Password Security

The other day my dad was telling me a story about a friend of his whose email address had been compromised, sending out spam emails. He asked me how this would happen and what you could do to prevent it, and I thought it was worth writing down so I could refer other people to it.

Full disclaimer: I am by no means a security expert. These are some of the things that I have seen and some of the steps that I have taken to secure my own account. There might be better things out there, but I feel that this is a pretty good place to start.

If a hacker gets your password, they absolutely can take over your email account. This would give them full access to your contacts list, allowing them to send malicious email on your behalf to everyone that you know. If you’re on the receiving end, you’re more likely to open an email from someone that you correspond with regularly (or, at least know).
There are a few ways that a hacker could obtain access to your account:

1. They guessed your password. This could be the case if you used something for your password, like your birthday or a pet’s name.
   • I would think that something like this would be unlikely unless the person is a “high profile” target, like a celebrity or some kind of public figure, or if the hacker personally knows the target. For us “average Joes”, the amount of effort it would take to do something like this would probably not be worth it.
   • The best way to prevent this is by having a strong password. https://howsecureismypassword.net/ is an interesting site that allows you to type in potential passwords and see how strong they are. Of course, as it says on the page, you should be careful where you type your real passwords.

2. They were able to reset your password using the email provider’s “I forgot my password” feature. Normally this would involve answering questions like “mother’s maiden name”, which would be obtainable if you looked hard enough.
   • Most reputable email service providers (Google GMail, Microsoft MSN/Hotmail/Outlook) have gotten smarter with this, allowing you to pick your own questions so that you’re answering something that is a matter of opinion, such as “Ideal vacation destination” which would be much harder to guess or research. Again, something like this would be unlikely unless the hacker knows you personally or you are a high profile target.
   • The best way to prevent this is by choosing security questions that you know the answers to but aren’t widely known by others.

3. They obtained your email address and password from a different compromised site.
   • Ideally, you should never use the same password twice. However, without the use of a password manager like LastPass, having a different password for every single site that asks you to create an account is downright impossible. Most of the time, you set up an account with an email address and a password. If a site uses improper security (storing your passwords in clear text – that is, they aren’t encrypted), a hacker could obtain a juicy list of email addresses and passwords. All a hacker would have to do then is go through the list of email addresses and attempt to log in using the password they have. If you use the same password for that compromised site and your email, you’re toast. Think of it like leaving the key to your front door taped to a note with your address on it in an unlocked back room at a store — all a burglar has to do is go to your house and they’re in!
   • The best way to prevent this is by having a completely unique password for everything you connect to. Products like LastPass and 1Password help you do this by having one “master password” that allows you to access all of your other passwords. Since you don’t have to remember all of your passwords, they can be randomly generated, making them nearly impossible to be guessed or cracked. However, you have to make your master password complex enough to avoid being guessed or cracked, and you must remember your master password (because services like LastPass do NOT store it or have a way of recovering it if you forget — this is one of the reasons they are more secure)

4. They obtained your password via a phishing attack.
   • A phishing attack is where a hacker sends a fake email to you impersonating a company. Inside of the email, there might be a link asking you to “log in” to accomplish some task, but, when you click on it, it takes you to a hacker’s website, where, if you put in your password there, you’re just giving it to them willingly. Or they might send you an email asking you to reply with your password.
   • The best way to prevent this is by being vigilant. Reputable companies will NEVER ask you to provide your password over email, and, if they are asking you to log in to accomplish some task, the best way would be to manually go to their website to log in so that you know for sure that you’re going to a legitimate site. A lot of phishing attacks have poor grammar or spelling (due to being sent from countries where your language is not their native language), so being vigilant and noticing something like that can save you a lot of time.

Two-Factor Authentication

If you’re really concerned with security, one of the best ways to secure your email is by adding two-factor authentication. This will attach your account to a security service that will provide you with an 8 digit number to put in every time you authenticate. The code changes every 30 seconds, so you need to have either an app (such as Google Authenticator for Android and iOS) or a keyfob in order to get the number. By doing this, even if a hacker managed to get your password, they would still need that 8 digit code. A lot of companies support two factor authentication, including LastPass, Google, Twitter, and Microsoft. The downside, of course, is that every time you log in to a service where you’ve enabled two-factor authentication, you have to put in your code. However, the extra peace of mind might be worth it.