Is changing my password enough?

Changing your password is a common response to security breaches. Unfortunately, on its own it is often not enough to get your account back and keep it.

I regularly hear from people who’ve had their email or other online account compromised, who somehow are able to recover access to it and change their password, only to have the account stolen almost immediately again.

The problem is actually quite simple, though the solution is a bit of work.

First, you have to realize that while someone else has access to your account, they have access to everything related to that account, including every setting the system uses to recover it.

Second, you have to realize that because of that, changing your password just isn’t enough.

You authenticate with most online systems by providing a user name and a password. Your username might well be publicly visible, but your password should be known only to you.

Most systems also provide a mechanism whereby you can recover or reset your password should you forget it. They use a variety of means, but they all boil down to the same thing: they use one or more additional pieces of information to validate that you are who you say you are, and then reset or reissue your password.

It’s those ‘additional pieces of information’ that present the greatest risk once your account has been compromised.


Let’s look at some examples of what I mean, why they’re a risk, and what you should do about each in addition to changing your password.

  • Email address or alternate email address: Many if not most online accounts require your email address. In the case of an email account (like Hotmail, Gmail or the like) there’s often an “alternate” email address. Systems often provide the ability to send a password reset message to that email address of record should you lose your password. Since only you could have set it up, by definition that email address should be yours.

    Once your account has been compromised, a smart hacker will immediately go in and change that email address to one that he has access to. That way, if you request a password reset, he’ll get it, not you. Similarly, if you change the password, all the hacker has to do is request a password reset, and he’ll regain access to the account.

    What you should do: once you’ve regained access to your account, immediately verify that all email addresses associated with that account are yours. If they aren’t, change them right away.

  • “Secret” questions and their answers: Many systems have you set up answers to questions as a second layer of security should you lose your password. The answers are typically to questions that only you should know, such as your mother’s maiden name, your first pet or your favorite teacher. If you forget your password, many systems then simply ask you one or more of these questions. If your answer matches what you set up originally, then you must be who you say you are, and you’ll get your password reset and/or account access.

    I put “secret” in quotes because this is one of the problems with the technique: quite often the answers aren’t secret at all. It’s been shown that even a little browsing on social media sites of which you happen to be a member can often tell potential hackers a great deal about you, including many of the answers to these so-called secret questions.

    Once a hacker has access to your account, it’s not uncommon for the answers to your secret questions to be visible to him. If he’s smart – and some are – one of the first things he’d do is jot down the answers to all your secret questions, or change them to his own. That way, should you regain access to the account and change the password, he can just invoke the password recovery mechanism and regain access himself.

    What you should do: once you’ve regained access to a hacked account, change all your secret answers immediately. Even if they’ve been untouched, the attacker could simply have written them down and know them all. Change them to something new – ideally answers that are completely unrelated to the questions, but that you’ll be able to remember in the future.

  • Mobile/Cellular information: Some providers allow you to specify your mobile number as part of your account information, and then can SMS or otherwise contact you via that information to perform password resets and more.

    By now you probably realize that once a hacker has access to your account they can change that number to be their own. Any mobile-based account recovery attempts are now redirected to the hacker.

    What you should do: as soon as you get back into your hacked account, change or remove this information.

  • Billing information: It’s rare, but some systems will use billing information, such as a credit card number already on file, or your billing address in account recovery and validation attempts.

    If you have this kind of information on file, a) a hacker can start using it, potentially racking up charges that you may or may not be liable for, and b) a hacker can change it so that if it’s used for account recovery purposes it’s the hacker who’ll regain access and not you.

    What you should do: change or remove this information as soon as you get your account back, and check with your credit card provider immediately for any improper charges.

By now you should see a distinct pattern: any and all information that can be used to recover your account should be validated, removed or changed the instant you get your account back. That includes personal information, PINs, secret questions and answers, alternate email addresses and more – anything that the system you’re dealing with might use for account validation and recovery. The same goes for anything that keeps the hacker’s foothold without a password at all: sessions that are still signed in, and settings such as mail forwarding.

If you don’t, and the individual that hacked your account has even half a clue, it’s very possible that you could recover your account only to find it hacked again within hours or even minutes.
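The bullets above all describe one mechanism: a live session can rewrite the recovery settings, and the recovery settings can hand out a new password. Here is an added example, not code from the original article, that models it as a small simulated provider in Python. The provider, its settings (recovery email, secret answer, a mailbox forwarding rule, signed-in sessions), the two reset paths and all names, addresses and passwords are hypothetical and constructed for this page. The scenario runs twice: once where the victim only changes the password, and once with the full clean-up the article calls for, and reports which ways back in the attacker still has.

```python
"""Simulated password-reset flow: why rotating only the password does not evict
an attacker who already had access. Added example, not code from the original
article; the provider, its settings and its recovery paths are a hypothetical
model constructed for this page."""
import hashlib
import secrets
from typing import Dict, List, Optional


def _h(value: str) -> str:  # stand-in for a real password/answer hash
    return hashlib.sha256(value.encode()).hexdigest()


class Provider:
    """Minimal account service: login, self-service settings, two reset paths."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}
        self.mail: Dict[str, List[str]] = {}  # recovery mailbox -> reset tokens delivered

    def register(self, user, password, recovery_email, answer):
        self.accounts[user] = {
            "password_hash": _h(password),
            "recovery_email": recovery_email,      # the "email address of record"
            "secret_answer_hash": _h(answer),      # answer to the "secret" question
            "forward_to": None,                    # mailbox forwarding rule, if any
            "sessions": set(),
        }

    def login(self, user, password) -> Optional[str]:
        acct = self.accounts[user]
        if acct["password_hash"] != _h(password):
            return None
        sid = secrets.token_hex(8)
        acct["sessions"].add(sid)
        return sid

    def set_setting(self, user, sid, key, value):
        """Any live session may change any setting, the attacker's session included."""
        acct = self.accounts[user]
        if sid not in acct["sessions"]:
            raise PermissionError("session revoked or invalid")
        acct[key] = value

    def change_password(self, user, sid, new_password, revoke_other_sessions=False):
        self.set_setting(user, sid, "password_hash", _h(new_password))
        if revoke_other_sessions:
            self.accounts[user]["sessions"] = {sid}

    # Recovery paths need no session: anyone who knows the username can start them.
    def request_reset_link(self, user):
        mailbox = self.accounts[user]["recovery_email"]
        self.mail.setdefault(mailbox, []).append(secrets.token_urlsafe(16))

    def reset_with_answer(self, user, answer, new_password) -> bool:
        acct = self.accounts[user]
        if acct["secret_answer_hash"] != _h(answer):
            return False
        acct["password_hash"] = _h(new_password)
        return True


def audit_recovery_surface(acct: dict, owner_recovery_email: str) -> List[str]:
    """What the owner must verify after getting back in; returns anything still wrong."""
    findings = []
    if acct["recovery_email"] != owner_recovery_email:
        findings.append("recovery_email")
    if acct["forward_to"] is not None:
        findings.append("forwarding_rule")
    if len(acct["sessions"]) > 1:
        findings.append("extra_sessions")
    return findings


def run_scenario(full_remediation: bool) -> dict:
    """Attacker rewires recovery, victim responds; returns which attacker paths still work."""
    p = Provider()
    p.register("alice", "Tr0ub4dor&3", "alice.backup@example.com", "Rex")
    # Attacker already has the password, logs in, swaps the recovery email, adds a
    # forwarding rule and writes down the secret answer shown on the profile page.
    atk = p.login("alice", "Tr0ub4dor&3")
    p.set_setting("alice", atk, "recovery_email", "mallory@attacker.example")
    p.set_setting("alice", atk, "forward_to", "mallory@attacker.example")
    noted_answer = "Rex"
    # Victim notices, logs in and changes the password; with full remediation the
    # victim also revokes other sessions and resets every recovery setting.
    vic = p.login("alice", "Tr0ub4dor&3")
    p.change_password("alice", vic, "correct horse battery staple",
                      revoke_other_sessions=full_remediation)
    if full_remediation:
        p.set_setting("alice", vic, "recovery_email", "alice.backup@example.com")
        p.set_setting("alice", vic, "forward_to", None)
        p.set_setting("alice", vic, "secret_answer_hash", _h(secrets.token_urlsafe(12)))
    # Now the attacker tries each way back in.
    p.request_reset_link("alice")                        # 1: link goes to email of record
    try:                                                 # 2: the old session, if still live
        p.set_setting("alice", atk, "forward_to", "mallory@attacker.example")
        old_session = True
    except PermissionError:
        old_session = False
    return {
        "reset_link": bool(p.mail.get("mallory@attacker.example")),
        "old_session": old_session,
        "secret_answer": p.reset_with_answer("alice", noted_answer, "x"),  # 3: memorised answer
        "audit": audit_recovery_surface(p.accounts["alice"], "alice.backup@example.com"),
    }
```

With `run_scenario(False)` all three attacker paths still work and the audit lists the recovery email, the forwarding rule and the extra session; with `run_scenario(True)` none of them work and the audit is empty. The point of the audit function is the article’s closing rule: the owner compares every recovery setting against what they know to be theirs, rather than only looking for things that appear changed, since an attacker who merely wrote the secret answer down leaves nothing changed to notice.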

There are 41 comments:

  1. Tony M.

    This may be the most valuable information regarding personal cyber security that I have ever seen. All the anti-virus programs and firewalls in the world will do little good if you’re blabbing your “secret” information to the world via social networking sites.

    This is precisely how Sarah Palin’s e-mail account was hacked. A malicious individual, seeing publicly-available details about her, was successfully able to provide the correct answers to the security questions Mrs. Palin used for one of her e-mail accounts. Through this vulnerability, the hacker obtained access to the governor’s personal e-mail.

    Thank you, Leo, for such thorough coverage of this personal security problem.

  2. MmeMoxie

    I fully agree with Tony M. Leo, you are ‘right on’ with your information.

    Only one note, the good ISP’s will tell you to close down the ‘hacked’ account and create a complete new one. New user name, password, secret questions, the whole nine yards.

  3. Digby Lowe

    The 2nd email address could be used to break the hacker’s stranglehold on the primary account if the primary mail provider were to automatically refer to the 2nd mail address all changes made to password and proposed changes to 2nd mail address – i.e. effectively pass master control of the primary account to the 2nd account. Do I get a prize for that idea?!!

  4. Rick

    A bigger problem is that the major webmail players have password recovery mechanisms that do not even rely on ‘secret’ questions, but rather a recollection or best guess of how you have used the service.

    For example, GMail’s Password Recovery page starts with, “If you’ve already tried to reset your password and you’re still unable to access your Google Account, fill out the form below. Please answer each question as thoroughly and accurately as possible; the strength of your answers will determine if we can return your account. If you’re not certain about some of the dates, provide your closest estimate.”

    The problem here is that a hacker gets to offer an alternate ‘alternative’ email address and answer a few questions about what other Google services the user might have used (along with estimates of dates) . . . and a few other tidbits that are not super difficult to work out. If the mix seems probable to Google they send a reset email to the proffered alternate email address.

    In other words, if a hacker can work out what other Google services this user has and the approximate creation dates, he or she has a pretty good chance of taking control of the account.

  5. Evan B Merz

    While I have had no difficulties in this area (knock on wood), I remain concerned. I check credit card charges at least twice a month and my credit card and debit card likewise, so I think I’m on top of this problem. Incidentally, my ISP has withheld emails because they are questionable and appear to be complete strangers to me.

  6. Ron Inabinet

    I believe that my computer has been compromised to a degree. Several months ago, I don’t even remember when, I checked to see if I was the only name logged into my computer. To my amazement I was NOT the only person logged in. I kinda freaked and shut my computer down without writing down the “other” name. I have checked back often but found no one else logged in; this might be due to the fact that I have gotten a router. Just a couple of weeks ago I was going to log into my Yahoo email account but I saw my computer password already typed into the space provided. I still get those stew-pid Nigerian scams about money but I always just delete them. I believe the unsolicited emails of offers to view women’s private photos and chat sessions with unknown women supposedly are nothing but hacking or spoofing scams. My Yahoo email account hasn’t been hacked but I have suspicions that my computer is watched by parties unknown.

  7. craig

    In regard to ‘secret’ questions; if you have a set question there are limited ‘truthful’ answers. Try using one or two universal answers for all secret questions on all your web-based security. Like, Mother’s maiden name? Venus, or blue whale, or Mitsubishi, or River Phoenix, and First pet you had? River Phoenix, Mitsubishi… etc.
    This makes guessing the answers nearly impossible and we’ve now made the answers endless, rather than the limited truthful stock – AND it makes your answers easy to remember IF you stick to the same ones all the time.
    FYI – Some profile setting areas in some web sites will show you your ‘secret answers’, which makes the secret void if your account is hacked.

  8. kate

    Leo, I have read a few of your articles. I have had the ‘free email – hotmail problem’ where my hotmail is sending spam email (always the same email, copied below – hope that’s ok… but the link is in it). I have changed my password. I have tried to contact hotmail on windows help, but no reply. http://windowslivehelp.com/thread.aspx?postid=7B1464C2-0DA5-4A0B-85A3-C6BF19B4DF4A#7B1464C2-0DA5-4A0B-85A3-C6BF19B4DF4A.
    I have used my hotmail account for some time and would hate to give it up and lose touch. Do I have any choice but to close it? I can’t seem to get any help from hotmail / answers on the windows forum.
    Thank you for your good articles and links to more of your articles… I found it good to know that really there isn’t much I can do… but I thought I would ask: Is there any way to report this email to an authority?
    Thanks.
    SPAM email below

    Hi,my friend,
    I find a good website,I would like to introduce it to you It will give you big surprise:excellent products,high quality competitive price.If you are free, please visit it: [link removed] have a nice day! ~–b

    As the article you’re commenting on states, changing your password is not enough. If you can cover everything else outlined, and have attempted to get help at the support forum, then I know of nothing else left for you to do.

    Leo
    26-Mar-2010

  9. Faith

    Thank you so much for this. My gmail account was hacked just this morning, and although I logged the hacker out and changed my password to a much stronger one, I hadn’t thought about any of these other possibilities until I read this article, and I’m so glad I did.

  10. Jennifer Wolford

    I have always added a contact to my e-mail contact lists. I add: aaaaaaaaaaaaa@aa.com
    Since this does not exist, and will be the first email address to be used (alphabetically) anytime mail is sent from me (bulk, all included), I get a notice that it could not be delivered to that account. Since I know I would not have sent to that contact, I know something is wrong.

    The usefulness of that approach (having a bogus address early on in the address book) has been highly overrated. I wouldn’t bother.

    Leo
    07-May-2010

  11. Cassie

    I had to go to the “site permissions” page on my AOL account and found there were three sites I had “given permission” to access my account, I deleted them all and changed password and security question. Hope this does it. I was unaware there was a site permissions page.

  12. HESHAM KHATTAB

    Today someone stole my email and asked all my contact list to send money to me in London. I am at home in Egypt. I have changed my password. Do you need details to follow? Yesterday I received an email from you asking for information and password. Is it from you?? Do you need a copy? Give me your email to send. Hesham Khattab

  13. Christy

    I just read your article and found it incredibly helpful! I changed my password, changed my secret question answer to one that is hopefully hard to guess and checked all of my other information. Thankfully I started this email address when I was 17 and was too busy to add a lot of info on the account page so all it really has is my email address that they already know, my secret question and that I live in the USA. My question is: do you think that since there isn’t really any other information on there and I changed what was on there, should I be safe now or should I do something else? I really hate to have to change my email address, I’ve had it for ten years and everyone knows it :/

  14. Jennifer

    This was helpful and to let everyone know what to do,Thanks,Jennifer B.

  15. dennis isaacs

    I’ve changed my email password and security question answer to something that is not recognizable. I also deleted my alternate email. Ads are still being sent to my contacts. What else can I do?

    Thank you

  16. BatMan

    Quick Side Note: do a Google/Bing/Yahoo Search for your Email Address. If any Results POP up with your address… then it’s guaranteed that SPAMMERS already have your address, and have been causing mischief.

    Okay, Moving on:
    If you are being Blamed for SPAM’ing People who you do NOT know, and by people that you have NEVER emailed before (aka, ‘Strangers’)…. then it’s probably NOT you. Your account was ‘probably’ Never compromised.

    However, If you are being Blamed for SPAM’ing People who you Do know, and by people who you DO email (aka, ‘Your Friends’)… then your account COULD be compromised.
    In fact, if almost Everyone who complains is one of your ‘Friends’; and they ALL say the Spam came from you, then take it as a Higher & Higher probability it’s Your Account that’s the source.

    Most likely, Your Email account Was hacked at some point in the Past, the hacker exported out your entire AddressBook; and has now finally begun Spamming all your addressbook-friends.
    ****
    Important Note: 10 years ago, the spam came directly from your friend’s infected windows pc. once he cleaned the infection, the spamming stopped.
    However, this SPAM 2.0 has a new TWIST: the spam is being delivered via someone’s open-relay-server. removing the infection on your friend’s windows pc will NOT stop the Spam from the Relay server.
    ***

    Let me Over-simplify with this quick analogy:
    It is the equivalent to ‘Me’ Crashing ‘Your’ Wedding, then Copying down All the Names & Addresses of everyone who signed ‘your’ GuestBook, then ‘me’ quietly sneaking out the back door… and then 2 weeks later i start phoning all ‘your’ Guests asking them to buy this magic Viagra medicine… but i pretend to be YOU on the Phone!!!

    if you can Grasp this Analogy… then now you Understand the full problem.

    EVERYBODY who signed the Guestbook loses in this scenario. You ‘could’ Close out your email account and go get a New one (Change the locks on your doors, change your phone#, and/or move to a new House); but the SPAMMER (me) still has the contact info of ALL your Friends… So they are STILL going to get annoying phone calls from Me.
    Thus, no real escape for your friends… Unless they ALL Change their Phone #’s and move to new houses as well (Highly unlikely).

    But even if they Did… as soon as i Crash the Next Wedding… the cycle will Start over again!!

    Best Solution:
    Go get a Drink!

  17. Michael Horowitz

    There is yet another problem.

    A bad guy could set up a forwarding rule such that all your email is forwarded to him. No need for passwords after that. You still get your email and the bad guy never needs to logon to your account again, after the first time.

    Probably a good idea, after a webmail password is stolen, to review ALL the account settings.

    This is one thing, at least, that Hotmail is good at – if a forwarding rule has been set there’s a big notification at the top of your inbox that tells you so. I’m sure that varies from provider to provider. Next time I update this article I’ll include your point – thanks.

    Leo
    20-Dec-2010

  18. Elle

    One little trick I read about: in case you have been compromised, and there is a chance that a key logger has been installed on your computer. Changing your passwords might be pointless since all your key strokes are being watched.

    A temporary way around this is the Ease of Access On Screen Keyboard (don’t know if Macs have this). From what I understand, clicking the keys via your mouse doesn’t get recorded on the key logger.

    I’ve recently changed all my passwords because my social network account was compromised. I changed my security questions and answers to something you wouldn’t know just from looking around my Facebook account.

    I’m probably going to reformat my computer anyway, just to be safe. It’s annoying, sure, but I’d feel better knowing I’ve wiped my computer of anything my Norton probably missed. Good thing I have back ups.

    That approach is not guaranteed to bypass keyloggers. Please read this article: Is there a way to bypass keyloggers?

    Leo
    28-Feb-2011

  19. Ellen

    Your articles were THE best of any I was able to find on the web. Most other sources did not provide enough details on what to look for to understand what the hacker actually did. You laid out the nuances of the way an account can be hacked and the signs to look for to tell what they actually did, like do you have emails sent by the hacker in your sent box or not. Very helpful. THANKS!

  20. Kathleen Simmons

    Will it do any good to change my EMail address
    and password?

    Depends on the situation. No idea since I have no idea what your situation is.

    Leo
    16-Apr-2011

  21. Chris

    So, there’s nothing that can be done if someone has copied all of your email addresses and you have already changed your password and secret answer many times?

  22. Glen

    I am more worried that my friends are getting spam from “me.” If I totally change my email address, delete the old one, will the spam continue?

    It depends on how they’re getting spam “from” you. If your account has been hacked, the only thing to “stop” it is to regain access to the account. Even then the hackers may not stop as they’ll have your friends’ addresses. If the spam is not from your account directly, but simply shows you as a spoofed sender, then there’s nothing you can do.

    Leo
    01-Jul-2011

  23. Rebecca

    My account has been hacked and all of my contacts have been sent a link to a webpage. However, of the things you suggested to look for, nothing appears to have been changed (i.e. mobile number, back up email). I have changed my password and security question but am doubtful of how much this will help, so was wondering if there was anything else you would suggest? My iPhone is also linked to my account so I don’t know if this could be the problem?

    Hackers often don’t change anything so that people aren’t quite as quick to notice that their account has been hacked. You need to change anything and everything that the hacker might use to force a password reset.

    Leo
    05-Aug-2011

  24. Andrew

    I just found out my family account was hacked (the “want more pleasure?” link was sent to some of our contacts.) The thing is….does it for sure mean some person in another place was sitting there, going through our account? it’s our head account, which is connected to your ATT account, which lists our address and phone number. Should I panic?

    Quite possibly yes – someone somewhere was logged into the account going through it. I’m not sure what “connected to your ATT account” might mean, but ultimately you must assume someone was able to login to your account as you.

    Leo
    05-Sep-2011

  25. Reva

    A few months ago my husband had the same problem. We ended up deleting that email and giving him a new one. We had no more problems, until a couple days ago when my att yahoo mail became compromised. I really need to keep this email address. So I am trying to stop this by changing things such as password, a new sign in key, and changing anything in the options on my account that may have allowed this compromise. Then I discovered it would not allow me to access my contacts. I’m still working on that….

  26. Meenakshi Sharma

    Of late my contacts are getting emails from me about weird stuff that I never send them. I have changed my password and all security questions. Is there anything else I need to do? Is my account information safe? Will I have to make a new account?

  27. bess

    How can I change the alternative e-mail, which is not mine? My e-mail has been hacked and there is another alternative e-mail. Please tell me how to change it, because when I want to change it, the e-mail goes to that other alternative e-mail.

  28. Mark J

    @Bess
    If your email has been hacked and the password and alternative email had already been changed, then it may be too late to recover your email account.

  29. Gemma Busto

    thank you very much. i hope it would help me not to be hacked again.

  30. Diane

    someone told me only PCs get hacked. Apples don’t. Is that true?

    Accounts are getting hacked at an alarming rate, and that’s completely independent of what type of computer you use. Macs can get hacked, but it’s much less common.

    Leo
    02-Mar-2012

  31. connie

    @Diane,
    It’s not so much that Apples aren’t hackable, as that there are so many more PCs. So hackers concentrate their energies on the easy pickin’s

  32. Judy

    I’ve changed my password, and there is no additional hacker activity on my account. Now I would like to change the other items – phone no, secret question, etc. However, the alternate email address I gave three years ago is no longer active. Is there a way to get hotmail to let me change the other info?

  33. Suzanne

    I have two hotmail accounts. I can’t sign out of either. It tells me to erase all cookies. I have it set up so I have to sign in each time. Not sure what to do. My address book was hacked and porn emails went out to all my contacts. I did all of the above, but actually there wasn’t much to do. No secret questions or alternate email addresses. I just have this haunting feeling it’s open all the time.

  34. Lew

    My email address started sending out spam today. (The culprits may have waited deliberately till April Fools’ Day for this.) It sent out an email to a number of recipients from my contacts list. I only discovered it by accident because one of these addresses is now defunct. The email bounced back, showing me the list of recipients.

    So here’s an idea TO LET YOU KNOW pretty quickly if your address is sending spam. Enter a dummy fake email into your contacts list. Then it will be sure to bounce back, letting you know within good time of unauthorized activity.

  35. Wesley

    My email has added over 1500 friends in the past week, and an incredible amount of spam has been entering and leaving my account. I’ve followed the necessary steps of changing my password and other important information like it says above, but is there a way to easily delete all the spam and unwanted friends from my email? The spam, I hope now that I have changed my password and such, will stop, but is there a way to just delete all the emails listed as friends? I use hotmail, but it limits me to just deleting 25 per page.

  36. cris32

    Someone used my wife’s email address, her name and telephone number to schedule a medical appointment. Is this an identity theft?

    No idea. You should probably talk to the authorities.

    Leo
    22-May-2012

  37. sympatica

    This is great info. My account has only been hacked by someone entering an event in my calendar and changing the name of a contact –actually my daughter. I have changed my password and security question and worked through other things on this list. How will I know if the hacker still has access?

  38. norman

    I forgot my password and my Yahoo is blocked because one person hacked my account. Please help me.
