How to Protect Your Email Account from Hackers
by Bella Rum
Guess what? Not only was my snail mail box smashed this week, but my email was hacked, too. When I attempted to gain access to my Yahoo! email account on Tuesday night, I was confronted with this message from Yahoo!
We strongly believe your account may have been compromised.
By changing your password immediately, you will minimize the resulting risk for your Yahoo! account. We suggest you choose a password for your Yahoo! account that you are not currently using on this or any other site. You will be prompted every time you try to login to change your password until you have successfully changed it.
For help selecting a strong password and/or safeguarding it against misuse, please review the tips posted in the password section of the Yahoo! Security Center.
Someone had blown right through my password. I soon learned that I was one of the lucky ones. I could still get into my mailbox and change the password. That isn’t always the case. I thought I had a pretty good password. I’ve always made fun of H because his is way too simple and obvious, and look who gets hacked. Miss Smarty Pants. I’ve since learned that I made a few mistakes, and there are some easy changes I can make to improve my chances of preventing another incident.
It is not uncommon for people to have weak passwords for their email accounts. They aren’t as concerned about their email accounts as their bank account or their 401k or other financial sites, but hackers often don’t go after financial sites because they have stronger security. They try easier targets like your email.
Once inside, they can do all kinds of nefarious things – like locking you out by changing your password or changing your alternative email address (more on this). They can send spam to everyone in your address book and beyond, and they can do illegal things – all in your name. When your friends click on a link in the email, it can take them to a site that exposes them to the possible download of malware on their computer. Talk about the gift that keeps on giving.
Email providers are offering more storage space. It naturally follows that more personal information is being stored in email accounts. What do you have in those folders? Some people store passwords, bank account numbers, usernames, correspondence, etc.
More importantly, do you use the same password for more than one account? The biggest factor deciding whether your information stays secure or gets compromised is the password you choose. Learn how to make it a good one.
You’re thinking, I don’t receive or store anything sensitive in my email, but your email box may be connected to your online banking account, or you may receive correspondence from your bank or other financial institution. Once inside, the hacker can log into the bank’s site, claim to have forgotten the password and have it emailed to you/him. And remember, he can change your password so you can’t get into your mailbox.
Now you’re thinking, even if they get into your email account, how could they get past those “password resetting” questions? Those silly questions may be the weakest link of all. Hackers get a lot of help from social sites like Facebook and MySpace and from personal websites. Personal trivia isn’t quite so personal anymore. You might be surprised how much someone can learn about you on the Internet. How many of us have revealed personal details online? Our dog’s name or our son’s birthday or the college we attended or our hometown, etc. The secret to good security questions isn’t found in the question but rather the answer (more on that later).
In How I Stole Someone’s Identity, Herbert H. Thompson writes a chilling tale about how he conducted an experiment to see just how vulnerable people’s accounts are to mining the Web for information. Some people have posted their Résumés online, replete with professional and personal information. They offer information about a person’s state of residence, age, employment, education. Some websites are virtual fountains of personal details. Some people tell more about themselves on their websites than in real life. As I’m writing this, I realize I’ve given birthdays of family members on this site. Thankfully, I’ve never used any of those dates for passwords or pin numbers.
All of this tells us what? We should toss the computer out with the bathwater? Too late. The beautiful and ever interesting little monster has become a member of the family. The only sensible answer is to learn better ways to protect our information. Here are a few tips.
What do you do when your email account has been compromised?
1. Change the account password and make it an extremely difficult one.
2. Confirm that the “alternative email address” is your other email and not a stranger’s, so the hacker isn’t notified of the password and other changes you make.
3. Change the answers to security questions.
4. Change any other information that your email account administrator would use to verify the account.
5. If all these efforts fail, open a new account, notify the email administrator and your contacts, and close down the old account, if you can.
Choosing a Secure Password You Can Remember
There are a number of methods for creating a memorable and secure password. Here are a few suggestions.
1. Make sure your password is at least 8 characters long (Microsoft suggests 14).
2. Do not use words or phrases that have personal significance: birth dates of family members, names of family members, pet names, the last four digits of your Social Security number. We’ve already discussed how more of your information is available to hackers than you may realize.
3. Don’t use the same password for everything. If it’s compromised, the rest of your identity is at risk.
4. Don’t use words in the dictionary.
5. Create a password that is composed of three of these character classes:
- lower-case letters: abcd…
- upper-case letters: ABCD…
- numeric: 1234…
- non-alphanumeric: !@#$<,"…
6. You could try using the first character of each word in a phrase, song or poem to create a mnemonic.
- Let’s try “My friend has 2 daughters and 1 son: Sarah, Carol and William.”
- Take the first character of each word, keeping the punctuation: Mfh2da1s:S,CaW
- You can shorten it for sites that do not allow fourteen characters.
7. Don’t use keyboard patterns (asdf) or sequential numbers (1234).
8. Create an acronym. Don’t use a common one, like NASA or SCUBA. Combine it with numbers and punctuation marks.
Microsoft has a password checker that determines the strength of your password – weak, medium, strong. If you play with it a little, you’ll get the hang of it.
This password checker tells you how long it would take to hack your password.
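A small checker for the rules listed above, added here as an example (it is not the post’s own code and not the Microsoft tool it links to): it builds the mnemonic from the post’s sample phrase and flags length, character-class, dictionary-word, sequential-run and keyboard-pattern problems. The wordlist and the keyboard walks are constructed stand-ins; a real checker would load a full wordlist.

```python
import re

# Constructed stand-ins for the rules in the post: a few keyboard walks and a
# tiny dictionary. A real checker would load a full wordlist instead of this
# handful of words.
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "qaz")
COMMON_WORDS = {"password", "sunshine", "welcome", "letmein", "dragon"}

WORD_RE = re.compile(r"^\W*(\w)\w*(\W*)$")  # first word char + trailing punctuation

def mnemonic_from_phrase(phrase: str) -> str:
    """First character of each word, keeping punctuation attached to the word
    (':' and ',' in the post's example) and dropping the closing period."""
    parts = []
    for token in phrase.split():
        m = WORD_RE.match(token)
        if m:
            parts.append(m.group(1) + m.group(2))
    return "".join(parts).rstrip(".")

def character_classes(pw: str) -> set:
    """Which of the four classes (lower, upper, digit, symbol) the password uses."""
    kinds = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit}
    return {next((k for k, f in kinds.items() if f(ch)), "symbol") for ch in pw}

def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters each step up by one (1234, abcd)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False

def check_password(pw: str, min_len: int = 8) -> list:
    """Return the post's rules that the password breaks (empty list = passes)."""
    problems = []
    lowered = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(character_classes(pw)) < 3:
        problems.append("fewer than three character classes")
    if lowered in COMMON_WORDS:
        problems.append("dictionary word")
    if has_sequential_run(pw):
        problems.append("sequential run such as 1234")
    problems += [f"keyboard pattern '{p}'" for p in KEYBOARD_PATTERNS if p in lowered]
    return problems
```

Running `check_password(mnemonic_from_phrase("My friend has 2 daughters and 1 son: Sarah, Carol and William."))` returns an empty list, while `check_password("asdf1234")` reports the character-class, sequential-run and keyboard-pattern rules at once.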
How to Answer Those Lame “Password Reset” Questions
When it comes to security questions, you’re looking for memorable and unexpected. Good security questions and answers have a few essential characteristics.
The answer to a good security question:
- can’t be easily guessed or researched (cannot say this enough)
- doesn’t change over time
- is memorable
- is definitive or simple
Some sites allow you to create your own question. If your account offers this option, take it. Make the question about something no one knows about you or an object, not a family member or school you attended or the best man at your wedding or your child’s nickname. Too many people already know that. They wouldn’t even have to search for it on the Web. You want the number of possible answers to be very high, and the chance of any one specific answer to be very low. With which hand do you write? Not good. Only two answers. Now might be a good time to change that question – “Who’s your favorite aunt?” to “Who’s your favorite family member?” The trick is to create a question that will have an answer that’s memorable for you but unexpected for the hacker.
Danah Boyd offers this about security questions:
I’ve instituted a consistent tactic for answering stupid security questions. It’s an algorithmic approach. The basic structure is:
[Snarky Bad Attitude Phrase] + [Core Noun Phrase] + [Unique Word]
Although these are not my actual phrases, let’s map them for example:
- Snarky Bad Attitude Phrase = StupidQuestion
- Unique Word = Booyah
Thus, when I’m asked the following question: What is your favorite sports team?
My answer would be: StupidQuestion SportsTeam Booyah
And when they ask: What was the first car you owned?
I’d respond: StupidQuestion Car Booyah
It’s easy to remember a snarky bad attitude phrase and a unique word that you use consistently. And then to make sure you’re answering the right question (cuz they do have scripts that check that you’re not answering all questions the same way), you just have to be able to pick out the noun phrase each time.
Let’s face it, we love the convenience, entertainment, and horizon-broadening quality that computers bring to our lives. Our world can no longer turn on its axis without them, but we must exercise caution. Being secure in the knowledge that we will receive our mail safely now requires more than planting a new post in the ground when someone knocks it down. I’m sure some of you have already been hacked and wised up long ago. This was a first for me, so I finally did the research I should have done before this happened. There’s much more information out there about this topic. I won’t even go into “brute force attack.” It’s too frustrating and this post is already too long.
I leave you with this. Consider what someone might learn about you by visiting your blog, Facebook, MySpace, Twitter, etc. I’m certainly not suggesting you give up any of that, but be wise about how much you reveal, and where you reveal it, and the potential consequences of revealing it. And DON’T use any of that information in passwords or security questions. Take precautions. The superhighway is a jungle.