10 steps to keep from getting your account hacked

Judging from the questions I receive, hacking accounts seems like a common occurrence. Here are the steps you need to take to prevent losing your account - forever - to a hacker.

My account has been hacked into several times. If I’m able to recover it, it just gets hacked again. Sometimes I can’t recover it, and I have to start all over with a new account. What can I do to stop this all from happening?

I don’t get this question a lot, but I really, really wish I did. What I get over and over and over again is the related “I’ve been hacked, please recover my account/password for me!” (Which, for the record, I cannot do, no matter how often or how nicely I’m asked.)

The only salvation is in prevention, and this applies to email, social media, and pretty much any password-protected account you might have.

So what can you do to make sure your account doesn’t get hacked into in the first place?

1: Select a good password

I’m sure you’d be shocked at how easy many passwords are to guess. Your pet’s name, your pet’s name spelled backwards, your favorite TV character’s catch phrase, your boyfriend or girlfriend’s name (or “ilove” followed by that name), and so on.

If you think people can’t guess it, you are wrong. They can, and will.

“iLoveMikey” is a bad password. “j77AB#qC@^5FT9Da” is a great password. You can see the problem though – great passwords are hard to remember.

So compromise: never include full English words or names; always include a mix of uppercase and lowercase letters and numbers; always make sure that the password is at least 10 or 12 characters long.

“Macintosh” is bad, “Mac7T0sh” might be good, and probably easier to remember. “HondaPrelude” is bad, but “Pre7ood6” might be ok.

Bottom line: pick a random looking password that YOU can remember, but that THEY would never guess – and assume that THEY are always really great guessers.
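The compromise rules above (no full words or names, mixed case plus numbers, at least 10 characters) can be checked mechanically. The following is an added example, not part of the original article; the word list and the look-alike substitution table are small constructed stand-ins for a real dictionary.

```python
import re

# Constructed demo word list. A real check would load a full dictionary plus
# names, pet names and known-breached passwords.
WORDS = {"love", "mikey", "macintosh", "honda", "prelude", "password"}

# Look-alike substitutions undone before the word check (assumed mapping):
# 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s
LOOKALIKES = str.maketrans("013457@$", "oleastas")

MIN_LENGTH = 10  # the article's lower bound ("at least 10 or 12 characters")


def find_words(password, words=WORDS):
    """Return listed words hidden in the password: any case, written
    backwards, or disguised with look-alike digits and symbols."""
    lowered = password.lower()
    variants = {lowered, lowered.translate(LOOKALIKES)}
    variants |= {v[::-1] for v in variants}  # "pet's name spelled backwards"
    return sorted(w for w in words if any(w in v for v in variants))


def check_password(password):
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in (("lowercase letter", r"[a-z]"),
                           ("uppercase letter", r"[A-Z]"),
                           ("number", r"[0-9]")):
        if not re.search(pattern, password):
            problems.append(f"no {label}")
    found = find_words(password)
    if found:
        problems.append("contains word or name: " + ", ".join(found))
    return problems


if __name__ == "__main__":
    # The passwords quoted in this step of the article.
    for pw in ("iLoveMikey", "j77AB#qC@^5FT9Da", "Macintosh",
               "Mac7T0sh", "HondaPrelude", "Pre7ood6"):
        print(f"{pw:18} {check_password(pw) or 'passes'}")
```

Run against the passwords quoted above, “Mac7T0sh” and “Pre7ood6” clear the word and character-mix checks but, at 8 characters, fall short of the 10-character minimum.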

2: Protect your password

A scenario I see much too often starts with “I thought I could trust my boyfriend / girlfriend / husband / wife / co-worker so I shared my password. Then we had an argument.”

How much damage can someone do if they’re angry with you, and they have the password to your account? A lot.

It’s very simple: Trust no one. I’m serious on this. Your friends are your friends until one day they’re not. Naturally there are exceptions, but if there’s the least little bit of doubt, don’t reveal your password. Especially if someone is pressuring you to do so.

3: Set and protect your “secret answer”

Many systems use a “secret question” and its corresponding answer as the key to password recovery or reset. The problem is that many people choose secret answers that nearly anyone can guess.[1] Do people know where you were born? Then they know the answer to that secret question. Do people know what your pet’s name is? Then “favorite pet’s name” is probably a bad secret question for you.

And yet people do exactly that. If your account is repeatedly hacked after you recover the password, I’d guess that your “secret question” isn’t that secret after all.

A great approach to this is to realize that there’s nothing that says your answer actually has to correspond to the question, or to anything else in your life. So, pick an unrelated answer that has nothing to do with you. Perhaps your “City of Birth” should be “Crayola”, “Chardonay” or “WindowsExplorer”. As long as you can remember it, it doesn’t matter what it is.

An even better approach is to treat it like just another password – a password to your password, for example. Make it long, and obscure, completely unrelated to the “question”, and impossible for someone else to guess.

4: Set (and maintain!) an alternate email address

Many services will use an “alternate email address” to mail you a password recovery link if you forget yours.

First, make sure to set that option up, and set it up using an email account on a different system. Create and use a Yahoo account for your Hotmail alternate email, for example.

And second: don’t lose the alternate account. For many systems, if you can’t access that alternate email account, you cannot get your password back, and you will not be able to recover your primary account.

I’ve seen too many cases where people lose their alternate email address or let that account lapse, only to be totally out of luck when they find they really really need it to recover their primary account.

5: Set (and maintain!) additional security measures offered

Many services now offer additional security measures such as:

  • Two-factor authentication – requiring that you prove you have your phone by entering a code texted to you, or a number generated by an authenticator app.
  • Mobile phone account recovery – similar to using an alternate email address, if you ever do lose your password you can authenticate your recovery attempt by responding to or entering a code sent to your phone.
  • Trusted friends and family – Facebook in particular allows you to designate other Facebook accounts as “trusted contacts” that can be used to validate that you are you and that you should be allowed access to your account.

In almost all cases these measures need to be set up before you need them, so set them up now, while you’re thinking of it. And remember to change them when, say, your mobile number changes, or your friends change.

6: Use a different password on every site

I’ve written about this extensively: it’s important to use different passwords on each of your important sites.

The reason is very simple: if a hacker manages to discover your password on one account they very often will go try your username and password, or email and password, on a multitude of other services. If you used the same password on another service that they happen to try, then that account will quickly be hacked as well.

Password safes like LastPass, Roboform and others are excellent ways to maintain multiple, complex passwords for multiple sites without needing to remember each and every one yourself.

Speaking of your memory….

7: Remember

I realize that “hard to guess” is at odds with “easy to remember”, but both are absolutely critical.

If you forget your password, and you forget the answer to your secret question or lose access to your alternate email account or somehow lose the ability to use any of the password recovery mechanisms provided by the service … well, to put it bluntly, you are severely out of luck.

Don’t forget your own password. Don’t forget the answer to your own secret question(s). If you must write your information down, keep it in a secure place. A sticky note on your monitor, under your mouse pad, or in some other easy-to-get-to place is not secure. Your wallet might be secure. A locked cabinet or safe might be secure. A properly encrypted file on your computer might be secure.

And once again, a password safe can be used to do the remembering for you.

8: Don’t fall for phishing schemes


Phishing is the attempt to represent one’s self – typically via email – as someone or some organization that you are not for the purposes of maliciously acquiring sensitive information. The most common examples are

You should never have to email anyone your password.


There are some very common phishing attempts that will threaten you with account closure unless you respond to the email with information about your account. Information like your login name and password.

Those emails are bogus. Mark them as spam and ignore them.

Any email that requires you to respond with any information that includes your password is almost certainly a phishing scam.

9: Remember that there is little to no support

The vast majority of the account hacks that I hear of – the hacks where people are ultimately unable to recover their accounts – involve free services with little to no support.

There may be a knowledge base, or a peer-to-peer support forum, but there is rarely someone to email and almost never someone to call.

You are responsible for your own account security. It’s often true, and certainly safest to assume, that no one will help you should something go wrong.

That means it’s up to you to take the preventative measures I’ve outlined, as well as keeping your information up to date as things change.

10: Learn from your mistakes

Finally, if looking at this list you realize that:

  • the answers to your secret questions are obvious, or
  • you no longer have access to your alternate email address, or never set one up, or
  • you no longer have access to your old mobile number, or never set one up, or
  • your passwords are short and just plain lame and you use the same one everywhere as well

Then fix it! NOW! Before it’s too late.

Trust me, if you get hacked and it’s for one of those reasons, or you lose access to your hacked account because you never bothered to prepare, you’ll kick yourself.

And you may very well lose access to that account forever.

This is an update to an article originally posted: May 2, 2006
Footnotes and references

1: I’m fairly convinced many services are moving away from this as a security measure simply because so many people gave such obvious and easily-hackable answers.


  1. cliff

    Whenever possible, I avoid sites that require me to create a username and passer. When I absolutely must, the info is always phony and the passer is always the same (******** if it will work; the same muddled phrase I’ve been using for over 12 years, if not). d;^)

    But never (EVER) is that “something else” passer one that I use for anything even remotely important (eMail client; MP3 account; anything involving my credit card or *real* personal info (Social Security Number; correct mailing address)).

    Finally, I got the pay-for-it Yahoo eMail solely because it allows you to create any number of specialized spoof eMail addys good for sending and receiving. You choose one word or phrase that begins all addys (eg, PsychedelicRutabaga) which is followed by a hyphen and then any phrase that identifies the account (eg, PsychedelicRutabaga-AskLeo@Yahoo.com). The New York Times, for example, might then be PsychedelicRutabaga-NYTimes@Yahoo.com.

    Take care!


  2. Gordon

    One other thing not mentioned here: If your account repeatedly is getting hacked, you may have malware on your system. Virus or other malware can capture your keyboard strokes, allowing the hacker to easily obtain any new password you create.

    • Connie Delaney

      That is funny – “Through 20 years of effort we have successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.”

  3. Glen

    To add to #2, only someone you trust can betray you.
    And #5, backup that requires listening on a phone is no help for deaf people. But it seems no one can think of another way.
    That’s why I quit Outlook. They kept blocking my account and I couldn’t get it unblocked without an automated call.
    And yes, I am that alone that there’s nobody to answer the phone for me.
    And the 3rd one in #5, again, only someone you trust can betray you.

  4. Bud

    I’m quite against just how many sites insist upon establishing an account. I know very well it’s those who seem to pass the address onto a saleable list. The next thing I notice is quite a bit of E Mail generated to include the info I gave. Worse yet, these bastards just love to put your actual legal name in the address or subject within their spam message. If they have a “contact” e mail, I let them know I don’t want to establish an account period and if they don’t like it, shove it.

  5. Ron Davis

    Most important of all is to use a password manager. For passwords that you enter from memory (e.g. logging in to your own computer), make it up as described above and use the manager for storage. For passwords that are used over the Internet or other network, have the password manager generate completely-gibberish random passwords, and copy-and-paste them. Password Safe will generate passwords consistently with the various limitations that various sites impose, is available for Windows and Android, and can use the same data file, or a copy thereof, under either system, for easy updating if you use both. Under Windows, it supplies each username or password with a single click. Under Android, it has a convenient “input method”.

  6. Marcus Potter

    Sounds obvious but don’t be so stupid as to actually use the “secret” answers on this site. If you do, remember that if you can read this page so will hackers! It’ll be their Mecca for guesswork of these!

  7. Denise

    I think that taking a screen capture of my list of emails and pws and then uploading that “image” to box.net or some other site or even emailing it to myself might be safe as a back up location. What do you say, Leo?

  8. Mary

    I need help. My Facebook account suddenly logged out in my cellphone Android browser. I asked my friend to search my name in their Facebook but they can’t find it. They even told me our personal messages can’t be accessed. And they can’t even search my Facebook name in Google. As I remember, I am not sure if I logged out of my FB account in a computer cafe that I rented on that day.
    When I try to log in, I can’t log in anymore and it says incorrect. So I clicked “forgot password” and followed the steps. But since my Internet is kinda slow, I guess I asked to reset my password 3 times. The last attempt was successful. When I tried to log in on my phone, I was asked to do the login through a computer and I did so.
    Using the computer, when I log in to Facebook using my new password, it brings up a message box telling me “Convert my profile to a page”?
    Why did it become like that? And there’s nothing like yes or no to choose from, but I must follow the steps. I don’t want to proceed as I am afraid to lose all my contacts and content.

    I don’t understand what happened to my Facebook account. Your help is appreciated. Thank you.


  9. wschloss

    Hi, do you know if most sites store alternative email addresses, and secret question answers, hashed, similar to passwords?

    • Connie

      There would be no way to know. The thing is that every site can be programmed independently. The only way to tell is to explore each site independently, and even contact them and find out how their particular site works.

    • Typically they do not for email addresses at least. Secret answers – also probably not. Unlike passwords, most answers are not case sensitive, and that breaks the ability to use a hash.

      • wschloss

        Hmm, so they are either plain text or something else fairly easy to obtain? Isn’t the logical conclusion then, that even completely random, complex, very long, unique passwords, can easily be confounded, and that even dual factor authentication is ultimately weak if it depends, for instance, on a phone number easily obtained if it is stored, hashed or not, since mostly we know it must be 10 digits, 0-9? It seems foolish to assume phone calls can’t be intercepted relatively inexpensively, but especially by actors like the NSA or China. Suddenly that guy burying his money in the back woods doesn’t seem so crazy.

        • Shanker

          Hi Wschloss,
          What you ask for doesn’t exist even if you’re prepared to pay a heavy price for it. No system is absolute, and expecting it from a free service is unfair. All security measures help to protect you from opportunity thieves (the ordinary folks) and not so talented thieves only. Any talented crook might get through a good security. You’re talking about NSA & Chinese Authorities. The question is whether ‘you & I’ are worthy of their efforts?

  10. lochan orasd

    Dear sir, my FB account hacked and hacker wrong use my account, please help me. My aco.{number removed}
    Pwd {password removed}
