Tuesday, March 12, 2013

Email Password security tips

Here are some general security tips to keep your email account safe.

1. Use a unique password for your email that you do not use anywhere else. The reason for this is pretty simple. Most websites ask you for your email address when you register. If you give that website your email address AND you use the same password that you use for your email login, you've just given that website access to your email account. Most websites are probably trustworthy. But what happens if that website gets hacked and someone steals all your registration information? Now some hacker has your email login information. So ALWAYS use a unique password for your email account that you do not use anywhere else.

2. Do not use a simple password. A simple password is one that's only a few characters long and/or consists of simple words. Most hackers are not sitting in front of a computer typing in one password at a time. They have tools to automate it. So if your password is very short or consists of simple words, they can use a dictionary to guess your password. The best passwords are at least 10-12 characters long. Longer is even better. And it's good if it contains a mixture of letters and numbers. Even better if it contains letters, numbers and punctuation characters like $#@!%. Most passwords are case sensitive, which means mypassword is not the same as myPassWord. So mixing up the casing of the letters is another very good method to make your password hard to guess. The best passwords combine all of this into something called a pass phrase. A password implies a single word. A pass phrase is a combination of words. So rather than having 'password' as your password, you would have 'this is my password' as your password, or pass phrase. And if you combine it with the other suggestions it might look like '@thiS is mY 1 passworD!'
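To make the "dictionary versus brute force" point above concrete, here is an added example (not part of the original post) that estimates how much guessing work each of the author's sample passwords costs an attacker. It assumes a small constructed wordlist standing in for a cracker's dictionary and an assumed dictionary size of 10,000 entries for the bit estimate; the mangling rules (capitalisation, appended digits, surrounding punctuation) are a deliberately simplified model of what cracking tools try.

```python
import math
import re
import string

# Constructed stand-in for an attacker's wordlist. Real cracking dictionaries hold
# tens of thousands to millions of entries; ASSUMED_WORDLIST_SIZE is an assumption
# used only for the bit estimate.
COMMON_WORDS = {"password", "this", "is", "my", "letmein", "welcome",
                "monkey", "dragon", "qwerty", "login", "secret"}
ASSUMED_WORDLIST_SIZE = 10_000


def charset_size(pw):
    """Size of the alphabet a brute-force attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def brute_force_bits(pw):
    """Work for an attacker who tries every string over the observed alphabet."""
    return len(pw) * math.log2(charset_size(pw))


def dictionary_bits(pw):
    """Work for an attacker who guesses words plus simple mangling rules.
    Returns None when some token is not a mangled common word, i.e. the
    dictionary strategy does not apply to this password."""
    total = 0.0
    for token in pw.split():
        core = token.strip(string.punctuation)
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", core)
        if not m or m.group(1).lower() not in COMMON_WORDS:
            return None
        word, digits = m.groups()
        total += math.log2(ASSUMED_WORDLIST_SIZE)            # pick the word
        if word == word.capitalize() and not word.islower():
            total += 1                                        # "Password": one rule
        elif not word.islower():
            total += len(word)                                # arbitrary case toggling
        total += len(digits) * math.log2(10)                  # appended digits
        total += (len(token) - len(core)) * math.log2(len(string.punctuation))
    return total


def estimate_bits(pw):
    """The attacker picks the cheaper strategy, so report the lower cost."""
    if not pw:
        return 0.0
    brute = brute_force_bits(pw)
    dictionary = dictionary_bits(pw)
    return brute if dictionary is None else min(brute, dictionary)


def rate(pw):
    """Return (bits rounded to one decimal, label) for a candidate password."""
    bits = estimate_bits(pw)
    if bits < 30:
        label = "very weak"
    elif bits < 50:
        label = "weak"
    elif bits < 80:
        label = "reasonable"
    else:
        label = "strong"
    return round(bits, 1), label


if __name__ == "__main__":
    for candidate in ["password", "Password1", "this is my password",
                      "@thiS is mY 1 passworD!"]:
        bits, label = rate(candidate)
        print(f"{candidate!r:28} {bits:6.1f} bits  {label}")
```

Run as a script it prints the four candidates in the order the post discusses them: 'password' costs about 13 bits (one dictionary pick), 'Password1' barely more, the plain pass phrase lands in the fifties because an attacker can guess it word by word, and the mixed-case, punctuated version forces a brute-force search over 95 symbols. The thresholds are illustrative; the ordering is what matters.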

3. Pick security questions/answers only you know. Many websites ask you to set up security questions that you can answer if you ever forget your password, or log in from a strange computer. These security questions can turn into security holes. If you pick a very simple question 'what is my favorite color' and pick an equally simple answer 'blue', it won't take very long for someone to guess your security answers. The best thing to do is to pick questions that only you would know the answer to. However, many sites don't allow you to type your own question; you have to pick one of their questions. And their questions are often questions that other people know the answer to, like what school you went to, the name of your spouse, your first job, etc. Those are all questions other people have the answers to, and in many cases even strangers can find the answers to them by doing a little Google searching. For example, if you have a LinkedIn account, your first job AND what schools you attended might be listed there. Your spouse might be listed on Facebook or another social site.

So if you can't type in your own question, you can always give an answer that has nothing to do with the question or is completely made up. For example, if it asked what school you went to, you might say Starfleet Academy (although in my case my friends could guess I'd pick that answer). Or make up an answer that's completely random. Instead of Starfleet Academy, you could say apple pie. You just have to remember the answer you give. The key is to make sure it's an answer no one but you knows and no one could figure out.

4. Don't type your password into strange computers. It's basically the same as catching an STD. You don't know who else used that computer or where it's been. That computer could have a virus on it, and as soon as you type in your password, it's recorded it and sent it off to some nefarious hacker who now has access to your account. This applies even to your friend's computer, unless you are sure they are practicing safe computing.

How can you tell if you were hacked/if a friend was hacked?

5. Don't click strange links. If you get an email from a friend that was sent to a ton of people and all the email contains is a strange-looking link, chances are they were hacked. I would contact your friend other than through their email and ask them if they sent it. If they did not, have them read this post and then change their passwords. I said passwords, plural, because once someone has access to your email account, they could potentially gain access to your other online accounts, since many of them have a forgot-password feature that will email you instructions on how to change your password. So the hacker gains access to your email account and looks through your emails to find an email from your bank. They then go to your bank's website. The first thing they'll try doing is using your email password, in case you used the same password for your email as for your bank. If that doesn't work, then they'll try the forgot-password feature, and within a minute they could have access to your bank account. I'm sure they'll enjoy spending your money.

6. You wake up one morning and suddenly find a bunch of returned messages in your email. This is a good sign your account may have been hacked. This could be because the hacker logged into your email and then sent out an email to EVERYONE you ever emailed before. Or at least everyone in your address book. Some of those emails might have gone to addresses that don't exist anymore, or might have been caught by spam filters. That's why you'll suddenly have a bunch of returned messages in your email.

Many email websites allow you to check and see all the places you logged in from. If so, take a look and see if there's a login from somewhere you've never been, or at a time you know you weren't online. If you find a strange login or have an inbox full of returned messages, it's time to change your passwords and contact your friends and let them know not to click any links that were sent.
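The "look for a login from somewhere you've never been, or at a time you weren't online" check above can be automated once the provider's recent-activity list is in hand. The following is an added example, not from the original post: it learns the owner's usual countries, addresses and hours from the first week of a constructed login history (documentation-range IPs, invented timestamps) and flags later logins that break that pattern. The baseline window and the two-hour tolerance are assumptions chosen for the sample data.

```python
from datetime import datetime, timedelta

# Constructed login history in the shape of a webmail "recent activity" page:
# (timestamp in UTC, source IP, country, client). IPs are from documentation
# ranges; the two early-morning RO entries are the constructed suspicious logins.
LOGIN_HISTORY = [
    ("2013-03-04 08:12", "203.0.113.10", "US", "Firefox on Windows"),
    ("2013-03-05 19:40", "203.0.113.10", "US", "Firefox on Windows"),
    ("2013-03-06 07:55", "198.51.100.23", "US", "Android mail app"),
    ("2013-03-08 21:03", "203.0.113.10", "US", "Firefox on Windows"),
    ("2013-03-12 03:17", "192.0.2.77", "RO", "Unknown browser"),
    ("2013-03-12 03:25", "192.0.2.77", "RO", "Unknown browser"),
    ("2013-03-12 08:05", "203.0.113.10", "US", "Firefox on Windows"),
]


def parse_history(rows):
    """Turn the text rows into sorted (datetime, ip, country, client) tuples."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), ip, cc, client)
                  for ts, ip, cc, client in rows)


def hour_is_usual(hour, usual_hours, tolerance=2):
    """True if `hour` is within `tolerance` hours of any baseline hour,
    wrapping around midnight so 23:00 and 01:00 count as neighbours."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in usual_hours)


def flag_logins(rows, baseline_days=7):
    """Learn what 'normal' looks like from the first `baseline_days` of history,
    then report every later login from a new country, a new address, or an hour
    at which the owner is never normally online. Returns (timestamp, ip, reasons)."""
    events = parse_history(rows)
    if not events:
        return []
    cutoff = events[0][0] + timedelta(days=baseline_days)
    baseline = [e for e in events if e[0] < cutoff]
    known_ips = {e[1] for e in baseline}
    known_countries = {e[2] for e in baseline}
    usual_hours = {e[0].hour for e in baseline}

    findings = []
    for ts, ip, cc, client in events:
        if ts < cutoff:
            continue
        reasons = []
        if cc not in known_countries:
            reasons.append(f"never logged in from {cc} before")
        if ip not in known_ips:
            reasons.append(f"new address {ip} ({client})")
        if not hour_is_usual(ts.hour, usual_hours):
            reasons.append(f"unusual hour {ts:%H:%M} UTC")
        if reasons:
            findings.append((ts, ip, reasons))
    return findings


if __name__ == "__main__":
    for ts, ip, reasons in flag_logins(LOGIN_HISTORY):
        print(f"{ts:%Y-%m-%d %H:%M}  {ip}: " + "; ".join(reasons))
```

On the sample data only the two RO logins are reported, each for all three reasons; the owner's own 08:05 login the same morning passes because its address, country and hour all match the baseline. A real provider's list also shows the client type, which is why the sample keeps it: an "Unknown browser" from a new country at 3 a.m. is exactly the line the post tells you to look for.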


7. Use 2-step authentication. One of the features I like with Gmail is something called 2-step authentication. It's basically using two passwords. You are only prompted for the 2nd password if you log in from a new computer, or it's been 30 days since the last time you used the 2nd password. If you have a smartphone, you download a small app to your phone and the app generates a new password for you every 30 seconds that you would type into your account the first time you log on from a new PC. That means even if a hacker gets your password, they still won't be able to log in because they won't have that random password generator. I still won't log in from a strange PC even with this if I can possibly avoid it. But at least if you do, you know it'll still be almost impossible for them to get into your account. If you do log in from a strange computer, I would still change your password when you get home even with 2-step authentication.

I strongly encourage you to see if your email provider has 2-step authentication. If not, I would switch to someone who does.
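The "app generates a new password every 30 seconds" scheme the post describes is the time-based one-time password standard (TOTP, RFC 6238, built on HOTP, RFC 4226). What follows is an added example, not code from the post or from any provider: it shows both sides, the phone app computing the code from a shared secret and the clock, and the server checking it. The secret is the RFC test-vector key, used so the values can be checked against the RFC appendix; a real enrolment generates random bytes. The one-step clock-skew window and the replay check are the added server-side details a practitioner would want.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed shared secret: the RFC 4226/6238 test-vector key, chosen so the
# codes below can be checked against the RFC appendix. A real enrolment draws
# random bytes and hands them to the phone app in the base32 form shown below.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def enrolment_string(secret):
    """What the phone app is given at setup (usually inside a QR code)."""
    return base64.b32encode(secret).decode()


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock. This is what
    the phone app computes and displays, a new value every `step` seconds."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step))


def verify_totp(secret, submitted, at, last_used_counter=-1,
                step=STEP_SECONDS, window=1):
    """Server-side check. Accepts the current step and +/- `window` neighbouring
    steps (phone and server clocks drift), refuses any counter already consumed
    so a code seen by a keylogger cannot be replayed, and compares in constant
    time. Returns the accepted counter, or None when the code is rejected."""
    current = int(at // step)
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    print("enrol the phone with:", enrolment_string(SECRET))
    now = time.time()
    print("code now:", totp(SECRET, now), "| 30 s later:", totp(SECRET, now + 30))
    # RFC 6238 vector: at T=59 the SHA-1 code is 94287082, so the 6-digit form is 287082
    print("T=59 ->", totp(SECRET, 59))
```

The security property the post relies on falls out of the code: `hotp` needs `SECRET`, which never leaves the phone and the server, so someone holding only the account password cannot produce a valid code. The server should persist the counter returned by `verify_totp` as `last_used_counter` for the next attempt; without that, a code captured on a "strange computer" remains valid for the rest of its 30-second window plus the skew allowance, which is one more reason the post's advice to change the password afterwards still applies.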

1 comment:

Kate said...

Microsoft password tester