I don’t get this question a lot. But I really, really wish I did. What I get instead, repeatedly, is “I’ve been hacked, please recover my account/password for me!” (Which, for the record, I cannot do, no matter how often, or how nicely, or not so nicely, I’m asked.)
The only salvation is in prevention, and this applies to email, social media, and pretty much any password-protected account you might have.
What can you do to make sure your account doesn’t get hacked into in the first place?
1: Select a good password
I’m sure you’d be shocked at how easy many passwords are to guess. Your pet’s name, your pet’s name spelled backwards, your favorite TV character’s catch phrase, your boyfriend or girlfriend’s name (or “ilove” followed by that name), and so on.
If you think people can’t guess it, you are wrong. They can, and will.
“iLoveMikey” is a bad password. “j77AB#qC@^5FT9Da” is a great password. You can see the problem, though: great passwords are hard to remember.
- Avoid full English words or names
- Include a mix of uppercase and lowercase letters and numbers
- Make sure the password is at least 12 characters long, and ideally 16 or longer, if supported
“Macintosh” is bad. “Mac7T0shB00k” (based on the easy-to-remember “Macintosh Book”) might be good. “HondaPrelude” is bad, but “SilbrPre7ood6” (based on “Silver Prelude 6”) might be ok.
Bottom line: pick a random-looking password that YOU can remember, but that THEY would never guess… and assume that THEY are always really great guessers.
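As an added illustration (not code from the original article), here is how a service could enforce the three rules above at sign-up time. The word list is a small constructed stand-in for a real dictionary and name list, and the verdicts match the article's own examples:

```python
# Constructed stand-in for a real dictionary plus common-names list; a production
# check would load a full word list rather than this handful of entries.
COMMON_WORDS = {
    "macintosh", "book", "honda", "prelude", "silver", "love", "mikey",
    "password", "windows", "explorer",
}

MIN_LENGTH = 12          # the article's floor
RECOMMENDED_LENGTH = 16  # the article's "ideally 16 or longer"


def find_dictionary_words(password, words=COMMON_WORDS):
    """Return dictionary words or names (4+ letters) found inside the password,
    case-insensitively, so 'HondaPrelude' is caught but 'Mac7T0shB00k' is not."""
    lowered = password.lower()
    return sorted(w for w in words if len(w) >= 4 and w in lowered)


def check_password(password):
    """Apply the three rules and return a list of problems; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    found = find_dictionary_words(password)
    if found:
        problems.append("contains dictionary words or names: " + ", ".join(found))
    return problems


def rate(password):
    """Collapse the rule check into the article's vocabulary: bad / ok / great."""
    if check_password(password):
        return "bad"
    return "great" if len(password) >= RECOMMENDED_LENGTH else "ok"


if __name__ == "__main__":
    for pw in ["iLoveMikey", "j77AB#qC@^5FT9Da", "Macintosh", "Mac7T0shB00k",
               "HondaPrelude", "SilbrPre7ood6"]:
        print(f"{pw!r}: {rate(pw)} {check_password(pw)}")
```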
For more, see: What’s a good password?
2: Protect your password
A scenario I see much too often starts with “I thought I could trust my boyfriend/girlfriend/husband/wife/co-worker, so I gave them my password. Then we had an argument.”
How much damage can someone do if they’re angry with you, and they have the password to your account? A lot.
It’s very simple: Trust no one. I’m serious about this. Your friends are your friends until one day they’re not. Naturally, there are exceptions, but if there’s the least little bit of doubt, don’t reveal your password. Especially if someone is pressuring you to do so.
For more, see: The Biggest Risk to Your Privacy
3: Set and protect your “secret answer”
It’s fallen out of favor as not being particularly secure, but many systems use a “secret question” and its corresponding answer as the key to password recovery or reset. The problem is, many people choose secret answers that nearly anyone can guess or find out.
However, there’s nothing that says your answer has to correspond to the question. Instead, pick an answer that is unrelated to the question. Perhaps your “City of Birth” should be “Crayola”, “Chardonay”, or “WindowsExplorer”. Perhaps treat secret answers like another password. Make it long, obscure, completely unrelated to the “question”, and impossible for someone else to guess.
As long as you can remember it when needed, it doesn’t matter what it is.
4: Set (and maintain!) an alternate email address
Many services will use an “alternate email address” to mail you a password recovery link if you forget yours. You must set this up before you need it.
First, make sure to configure that option, using an email account on a different system. Create and use a Yahoo account for your Outlook.com alternate email, for example.
Second, don’t lose the alternate account. For many systems, if you can’t access that alternate email account, you cannot get your password back, and you will not be able to recover your primary account. Remember to log in to that alternate account every so often to keep it from being shut down for inactivity.
I’ve seen too many cases where people lose their alternate email address, or let that account lapse, and then find themselves totally out of luck when they find they really need it to recover their primary account.
5: Set (and maintain!) a mobile or other telephone number
This is very similar to an alternate email address, and can often be used in place of one if you’ve configured it beforehand. Once again, you must set this up before you need it.
If you can’t access your account, the service will text you a recovery code. If you don’t text or have a text-capable phone, many will even call you with an automated voice recording of the recovery code. You then enter the code, proving you have access to the phone number that was previously configured as belonging to that account, and regain access.
Keep this number up-to-date! I hear regularly from people who’ve lost access to their accounts permanently because the phone number they originally configured is no longer theirs.
Also, keep in mind that this number must be able to reach you where you are, and may even be triggered as an additional security measure if you travel outside of your normal area. If that’s not possible, then configure some other form of security, such as the alternate email, mentioned above, or other techniques offered by your service provider.
6: Enable two-factor authentication
Two-factor (or “multi-factor”) authentication is the current holy grail when it comes to account security. With two-factor properly enabled, hackers cannot get into your account even if they know the password.
The second factor that proves you are who you say you are is typically either:
- A mobile app that provides a unique and random number on demand, which you must provide when you log in
- A text message sent to a phone number you configure when you set up the account, which you then also enter at login
Once logged in, you can disable this requirement on machines you use frequently. Since hackers will not have previously logged in, they’ll not be able to disable the requirement, and they’ll not be able to provide the second factor. Hence, they can’t get in.
For more, see: Two-Factor Authentication Keeps the Hackers Out.
7: Other provider-specific techniques
Some providers have established additional recovery techniques. For example:
- Facebook: you can configure trusted friends within Facebook who can authoritatively vouch for you should you lose access to your account.
- Microsoft account: you can create a recovery code that you save somewhere safe and use to recover your account.
Look for options like these, or others, within the services you use regularly.
And remember, they all require that they be set up before you need them.
8: Use a different password on every site
I’ve written about this extensively: it’s important to use different passwords on each of your important sites.
The reason is very simple: if a hacker manages to discover your password on one account, they will go try your username and password, or email and password, on a multitude of other services. If you used the same password on another service they happen to try, that account will quickly be hacked as well.
Password safes like LastPass, Roboform, and others are excellent ways to maintain multiple, complex passwords for multiple sites without needing to remember them yourself.
9: Don’t forget your password
I realize that “hard to guess” is at odds with “easy to remember”, but both are absolutely critical.
If you forget your password, or you forget the answer to your secret question, or lose access to your alternate email account, or somehow lose the ability to use any of the password recovery mechanisms provided by the service, well, to put it bluntly, you are SOL: severely out of luck.
Don’t forget your own password. Don’t forget the answer to your own secret question(s). If you must write your information down, keep it in a secure place. A sticky note on your monitor, under your mouse pad, or in some other easy-to-get-to place is not secure. Your wallet might be secure. A locked cabinet or safe might be secure. A properly encrypted file on your computer might be secure.
I recommend a password manager like LastPass (or many others) to do the remembering for you.
For more, see: Are Password Managers Safe?
10: Don’t fall for phishing schemes
You should never have to email anyone your password.
There are some very common phishing attempts that threaten you with account closure unless you respond to the email with information about your account (information like your log-in name and password). Those emails are bogus. Mark them as spam and ignore them. Any email that requires you to respond with any information that includes your password is almost certainly a phishing scam.
Similarly, many phishing scams attempt to get you to click on a link to do something important relating to your account. Instead of taking you to the service, they take you to a fake page that looks like the service, but instead is a page designed to capture your username and password when you try to log in. If you have any doubt, don’t click the link in email, but instead go to the service in question yourself, using your web browser. If there’s something important, it’ll almost certainly be presented there.
For more, see: Phishing: How to Know it When You See It.
11: Remember that there is little to no support
The vast majority of the account hacks I hear of — the hacks where people are ultimately unable to recover their accounts — involve free services with little to no support.
There may be a knowledge base, or a peer-to-peer support forum, but there is rarely someone to email and almost never someone to call.
You are responsible for your own account security.
It’s often true, and certainly safest to assume, that no one will help you should something go wrong. That means it’s up to you to take the preventative measures I’ve outlined, as well as keeping your information up to date as things change.
For more, see: Are Free Email Services Worth It?
12: Learn from your mistakes
Finally, if you realize that:
- The answers to your secret questions are obvious, or
- You no longer have access to your alternate email address or never set one up, or
- You no longer have access to your old mobile number or never set one up, or
- Your passwords are short and just plain lame, and you use the same one everywhere …
Fix it! NOW! Before it’s too late.
Trust me: if you get hacked and it’s for one of those reasons, or you lose access to your hacked account because you never bothered to prepare, you’ll kick yourself.
And you may very well lose access to that account, and all its data, forever.
For more, see: A One Step Way to Lose Your Account … Forever.