The first thing I saw when I woke up this morning was that someone had hacked into my Twitter. Yikes! Fortunately I was only a few minutes behind them. Thank you, Twitter, for sending an email that allowed me to immediately change my password. You get an A+ for security. All good in the hood.
But it reminded me that all of us are in danger from a less obvious source. Our accounts aren’t safe! Not because of strangers, but because of people we used to work with.
I consult with companies who grant me access to email, analytics, advertising, website, and every other kind of account. And they forget to remove me when we stop working together. I get a steady stream of updates on what’s happening:
- I see when your Facebook ads are being approved, and when you’re boosting posts.
- I see when you log into WordPress.
- I see your ticket sales on Eventbrite.
- I can still log into your Google Analytics.
This is unintentional. We don’t realize we’re going to stop working together, but it just kind of happens. And then I’m still on the accounts. Many of these services automatically notify me when one of the other admins takes an action.
Here’s how to check your user list in MailChimp
I recommend that you take a minute right now to log into your favorite Web services and check the user list. Deactivate anyone you’re no longer working with.
Then change your own password for each site.
The problem isn’t just that people can see what you’re doing—and may be costing you money if you’re still paying for their accounts—it’s that they may actually be creating a security risk due to unsafe passwords.
It’s also a big problem if people use the same password for every website. For example, the person who hacked my Twitter account could also get into the associated email account if the passwords were the same (they weren’t). LastPass automatically creates a different password for each website, which is another reason Yakov likes it.
Then he gave me a quick lesson on password security. The short story is that hackers use something called “rainbow tables” to figure out passwords, and the longer the password the more secure it is.
Here are password best practices for you and your colleagues:
- Use passwords that are at least 16 characters long and include letters, numbers, and one or more special symbols (like “_” or “@” or “!”).
- Use a different password for each website.
- Don’t give colleagues your personal password for any websites.
- Use LastPass or something similar, and ask all of your colleagues to do the same.
- Change your passwords regularly and/or every time someone leaves your company.
Featured download: Grab my Security Checklist for a list of places to check for unauthorized users on all of your accounts. BONUS: I’ve linked to instructions on how to manage users (click here to download).
Please, please, please take a few minutes to log into your favorite Web services and deactivate anyone you’re no longer working with.
Written by Mike Lingle — Read more practical suggestions for startups at mikelingle.com.