Has it happened to you? Strange reports from friends of receiving spam from your account coupled with an inability to login to your own email? Your password has probably been compromised. Keep reading to find out how to control the damage right now and how to better guard against future attacks.
A password that’s been compromised can be a serious problem, especially for those who tend to use one password across all of their accounts. Though email may be a relatively minor breach in security, if that same password unlocks your more important accounts you could be looking at a major threat to your identity. In the event that your email account is threatened, it’s time to fortify all your other accounts with stronger passwords.
Hackers can use your email account to access your other more important accounts by simply going through the “forgot password” systems. These systems typically only require access to one’s email as a source of validation. You can see how taking control of someone’s email can effectively grant hackers access to any account they choose. The following guide will help you cope in the event of a compromised email account.
Fortify your email accounts
Quick response is key when dealing with a compromised account. If there’s even a hint that something’s amiss, secure your account immediately. If a friend reports receiving a suspicious email from you about needing money wired to a strange place or solicitation for some product, get to your computer as soon as possible and start locking things down.
Recovering and resetting
Typically, you’ll need to either recover or reset your password. The process can vary somewhat depending on the email service you’re using (Hotmail, Gmail, or Yahoo! Mail). Each of these services gives you the option to specify whether or not you believe the password has been stolen.
When you change the password, be sure it’s completely different from the old one. Incorporate a variety of alphanumeric characters and temporarily jot it down if necessary. The most important thing right now is securing the account. Once you’re logged into the account, follow these steps:
Turn on double authentication
If this feature is available, enable it! In all likelihood, you’ll want to go back and disable it again later (it can be a hassle to deal with) but for now it’s extremely useful in solidifying the security of your account. As the name implies, double authentication requires that two methods of identification be satisfied before a password can be reset. Typically, a mobile phone number will be needed in addition to the email address.
Comb through your settings
After you’ve enabled 2-step authentication and reset your password, you’ll want to thoroughly go through your settings to make sure everything is normal. You might want to start by: confirming that the listed recovery email is an account that you control, updating the password questions with answers that only you would know, and looking over the mail forwarding settings to make sure no one has set up your email to forward to a 3rd party.
A note about password questions and hints: password recovery based on question and answer is notoriously vulnerable, because the basic personal information it relies on is easy to acquire thanks to social media quizzes and social media itself. A simple way to dramatically increase the efficacy of a question/answer recovery system is to make the answers about someone else. Try answering the questions as if you were your mother, a fictional character you like, or any third party of which you have significant knowledge.
Follow these steps diligently and don’t forget to go through your settings to ensure there will be no future surprises.
Change any passwords that are connected to your email
Email is the catalyst through which most of your other accounts function, effectively making it the gatekeeper to all your most important information. When someone gains access to your email, they gain access to just about every other online account that you’ve used your email to register for. This means that in the event of a compromised email, your Amazon, iTunes, Google, credit cards, and social media accounts have effectively been compromised as well. As time consuming and annoying as it may be, you’ll need to completely overhaul the passwords for every account. The bright side is that you’ll be virtually inoculated against any future attacks.
Use a password manager
Some people choose not to use password managers for reasons ranging from “I have a great memory” to “I can’t trust them”. We know, we heard you. If you’re determined to use only your memory to manage all of your passwords that’s okay, but your passwords are likely to suffer because of it. When your memory is your only tool, you’ll tend towards less varied and unique passwords, which will cost you some security. Refusing to use a manager for your passwords is a lot like doing longhand math because you have something against calculators; it doesn’t make sense not to use a calculator and it doesn’t make sense not to use a password manager. Try using LastPass or KeePass. They’ll integrate right into your browser and they’ll enable you to use only unique passwords for each of your accounts.
Look through your inbox for registration notifications
It’s easy to recall those frequently used passwords such as with Facebook or your bank. However, there are probably dozens of other accounts and services that require a login that’s so infrequently used that you can’t even recall the username.
Search for the notifications using keywords such as “reset”, “verify”, “username”, “welcome to”, “password”, “account”, “login” or a combination of words like “verify account” or “reset password”. It’s a hassle, we know, but if you do this with a password manager once you’ll never have to conduct the hunt again.
Create stronger passwords
Password managers like LastPass make easy work of this tip. LastPass comes with a password generator that will create highly unique passwords at the click of a button. A password as individual as “Wyy1nNngh7dfUwerMyo2” will never be compromised, and with an additional click the manager will go ahead and assign that password to the account of your choosing.
If you’re still not on board with getting a password manager, there are some rules to live by when manually creating a unique password:
Make your password longer than the required minimum
If they require 6-20 characters, create a password with as many characters as you’ll be able to remember.
Avoid using traditional spelling
A password that follows the dictionary spelling of a word leaves you open to being compromised with just the scan of a dictionary file. Also avoid including your name, portions of the email or login itself, or any other basic information like your street name or company. Additionally, leave out any commonly used keyboard combos such as “asdf” or “qwerty”.
Use a passphrase in lieu of a password
When you aren’t using a manager to store all your random passwords, changing them to passphrases may help you recall them. Your iTunes account, for instance, could be unlocked with an easy to remember passphrase like “I love music”. Then you can condense the phrase into a less traditional, more password-like form, e.g. “!luvmuzik”. Still easily remembered, still relatively strong.
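As an added illustration (not from the original article), here is a small Python checker that applies the rules above to a candidate password: longer than the minimum, no dictionary spelling, no personal details, no keyboard runs. The wordlist and keyboard runs are constructed stand-ins for real lists, and the name/email/street/company parameters are hypothetical inputs you would supply about yourself.

```python
import re

# Constructed mini wordlist standing in for a real dictionary file
DICTIONARY = {"password", "music", "summer", "welcome", "dragon", "monkey"}
# Adjacent-key runs the article warns against (constructed, not exhaustive)
KEYBOARD_RUNS = ("qwerty", "qwertz", "asdf", "zxcv", "1234")


def password_problems(password, minimum=6, *, name="", email="", street="", company=""):
    """Return the list of article rules the candidate password breaks.

    An empty list means the password avoids every listed pitfall; it is
    not a proof of strength, only a check against the rules above.
    """
    problems = []
    lower = password.lower()

    # Rule: make it longer than the required minimum, not merely equal to it
    if len(password) <= minimum:
        problems.append(f"not longer than the {minimum}-character minimum")

    # Rule: avoid traditional spelling. Strip digits/symbols so that
    # "password1" still reads as the dictionary word "password".
    letters_only = re.sub(r"[^a-z]", "", lower)
    if letters_only in DICTIONARY or any(word in lower for word in DICTIONARY):
        problems.append("contains a dictionary word")

    # Rule: leave out your name, the login itself, your street and company
    personal = [name, email.split("@")[0], street, company]
    for piece in personal:
        piece = piece.lower()
        if len(piece) >= 3 and piece in lower:
            problems.append(f"contains personal info '{piece}'")

    # Rule: no common keyboard combos such as "asdf" or "qwerty"
    for run in KEYBOARD_RUNS:
        if run in lower:
            problems.append(f"contains keyboard run '{run}'")

    return problems


if __name__ == "__main__":
    # The article's condensed passphrase passes; a dictionary word plus digits does not
    for candidate in ("!luvmuzik", "music123", "qwerty", "Jane2019!"):
        print(candidate, "->", password_problems(candidate, name="Jane") or "ok")
```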
Stay on top of password management from here forward
Be careful not to revert to old habits after the shock of a breach has faded. It’s like the dentist-effect: you diligently brush and floss just before a checkup and swear up and down the habit will stick from now on. Then a few weeks later you’re back to passing out on the couch after a pint of Ben and Jerry’s.
Damage control after a compromised password is a headache, and that’s assuming nothing major was done with your stolen credentials. Save your future self some hassles and remember these tips moving forward:
Each service needs to have its own unique password
It’s like a fire suppression system; if you’ve got one in every room of your building, you increase your odds of containing the damage to one area. If a shopping website you occasionally visit is compromised, it won’t take your email down with it.
Update your passwords
You may need to make a habit of updating your passwords, particularly if you frequently access your email using public Wi-Fi. Logging in to your accounts when connected to publicly accessible Wi-Fi leaves you open to key-logging and other methods of hacking. Again, if you can get on board with a password manager, frequently changing your passwords can be painless because you’ll only have to remember the one password to unlock your manager and email.
Securely store all your passwords
No matter how you choose to store your passwords, make sure it’s secure. If you must have them written down, store the list in a fire safe. If you’ve chosen to use a password manager, make sure the password to open it is very strong. If you prefer to list them in a text document, be sure you encrypt it; don’t just let it sit in the My Documents folder. Think of your list of passwords as a passport to all of your digital information.
Only transmit your passwords if it can be done securely
Never email a password, or a list of passwords, to yourself in plain text. This is a lot like mailing a postcard with a list of passwords on it; whoever touches it en route will be able to see the information. Do not, under any circumstance, email or IM your passwords.
Never share a password
Just as you should avoid sending passwords to yourself via email, you should avoid sharing passwords with anyone, period. There’s no reason for your friends to know it, no reason for your boss to know it, and definitely no reason any legitimate businesses would need to know it. When it comes to sharing your passwords, the rule of thumb should be not to.
If you’ve been following along, then by now you should find yourself firmly in control of your email and online security with a list of securely stored and unique passwords. There’s one more thing you should do. Do the Good Samaritan thing and share this article with all those friends you recently spammed. Chances are, they’re on the verge of a password fiasco of their own.