Your friends are reporting spam and pleas for money originating from your email account and some of your logins aren’t working; you’ve been compromised. Read on to see what to do right now and how to protect yourself in the future.
A compromised password is serious business. A security breach at a minor service you use can jeopardize your more serious accounts if you use weak passwords (or even the same one) across all of them and a security breach at a core service like your email account means it is time to batten the hatches and get your passwords under control.
This guide is full of useful tips for anyone who has to deal with the fall out of leaked password but we’ll be focusing specifically on dealing with the mother of all compromises: a compromised email account. Once someone has control of your email account they can easily gain control of the dozens of other services you use as, for better or worse, email functions as a major key-to-the-castle and qualifying identifier.
Secure Your Email Account
The absolute first thing you need to do at even the slightest hint that something is amiss is to lock down your account. The second your friend calls you and says “I just got an email from you claiming you’re in London and need me to wire you money” you need to get on your computer and get to work.
Resetting/recovering your password. You may need to reset or recover your password. The process varies from email service to email service but we’ve gathered up the reset links for three popular email services here to help speed the process along if you’ve found this article via a panicked Google search. You can find the forms for Gmail, Hotmail, and Yahoo! Mail here. All three of the aforementioned services have an option for you to specify not just that you forgot your password but that you believe your account has been compromised.
Change your password to something completely different than your previous password. Make it a combination of alphanumeric characters and if need be temporarily write it down. The important thing is that you secure your email immediately with a strong password. While you are still logged into your email account complete the following steps.
Enable two-factor authentication. Although your email service may not offer this feature, if it does turn it on. You likely won’t keep it on forever (two-factor verification is kind of a hassle) but while you’re in lock-down mode and attempting to get everything under control it’s nice to know that someone would need to, for example, have access to your mobile phone and your password in order to gain access to your email account. You can read about two-factor authentication for Gmail here.
Go through your email settings with a fine tooth comb. In addition to changing your password and setting up two-factor authentication you need to go through the settings on your email account to make sure nothing is out of the ordinary. Here are several things you need to look at: check your recovery email and ensure that it is set to an email address you control, check your password hints and replace them with fresh questions only you know the answer to, check your email forwarding settings to ensure that however compromised your email hasn’t set it up so that all your future email will be forwarded to a 3rd party.
Regarding password hints: password recovery systems based on hints are notoriously easy to defeat as it isn’t particularly difficult to get basic information about a person like where they were born, what their cat’s name is, etc. (thank you frivolous Facebook quizzes). One easy way to radically increase the strength of hint questions is to make them about someone other than yourself. Answer the questions as though you are your father, a character in a comic book or novel you love, or any other third party that you have a significant degree of knowledge about.
Don’t neglect these three steps and make sure to look at all the settings on your email account to make sure there are no surprises tucked away!
Change Every Password Associated with Your Email Address
Email addresses function as the proverbial keys to the castle. If someone has access to your email account they also have access to nearly everything else you’ve ever used your email account for—your iTunes login, your Amazon.com account, your credit cards and banking institutions, social media accounts, discussion forums and so on. Now is the time to start changing passwords. We realize this isn’t fun and we realize it’s time consuming if you have lots and lots of accounts. The upside is that once you do it, you’ll have effectively inoculated yourself against this misery in the future.
Get a password manager. Not everyone uses a password manager and lots of people have their reasons for not doing so including “I’ve got a good memory”, “I don’t trust password managers”, “I’ve got some straight up KGB algorithm in my brain to generate new and awesome passwords”, etc. We’ve heard it all before. If you want to play the “I’ll memorize all my passwords” game, that’s fine. You simply won’t have as strong and varied passwords as someone who uses a password manager. Not using a password manager is like refusing to use a calculator and solving all math problems long hand; there’s no good reason to forgo using a calculator and there’s no good reason to stick to juggling passwords in your head when there are better alternatives.
Whether you use LastPass, KeePass, or another respectable password manager that integrates with your web browser (and thus decreases your resistance to using it), you’ll have a system that allows you to use extremely strong and unique passwords for each distinct login.
Search your email for registration reminders. It won’t be hard to remember your frequently used logins like Facebook and your bank but there are likely dozens of outlaying services that you may not even remember that you use your email to log into.
Use keyword searches like “welcome to”, “reset”, “recovery”, “verify”, “password”, “username”, “login”, “account” and combinations there of like “reset password” or “verify account”. Again, we know this is a hassle but once you’ve done this with a password manager at your side you have a master list of all your account and you’ll never have to this keyword hunt again.
Use strong passwords. If you’re using a good password manager this won’t even be an issue. LastPass, for example, has a built in password generator. A click of a button is all that it takes to generate a password like “Myy0vNncg6dlYrbhVjo1”; add in another click and you can easily associate that extremely strong password with the account.
If you’re not using a password manager there are still some hard and fast rules you should live by when it comes to manually generating strong passwords:
- Passwords should always be longer than the minimum the service allows for. If the service in question allows for 6-20 character passwords go for the longest password you can remember.
- Do not use dictionary words as part of your password. Your password should never be so simple that a cursory scan with a dictionary file would reveal it. Never include your name, part of the login or email, or other easily identifiable items like your company name or street name. Also avoid using common keyboard combinations like “qwerty” or “asdf” as part of your password.
- Use passphrases instead of passwords. If you’re not using a password manager to remember really random passwords (yes, we realize we’re really harping on the idea of using a password manager) then you can remember stronger passwords by turning them into passphrases. For your Amazon account, for example, you could create the easily remember passphrase “I love to read books” and then crunch that into a password like “!luv2ReadBkz”. It’s easy to remember and it’s fairly strong.
Practice Good Password Hygiene Going Forward
It’s really easy to slip back into bad habits once the shock of security breach has passed. Call it the dentist-effect: you floss and brush like mad before the dentist, you promise yourself you’ll floss and brush after the visit, and three weeks later you find yourself falling asleep on the couch watching Archer with a mouthful of gummy bears.
Staying on top of password management is important and when done correctly protects you from the agony of having to do all this password fixing again (or, worse, losing significant sums of money or becoming embroiled in a legal battle because of what was done with your compromised account). Here’s what you need to do going forward with your old and new accounts:
Always use a unique password for each service. Think of this policy like having fire suppression systems in every room of a building. If Lab 223 catches fire it doesn’t take the whole structure with it. If someone hacks a game site you visit they won’t also have access to your email (or any other logins associated with your email address).
Change your passwords. Don’t be resistant to changing your passwords. If you use your email a lot at public Wi-Fi spots, internet cafes, etc. then you need to change it frequently as you are using it in locations where it can be easily sniffed, key logged, or otherwise compromised. If you use a master password manager this process is less painless as you really only need to remember a strong password for the password manager and a strong password for your email (everything else can be managed by the password manager).
Do not store your passwords insecurely. However you store your passwords, do not store them insecurely. If you write them down on a notebook lock it in your firesafe. If you keep them in a password manager, use a very secure password for that manager. If you keep them on your computer in a text document then you must encrypt that text document and not simply leave it in your My Documents folder. Your password list, however it is stored, is the passport to your digital life.
Do not transmit passwords insecurely. This is a combination of the previous rule and the next rule. Do not email yourself a plain text file of your passwords. It’s the equivalent of writing your passwords on a postcard and mailing them. Anyone who touches the postcard in transit can easily read the passwords. Never email or instant message your passwords for any reason.
Do not share your password. As well as not sharing your password between services don’t share your passwords with other people. Your friends don’t need to know your passsword, your boss doesn’t need to know your password, no legitimate company employee from Google or Bank of America is ever going to call you up or email you and ask for your password. Your default stance on password sharing should always be “No.”
At this point, if you’ve followed along, you have a set of unique, strong, and well managed passwords. You have one final task. Pull up your contact list and send an email to all the people who you previously spammed with “Help, I’m stuck in London and have no money…” messages and email them a link to this article. There’s a good chance that, like you were, they’re one bad break away from a password nightmare.
Jason Fitzpatrick is warranty-voiding DIYer and all around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on Google+ if you'd like.
- Published 06/14/11