a way that I could easily remember them. But with so many recent security breaches around the tech I use, I’ve become increasingly tired of trying to keep this mental system fresh and secure. So after last week’s incident, I decided to finally migrate. My rationale is that as long as I trust the new recipient of my passwords, and their delivery mechanism is convenient for an everyday use, I can use the craziest passwords without having to remember them, and I can also change them as often as I want.
The obvious next step was to decide whom to trust with all my passwords. There are many third-party options out there that make it easy to share passwords between different ecosystems (for those who use a MacBook and an Android phone, for example), but all of them require some sort of payment to unlock their full potential. I use iOS and Mac OS X across all my devices, so I was really happy when iOS 12 introduced autofill support for password managers. Here’s a great analysis of the best third-party options available, compiled by PCMag:
The Best Password Managers of 2018, by PCMag
Some options like 1Password have extra benefits like telling you when is the last time you changed a password, or like alerting you when a vulnerability is detected on a specific site, so that you can update your password right away. Regardless, the seamless integration of Apple’s iCloud Keychain with their entire ecosystem made me settle for that free solution. Apple’s security meets my expectations by encrypting the data with a key that is unique to each device that you approve; passwords cannot be read either in transit or once stored remotely on iCloud.
Getting started with iCloud Keychain was really simple since I had already set up two-factor authentication and I didn’t need to re-approve my devices. Updating passwords from my old system to Apple’s strong passwords was a slow and tedious process, and I must admit that it felt weird setting up all my accounts with passwords that I will not be able to remember in a million years. I also had some syncing issues between several iOS devices, but the fix was as simple as logging out my iCloud account and logging back in to restore the latest version on my Keychain. In the end, the benefits exceed my small annoyances.
As people store more and more sensitive data online, the impact of a security breach grows. Passwords are an important layer of protection for accessing online banking, email and social media, so it’s critical to follow best practices around online security: use strong passwords as the first layer of defense, but don’t stop there, never repeat passwords between different services (especially banks and emails) and enable two-factor authentication everywhere you can.
Did you like this article? Subscribe to get new posts by email.
View all posts by Ivan Rodriguez
Originally published at geekonrecord.com on October 1, 2018.