Steps you can take now to prevent issues later.
I don’t get this question a lot, but I really wish I did. What I get instead, repeatedly, is “I’ve been hacked, please recover my account/password for me!” (Which, for the record, I cannot do, no matter how often or how nicely, or not so nicely, I’m asked.)
The only salvation is prevention, and this applies to email, social media, and pretty much any online account you have.
What can you do to make sure your account doesn’t get hacked in the first place?
Preventing account hacks
To secure your account from hacking:
- Select a good password.
- Protect your password.
- Set and protect your “secret answers”.
- Set (and maintain!) an alternate email address(es).
- Set (and maintain!) mobile or other telephone number(s).
- Enable two-factor authentication.
- Use other provider-specific techniques when available.
- Use a different password on every site.
- Use a password vault.
- Be skeptical.
- Remember that free services have little to no support.
- Learn from your mistakes if it ever happens to you.
1: Select a good password
You’d be shocked at how easy many passwords are to guess. Your pet’s name, your pet’s name spelled backwards, your favorite TV character’s catchphrase, your boyfriend or girlfriend’s name (or “ilove” followed by that name), and so on.
If you think people can’t guess it, you are wrong. They can and will.
“iLoveMikey” is a bad password. “j77AB#qC@^5FT9Da” is a great password. You can see the problem, though: great passwords are hard to remember.
So compromise.
- Avoid single or pairs of full English words or names unless you make a longer passphrase of at least three and preferably four or more words.
- Include a mix of uppercase and lowercase letters and numbers.
- Make sure the password is at least 12 characters long, and ideally 16 or longer, if supported.
“Macintosh” is bad. “Mac7T0shB00k” (based on the easy-to-remember “Macintosh Book”) might be good. “HondaPrelude” is bad, but “SilbrPre7ood6” (based on “Silver Prelude 6”) might be ok.
Bottom line: pick a random-looking password YOU can remember but THEY would never guess… and assume that THEY are always really great guessers.
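To make the "hard to guess" side of the compromise concrete, here is an added example (not from the article) that scores the article's own sample passwords two ways: a naive guess-space estimate that assumes every character was chosen at random, and a passphrase estimate for the three-to-four-word approach. It also checks the three rules listed above. The 7776-word list size is an assumption (the size of the common diceware list).

```python
import math
import string

# Character classes used for the naive "alphabet size" estimate.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 symbols
)


def charset_bits(password: str) -> float:
    """Naive strength estimate: length * log2(alphabet size).

    This is what an attacker faces only if every character was picked
    uniformly at random from the classes present. Human-chosen strings
    such as "iLoveMikey" score far higher here than they deserve, because
    a guesser tries names and "ilove" patterns long before brute force.
    """
    alphabet = sum(size for chars, size in CLASSES
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Strength of a passphrase whose words were picked at random from a list.

    Assumes a 7776-word (diceware-sized) list: three words give about 39
    bits, four about 52, which is why the article prefers four or more.
    """
    return word_count * math.log2(wordlist_size)


def meets_article_rules(password: str) -> bool:
    """The three rules from the article: length, case mix, and digits."""
    return (
        len(password) >= 12
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
    )


if __name__ == "__main__":
    for pw in ("Macintosh", "Mac7T0shB00k", "HondaPrelude",
               "SilbrPre7ood6", "iLoveMikey", "j77AB#qC@^5FT9Da"):
        print(f"{pw:18} rules={meets_article_rules(pw)!s:5} "
              f"naive={charset_bits(pw):5.1f} bits")
    print(f"4 random words: {passphrase_bits(4):.1f} bits")
```

Note that the naive score for "iLoveMikey" (about 57 bits) is the same as for a truly random 10-character mixed-case string; the estimate cannot see that it is a name and a pattern, which is exactly why the article's guessability warning matters more than any calculator.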
For more, see: What’s a Good Password?
2: Protect your password
A scenario I see much too often starts with “I thought I could trust my boyfriend/girlfriend/husband/wife/co-worker, so I gave them my password. Then we had an argument.”
How much damage can someone do if they’re angry with you and they have the password to your account? A lot.
It’s simple: Trust no one. I’m serious about this. Your friends are your friends until one day they’re not. Naturally, there are exceptions, but if there’s the least bit of doubt, don’t reveal your password. Especially if someone is pressuring you to do so.
For more, see: The Biggest Risk to Your Privacy.
3: Set and protect your “secret answers”
It’s fallen out of favor as not being particularly secure, but many systems still use a “secret question” and its answer as the key to account recovery or password reset. The problem is, many people choose secret answers nearly anyone can guess or easily find out.
However, there’s nothing that says your answer has to correspond to the question. Instead, pick an answer that is unrelated to the question. Perhaps your city of birth should be Crayola, Chardonnay, or WindowsExplorer. Treat secret answers like another password. Make it long, obscure, completely unrelated to the “question”, and impossible for someone else to guess.
As long as you can remember it when needed, it doesn’t matter what it is.
For more, see: How to Choose Good Security Questions.
4: Set (and maintain!) alternate email address(es)
Many services use one or more alternate email addresses to mail you a password recovery link if you forget yours. You must set this up before you need it.
First, make sure to configure that option using an email account on a different system. Create and use a Yahoo account for your Outlook.com alternate email, for example.
Second: don’t lose the alternate account. For many systems, if you can’t access that alternate email account, you cannot get your password back, and you will not be able to recover your primary account. Remember to log into that alternate account every so often to keep it from being shut down for inactivity.
I’ve seen too many cases where people lose their alternate email address or let the account lapse and then find themselves totally out of luck when they really need it to recover their primary account.
For more, see: Please Set Up and Maintain Account Recovery Information.
5: Set (and maintain!) mobile or other telephone number(s)
This is very similar to an alternate email address, and can be used in place of one if you’ve configured it beforehand. Once again, you must set this up before you need it.¹
If you can’t access your account, the service will text you a recovery code. If you don’t text or have a text-capable phone, some can call you with an automated voice recording of the recovery code. You then enter the code, proving you have access to the phone number that was previously configured as belonging to that account, and regain access.
Keep this number up to date! I regularly hear from people who’ve lost access to their accounts permanently because the phone number they originally configured is no longer theirs.
Also, keep in mind that this number must be able to reach you where you are, and may even be triggered as an additional security measure if you travel outside of your normal area. If that’s not possible, configure some other form of security, such as the alternate email mentioned above, or other techniques offered by your service provider.
For more, see: A One Step Way to Lose Your Account … Forever.
6: Enable two-factor authentication
Two-factor (or “multi-factor”) authentication is the current holy grail when it comes to account security. With two-factor properly enabled, hackers cannot get into your account even if they know the password.
The second factor that proves you are who you say you are is typically either:
- A mobile app that provides a random number on demand that you must provide when you log in
- A text message sent to a phone number you configure when you set up the account, which you then also enter at login
Once logged in, you can disable this requirement on machines you use frequently. Hackers are not able to provide the second factor, so they can’t get in.
For more, see: Two-Factor Authentication Keeps the Hackers Out.
7: Other provider-specific techniques
Some providers have additional recovery techniques. For example, you can create a recovery code for your Microsoft account that you save somewhere safe and use to recover your account.
Look for options like these or others within the services you use regularly.
And remember, you must set them up before you need them.
For more, see: Recover Your Microsoft Account Later by Setting Up a Recovery Code NOW.
8: Use a different password on every site
I’ve written about this extensively: it’s important to use different passwords on each of your important sites.
The reason is simple: if a hacker manages to discover your password on one account, they will go try your username and password, or email and password, on a multitude of other services. If you used the same password on another service they happen to try, that account will quickly be hacked as well.
Password managers like 1Password, RoboForm, and others are excellent ways to maintain multiple, complex passwords for multiple sites without needing to remember them yourself.
For more, see: Why Is It Important to Have Different Passwords on Different Accounts?
9: Use a password manager
I realize that “hard to guess” is at odds with “easy to remember” and both are at odds with not re-using passwords.
That’s where password managers (also called vaults or safes) come in.
If you forget your password, or you forget the answer to your secret question, or lose access to your alternate email account, or somehow lose the ability to use any of the password recovery mechanisms provided by the service, well, to put it bluntly, you are SOL: severely out of luck.
Don’t forget your own password. Don’t forget the answer to your own secret question(s). If you must write your information down, keep it in a secure place. A sticky note on your monitor under your mouse pad or other easy-to-get-to place is not secure. Your wallet might be secure. A locked cabinet or safe might be secure. A properly encrypted file on your computer might be secure.
But remembering this information securely is exactly what password managers are designed to do for you.
For more, see: Are Password Managers Safe?
10: Be skeptical
You should never be asked to email anyone your password.
EVER.
There are some very common phishing attempts that threaten you with account closure unless you respond to the email with information about your account (like your login name and password). Those emails are bogus. Mark them as spam and ignore them. Any email that requires you to respond with any information that includes your password is almost certainly a phishing scam.
Similarly, many phishing scams attempt to get you to click on a link to do something important relating to your account. Instead of taking you to the service, they take you to a fake page that looks like the service, but instead is a page designed to capture your username and password when you try to log in. If you have any doubt, don’t click the link in the email. Instead, go to the service in question yourself, using your web browser. If there’s something important, it’ll almost certainly be presented there.
For more, see: Phishing: How to Know It When You See It.
11: Remember that free services have little to no support
The vast majority of the account hacks I hear of — the hacks where people are ultimately unable to recover their accounts — involve free services with little to no support.
There may be a knowledge base or a peer-to-peer support forum, but there is rarely someone to email and almost never someone to call.
You are responsible for your own account security.
It’s often true, and certainly safest to assume, that no one will help you should something go wrong. That means it’s up to you to take the preventative measures I’ve outlined as well as keep your information up to date as things change.
For more, see: Are Free Email Services Worth It?
12: Learn from your mistakes
Finally, if you realize that:
- The answers to your secret questions are obvious, or
- You no longer have access to your alternate email address or never set one up, or
- You no longer have access to your old mobile number or never set one up, or
- Your passwords are short and just plain lame, and you use the same one everywhere…
Fix it NOW! Before it’s too late.
Trust me: if you get hacked and it’s for one of those reasons, or you lose access to your hacked account because you didn’t bother to prepare, you’ll kick yourself.
And you may very well lose access to that account and all its data forever.
Footnotes & References
1: I often hear from folks who are concerned that providing a phone number is just another way to track you. I don’t buy into that conspiracy theory. Providing a phone number is all about being able to prove you are the rightful account owner should you ever lose access to the account.
Regarding answers to secret questions, item #3 on the list.
This is another thing that password managers come in handy to keep track of. I know that at least two, LastPass and Bitwarden, have the capability of adding notes to passcards. When setting up the user name and password in the password manager, if the site uses secret questions then add the question and answer in a note for that passcard.
I’ve done this for all the sites that use secret questions. Existing sites generally have the option to edit the questions and answers, so if one is just beginning to use a password manager, they can add the info. The real advantage is that one can have outlandish answers that I would consider impossible to guess. And, there have been many times I’ve had to refer to the notes to remember what I’d entered as the answer.
Hi Leo, what a great article… love it and is something I been looking for and needed for a long time now. This allows me to get to work on increasing my protection right now with some of these added features of protection… thanks.
I see where you suggest the free versions are not good for support? I am thinking in many cases that’s true, but in my case with Lastpass, it is so simple to use and caters for just about all you will ever need (except a hack of course like recently lol) so I am wondering if I will ever need support after using LP for 10 years now trouble-free. It was actually your advice many years ago that I started using it. My main point is, now that I have mastered LP, and using a 30 digit/letter/sign master password which lives in only my own head, and is virtually impossible to crack in my lifetime at least, then I feel safe using this free version. How do you feel about that?
And the other question is… I had so much trouble upgrading to win10 four years ago, even with MS taking over my computer, that I was forced to either trash my 2 year old Gigabyte laptop, or switch to Linux XFCE. I chose the latter and never looked back. Would you think using Linux has increased or decreased my security? Please don’t feel obliged to answer the last question as I know your forte is MS.
Thanks so much and keep up the great work… Mike
Leo:
My friend has a good (??) and I’m thinking about it. He has a nondescript-named spreadsheet in a directory deep in a tree of folders. That ss has all his sites/userids/pws/helpful hints. He has great pws and can Ctrl-C (on the ss)/Ctrl-V (on the site) so he doesn’t have to memorize much at all. I’m thinking of doing that but storing it in the cloud also, perhaps using boxcrypt and/or say onedrive extra secure folder.
One thing I do is use pw phrases that I know/like. eg: “$$A moat it is to trouble the mind’s eye$$!” from Shakespeare, but am I fooling myself that this is a very strong pw??
Mel
That spreadsheet should work fine but it seems like a lot of work when a password manager would do it all in one click. As for that password, it might be ok, but I’d feel safer with a string of unrelated words like “$$correcthorsebatterystaple##” (with or without spaces depending on whether that program or website allows spaces). Of course use different words but that shouldn’t be hard to memorize.