
12 Steps to Keep from Getting Your Account Hacked

My account has been hacked into several times. If I’m able to recover it, it just gets hacked again. Sometimes I can’t recover it, and I have to start all over with a new account. What can I do to stop this all from happening?

I don’t get this question a lot. But I really, really wish I did. What I get instead, repeatedly, is “I’ve been hacked, please recover my account/password for me!” (Which, for the record, I cannot do, no matter how often, or how nicely, or not so nicely, I’m asked.)

The only salvation is in prevention, and this applies to email, social media, and pretty much any password-protected account you might have.

What can you do to make sure your account doesn’t get hacked in the first place?


1: Select a good password

You’d be shocked at how easy many passwords are to guess. Your pet’s name, your pet’s name spelled backwards, your favorite TV character’s catch phrase, your boyfriend or girlfriend’s name (or “ilove” followed by that name), and so on.

If you think people can’t guess it, you are wrong. They can and will.

“iLoveMikey” is a bad password. “j77AB#qC@^5FT9Da” is a great password. You can see the problem, though: great passwords are hard to remember.

So compromise.

  • Avoid single or pairs of full English words or names, unless you make a longer passphrase of at least three and preferably four or more words.
  • Include a mix of uppercase and lowercase letters and numbers
  • Make sure the password is at least 12 characters long, and ideally 16 or longer, if supported

“Macintosh” is bad. “Mac7T0shB00k” (based on the easy-to-remember “Macintosh Book”) might be good. “HondaPrelude” is bad, but “SilbrPre7ood6” (based on “Silver Prelude 6”) might be ok. Keep in mind, though, that swapping 0 for o or 7 for t is exactly the kind of substitution that password-cracking tools try automatically, so length does far more for you than clever spelling: a passphrase of four unrelated words is both easier to remember and harder to crack than a single word dressed up with digits.

Bottom line: pick a random-looking password YOU can remember, but THEY would never guess… and assume that THEY are always really great guessers.

For more, see: What’s a Good Password?

2: Protect your password

A scenario I see much too often starts with “I thought I could trust my boyfriend/girlfriend/husband/wife/co-worker, so I gave them my password. Then we had an argument.”

How much damage can someone do if they’re angry with you and they have the password to your account? A lot.

It’s very simple: Trust no one. I’m serious on this. Your friends are your friends, until one day they’re not. Naturally, there are exceptions, but if there’s the least little bit of doubt, don’t reveal your password. Especially if someone is pressuring you to do so.

For more, see: The Biggest Risk to Your Privacy

3: Set and protect your “secret answer”

It’s fallen out of favor as not being particularly secure, but many systems use a “secret question” and its corresponding answer as the key to password recovery or reset. The problem is, many people choose secret answers that nearly anyone can guess or find out.

However, there’s nothing that says your answer has to correspond to the question. Instead, pick an answer that is unrelated to the question. Perhaps your “City of Birth” should be “Crayola”, “Chardonay”, or “WindowsExplorer”. Treat secret answers like another password. Make it long, obscure, completely unrelated to the “question”, and impossible for someone else to guess.

As long as you can remember it when needed, it doesn’t matter what it is.

For more, see: Password Recovery Questions: How Do They Work and Can I Make Up My Own?
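
The two points above (step 1, a password that is random-looking but long, and step 3, a recovery “answer” that is simply another random secret) come down to the same thing: let a proper random number generator pick the secret, then store it somewhere safe. The following is an added example, not code from this article; it uses Python's `secrets` module (the right source for passwords, unlike `random`), a constructed 32-word list so that it runs offline, and an assumed offline guessing rate of ten billion per second to put the entropy figures in perspective.

```python
import math
import secrets
import string

# Constructed 32-word list so the example runs offline. A real passphrase should be
# drawn from a list of several thousand words (the EFF long list has 7776).
WORDS = [
    "anchor", "basket", "candle", "dolphin", "engine", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "tunnel", "umpire", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "bridge", "copper", "desert", "ember", "forest", "glacier",
]

ANSWER_ALPHABET = string.ascii_letters + string.digits


def passphrase(words=WORDS, count=4, sep="-"):
    """Pick `count` words uniformly at random from the CSPRNG (never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def secret_answer(length=16, alphabet=ANSWER_ALPHABET):
    """A random string to use as the 'answer' to a recovery question.

    It is unrelated to the question by construction; keep it in the password manager
    alongside the password, since it is effectively a second password."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, count):
    """Bits of entropy when each of `count` symbols is drawn uniformly from `choices`."""
    return count * math.log2(choices)


def expected_crack_seconds(bits, guesses_per_second):
    """Average time to hit a uniformly random secret: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    print("passphrase:", passphrase())
    print("recovery answer:", secret_answer())
    # 1e10 guesses/s is an assumed offline rate against a fast hash; a rate-limited
    # online login form is a far slower attacker, which is why even modest secrets
    # hold up there while short ones fall quickly once a password database leaks.
    for label, bits in [
        ("4 words from a 7776-word list", entropy_bits(7776, 4)),
        ("8 lowercase letters", entropy_bits(26, 8)),
        ("16 mixed letters and digits", entropy_bits(len(ANSWER_ALPHABET), 16)),
    ]:
        days = expected_crack_seconds(bits, 1e10) / 86400
        print(f"{label}: {bits:.1f} bits, about {days:.1f} days to crack offline")
```

The entropy figure is what “hard to guess” actually measures: four words from a 7776-word list give about 52 bits, eight lowercase letters only 38, and the difference is a factor of sixteen thousand in the attacker's work.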

4: Set (and maintain!) an alternate email address

Many services use an “alternate email address” to mail you a password recovery link if you forget yours. You must set this up before you need it.

First, make sure to configure that option, using an email account on a different system. Create and use a Yahoo account for your Outlook.com alternate email, for example. Protect that alternate account as carefully as the primary one, with its own strong, different password and two-factor authentication where available: anyone who gets into it can request a password reset for your primary account.

Second: don’t lose the alternate account. For many systems, if you can’t access that alternate email account, you cannot get your password back, and you will not be able to recover your primary account. Remember to log in to that alternate account every so often to keep it from being shut down for inactivity.

I’ve seen too many cases where people lose their alternate email address, or let the account lapse, and then find themselves totally out of luck when they find they really need it to recover their primary account.

For more, see: How Do I Get into My Hotmail/Outlook.com Account if I Don’t Have the Recovery Phone or Email any More?

5: Set (and maintain!) a mobile or other telephone number

This is very similar to an alternate email address, and can often be used in place of one if you’ve configured it beforehand. Once again, you must set this up before you need it.1

If you can’t access your account, the service will text you a recovery code. If you don’t text or have a text-capable phone, many can call you with an automated voice recording of the recovery code. You then enter the code, proving you have access to the phone number that was previously configured as belonging to that account, and regain access.

Keep this number up-to-date! I regularly hear from people who’ve lost access to their accounts permanently because the phone number they originally configured is no longer theirs.

Also, keep in mind that this number must be able to reach you where you are, and may even be triggered as an additional security measure if you travel outside of your normal area. If that’s not possible, then configure some other form of security, such as the alternate email mentioned above, or other techniques offered by your service provider.

For more, see: How Do I Get into My Hotmail/Outlook.com Account if I Don’t Have the Recovery Phone or Email any More?

6: Enable two-factor authentication

Two-factor (or “multi-factor”) authentication is the most effective single protection available for account security. With a second factor properly enabled, someone who knows your password still can’t log in, because the password alone is no longer enough.

The second factor that proves you are who you say you are is typically either:

  • A mobile authenticator app that shows a six-digit code which changes every 30 seconds. The code is computed from a secret the service shared with the app when you set it up, so only that app (and the service) can produce it, and you type it in when you log in.
  • A text message containing a code, sent to a phone number you configured when you set up the account, which you then also enter at login. The app is the better choice where it is offered: a text message can be read by anyone who manages to take over your phone number.

Once logged in, you can usually tell the service to remember a machine you use frequently so it doesn’t ask for the second factor every time; don’t do that on a computer you don’t control. Since the hackers have never logged in from their machine, it won’t be remembered, and without the second factor they can’t get in. One caveat: a code typed into a fake login page (see step 10) can be relayed to the real site within its 30-second lifetime, so two-factor greatly reduces the damage from phishing but doesn’t eliminate it.

For more, see: Two-Factor Authentication Keeps the Hackers Out.

7: Other provider-specific techniques

Some providers have established additional recovery techniques. For example:

  • Facebook: you can configure trusted friends within Facebook who can authoritatively vouch for you should you lose access to your account.
  • Microsoft account: you can create a recovery code that you save somewhere safe and use to recover your account.

Look for options like these, or others, within the services you use regularly.

And remember, you must set all of these up before you need them.

For more, see: Recover Your Microsoft Account Later by Setting Up a Recovery Code NOW, and How Do I Recover My Hacked Facebook Account?

8: Use a different password on every site

I’ve written about this extensively: it’s important to use different passwords on each of your important sites.

The reason is simple: if a hacker manages to discover your password on one account, they will go try your username and password, or email and password, on a multitude of other services. This is called credential stuffing, and it is fully automated: lists of email/password pairs from one breach are replayed against banks, email providers, and shops by the million. If you used the same password on another service they happen to try, that account will quickly be hacked as well.

Password safes like LastPass, RoboForm, and others are excellent ways to maintain multiple, complex passwords for multiple sites without needing to remember them yourself.

For more, see: Why Is It Important to Have Different Passwords on Different Accounts?
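
The following added example (not code from this article or from any password manager) plays out the scenario above with constructed data: a hobby forum leaks its users’ passwords, and the attacker replays every email/password pair against a bank that was never breached. The bank stores salted PBKDF2 hashes, which is the assumed good practice, and it makes no difference: the reused password logs in. The last function is the check a password manager’s “audit” feature performs on your own vault, grouping sites that share a password.

```python
import hashlib
import hmac
import secrets

# Slow, salted hashing is what a site should do with its own password store. It only slows
# the attacker down on the site that was breached; once the plaintext is recovered (or was
# never hashed at all), the attacker simply tries it everywhere else.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = None) -> tuple:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def build_user_store(users: dict) -> dict:
    """users: {email: plaintext password} -> {email: (salt, digest)}"""
    return {email: hash_password(pw) for email, pw in users.items()}


def credential_stuffing(leaked: list, target_store: dict) -> list:
    """What the attacker does: replay every (email, password) pair from one breach
    against another service and keep the ones that log in."""
    hits = []
    for email, password in leaked:
        record = target_store.get(email)
        if record and check_password(password, *record):
            hits.append(email)
    return hits


def reused_passwords(vault: list) -> list:
    """What a password manager's audit does: group the user's own sites by identical password."""
    sites_by_password = {}
    for site, password in vault:
        sites_by_password.setdefault(password, []).append(site)
    return [sites for sites in sites_by_password.values() if len(sites) > 1]


# Constructed data: a hobby forum that got breached and a bank that did not.
FORUM_USERS = {
    "alice@example.com": "Mac7T0shB00k",
    "bob@example.com": "HondaPrelude",
    "carol@example.com": "iLoveMikey",
}
BANK_USERS = {
    "alice@example.com": "Mac7T0shB00k",       # same password as on the forum
    "bob@example.com": "j77AB#qC@^5FT9Da",     # unique password: the forum leak is useless here
    "dave@example.com": "SilbrPre7ood6",
}


def run_demo() -> list:
    bank = build_user_store(BANK_USERS)
    leaked_from_forum = list(FORUM_USERS.items())   # cracked or stored in plaintext; either way the attacker has it
    return credential_stuffing(leaked_from_forum, bank)


if __name__ == "__main__":
    print("bank accounts taken over with forum passwords:", run_demo())
    alice_vault = [("forum", "Mac7T0shB00k"), ("bank", "Mac7T0shB00k"), ("mail", "j77AB#qC@^5FT9Da")]
    print("Alice reuses one password on:", reused_passwords(alice_vault))
```

Only Alice loses her bank account, and only because the same password appears in both places; nothing the bank did or could have done with its hashing changes that outcome.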

9: Remember

I realize that “hard to guess” is at odds with “easy to remember”, but both are absolutely critical.

If you forget your password, or you forget the answer to your secret question, or lose access to your alternate email account, or somehow lose the ability to use any of the password recovery mechanisms provided by the service, well, to put it bluntly, you are SOL: severely out of luck.

Don’t forget your own password. Don’t forget the answer to your own secret question(s). If you must write your information down, keep it in a secure place. A sticky note on your monitor under your mouse pad or other easy-to-get-to place is not secure. Your wallet might be secure. A locked cabinet or safe might be secure. A properly encrypted file on your computer might be secure.

I recommend a password manager like LastPass (or many others) to do the remembering for you.

For more, see: Are Password Managers Safe?

10: Don’t fall for phishing schemes

You should never have to email anyone your password.

EVER.

There are some very common phishing attempts that threaten you with account closure unless you respond to the email with information about your account (like your log-in name and password). Those emails are bogus. Mark them as spam and ignore them. Any email that requires you to respond with any information that includes your password is almost certainly a phishing scam.

Similarly, many phishing scams attempt to get you to click on a link to do something important relating to your account. Instead of taking you to the service, they take you to a fake page that looks like the service, but instead is a page designed to capture your username and password when you try to log in. If you have any doubt, don’t click the link in email. Instead, go to the service in question yourself, using your web browser. If there’s something important, it’ll almost certainly be presented there.

For more, see: Phishing: How to Know it When You See It.
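
The “fake page that looks like the service” in a phishing mail is reached through a link whose real destination differs from what it appears to be. As an added example (not code from this article), here is the check a mail client or a careful reader performs: does the link actually lead to the service’s own domain, and does the visible text of the link agree with its real target? The link samples are constructed for the example, and `paypal.com` is used only as a stand-in for whatever service the mail claims to be from.

```python
from urllib.parse import urlparse


def link_points_at(href: str, legit_domain: str) -> bool:
    """True only if href really leads to legit_domain or one of its subdomains."""
    try:
        parts = urlparse(href.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False                    # javascript:, data:, mailto: are never a login page
    host = parts.hostname               # lowercased; drops any user:pass@ prefix and :port
    if not host:
        return False
    try:
        host = host.encode("idna").decode("ascii").rstrip(".")
    except UnicodeError:
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False                    # non-ASCII label: may be a look-alike of a familiar name
    legit = legit_domain.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def displayed_url_mismatch(link_text: str, href: str) -> bool:
    """True when the visible link text is itself a URL whose host differs from the real target."""
    shown = urlparse(link_text.strip())
    if shown.scheme.lower() not in ("http", "https") or not shown.hostname:
        return False                    # text like "Click here" claims nothing about a host
    real = urlparse(href.strip())
    return shown.hostname != real.hostname


if __name__ == "__main__":
    # Constructed links of the kinds seen in phishing mail, checked against the real domain.
    samples = [
        "https://www.paypal.com/signin",                       # genuine subdomain
        "https://paypal.com.account-verify.example/login",     # real name buried in a fake domain
        "http://paypal.com@evil.example/",                     # real name is just the userinfo part
        "https://secure-paypal.com/",                          # similar-looking but unrelated domain
        "https://p\u0430ypal.com/",                            # second letter is Cyrillic а
    ]
    for href in samples:
        print(link_points_at(href, "paypal.com"), href)
    print(displayed_url_mismatch("https://www.paypal.com/account", "https://evil.example/account"))
```

Every trick in the sample list relies on the reader looking at the wrong part of the address; parsing out the hostname and comparing it label by label against the domain you expect is what the “go to the service yourself” advice achieves by hand.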

11: Remember that there is little to no support

The vast majority of the account hacks I hear of — the hacks where people are ultimately unable to recover their accounts — involve free services with little to no support.

There may be a knowledge base, or a peer-to-peer support forum, but there is rarely someone to email and almost never someone to call.

You are responsible for your own account security.

It’s often true, and certainly safest to assume, that no one will help you should something go wrong. That means it’s up to you to take the preventative measures I’ve outlined, as well as keeping your information up to date as things change.

For more, see: Are Free Email Services Worth It?

12: Learn from your mistakes

Finally, if you realize that:

  • The answers to your secret questions are obvious, or
  • You no longer have access to your alternate email address or never set one up, or
  • You no longer have access to your old mobile number or never set one up, or
  • Your passwords are short and just plain lame, and you use the same one everywhere …

Fix it! NOW! Before it’s too late.

Trust me: if you get hacked and it’s for one of those reasons, or you lose access to your hacked account because you never bothered to prepare, you’ll kick yourself.

And you may very well lose access to that account, and all its data, forever.

For more, see: A One Step Way to Lose Your Account … Forever.


Footnotes & references

1: I often hear from folks who are concerned that providing a phone number is really just another way to track you. I don’t buy into that conspiracy theory. Providing a phone number is all about being able to prove you are the rightful account owner should you ever lose access to the account.

42 comments on “12 Steps to Keep from Getting Your Account Hacked”

  1. Whenever possible, I avoid sites that require me to create a username and passer. When I absolutely must, the info is always phony and the passer is always the same (******** if it will work; the same muddled phrase I’ve been using for over 12 years, if not). d;^)

    But never (EVER) is that “something else” passer one that I use for anything even remotely important (eMail client; MP3 account; anything involving my credit card or *real* personal info (Social Security Number; correct mailing address)).

    Finally, I got the pay-for-it Yahoo eMail solely because it allows you to create any number of specialized spoof eMail addys good for sending and receiving. You choose one word or phrase that begins all addys (eg, PsychedelicRutabaga) which is followed by a hyphen and then any phrase that identifies the account (eg, PsychedelicRutabaga-AskLeo@Yahoo.com). The New York Times, for example, might then be PsychedelicRutabaga-NYTimes@Yahoo.com.

    Take care!

    -c

  2. One other thing not mentioned here: If your account repeatedly is getting hacked, you may have malware on your system. Virus or other malware can capture your keyboard strokes, allowing the hacker to easily obtain any new password you create.

    • That is funny – “Through 20 years of effort we have successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.”

  3. To add to #2, only someone you trust can betray you.
    And #5, a backup that requires listening on a phone is no help for deaf people. But it seems no one can think of another way.
    That’s why I quit Outlook. They kept blocking my account and I couldn’t get it unblocked without an automated call.
    And yes, I am that alone that there’s nobody to answer the phone for me.
    And the 3rd one in #5, again, only someone you trust can betray you.
  4. I’m quite against just how many sites insist upon establishing an account. I know very well it’s those who seem to pass the address onto a saleable list. The next thing I notice is quite a bit of email generated to include the info I gave. Worse yet, these bastards just love to put your actual legal name in the address or subject within their spam message. If they have a “contact” email, I let them know I don’t want to establish an account period and if they don’t like it, shove it.
  5. Most important of all is to use a password manager. For passwords that you enter from memory (e.g. logging in to your own computer), make it up as described above and use the manager for storage. For passwords that are used over the Internet or other network, have the password manager generate completely-gibberish random passwords, and copy-and-paste them. Password Safe will generate passwords consistently with the various limitations that various sites impose, is available for Windows and Android, and can use the same data file, or a copy thereof, under either system, for easy updating if you use both. Under Windows, it supplies each username or password with a single click. Under Android, it has a convenient “input method”.

  6. Sounds obvious but don’t be so stupid as to actually use the “secret” answers on this site. If you do, remember that if you can read this page so will hackers! It’ll be their Mecca for guesswork of these!

    • I don’t use it, but…
      If the file is stored on your computer, then, it’s only as safe as your computer is safe.
      If its stored on line, then it’s as safe as your connection and your computer.
      Depending on your situation, it may be «safe enough» or pretty damn unsafe, or anywhere in between.

  7. I think that taking a screen capture of my list of emails and pws and then uploading that “image” to box.net or some other site or even emailing it to myself might be safe as a back up location. What do you say, Leo?

  8. I need help. My Facebook account suddenly logged out in my cellphone’s Android browser. I asked my friends to search my name in their Facebook but they can’t find it. They even told me our personal messages can’t be accessed. And I can’t even search my Facebook name in Google. As I remember, I’m not sure if I logged out of my FB account in a computer cafe that I rented that day.
    When I try to log in, I can’t log in anymore and it says incorrect. So I clicked “forgot password” and followed the steps. But since my internet is kind of slow, I guess I asked to reset my password 3 times. The last attempt was successful. When I tried to log in on my phone, I was asked to do the login through a computer and I did so.
    Using a computer, when I logged in to Facebook using my new password, it brought me to a message box telling me “Convert my profile to a page”?
    Why did it become like that? And there’s nothing like yes or no to choose from but must follow the steps. I don’t want to proceed, as I’m afraid to lose all my contacts and content.

    I don’t understand what happened to my Facebook account. Your help is appreciated. Thank you.

    Mary
  9. Hi, do you know if most sites store alternative email addresses, and secret question answers, hashed, similar to passwords?

    • There would be no way to know. The thing is that every site can be programmed independently. The only way to tell is to explore each site independently, and even contact them and find out how their particular site works.

    • Typically they do not for email addresses at least. Secret answers – also probably not. Unlike passwords, most answers are not case sensitive, and that breaks the ability to use a hash.

      • Hmm, so they are either plain text or something else fairly easy to obtain? Isn’t the logical conclusion then, that even completely random, complex, very long, unique passwords, can easily be confounded, and that even dual factor authentication is ultimately weak if it depends, for instance, on a phone number easily obtained if it is stored, hashed or not, since mostly we know it must be 10 digits, 0-9? It seems foolish to assume phone calls can’t be intercepted relatively inexpensively, but especially by actors like the NSA or China. Suddenly that guy burying his money in the back woods doesn’t seem so crazy.
        • Hi Wschloss,
          What you ask for doesn’t exist even if you’re prepared to pay a heavy price for it. No system is absolute, and expecting it from a free service is unfair. All security measures help to proect you from opportunity thieves ( the ordinary folks) and not so talented thieves only. Any talented crook might get through a good security. You’re talking about NSA & Chinese Authorites. The question is whether ‘you & I’ are worthy of thier efforts?

          Reply
  10. Dear sir, my FB account hacked and hacker wrong use my account, please help me. My account {number removed}
    Pwd {password removed}
  11. Hello… My Facebook account has been hacked twice. Had a friend try to help me yesterday and received a message from FB saying I was a hacker and they deleted my account. Lost all info, pictures and friends. I am NOT a hacker. I’m trying everything to try to resolve without anyone helping me. I’m exhausted and very upset. Thank you for your time… Can’t do anything and I don’t have a computer. Can’t open email. Nothing
  12. Hi, Thanx for another good article.
    When using ‘secret question’, I always use long numbers as answers, and I keep these written down and backed up.
    Two of them, I keep in my wallet, in case I need them while I’m out, along with the two corresponding passwords.
    If I was to lose my wallet, and someone read these items, they might guess that they are passwords,
    but would not know to what, nor have user names to go with them.

  13. As a consultant, I often have to help my clients recover from hacked accounts, and about eighty percent of the time it turns out that at some point in recent weeks they accessed their email or other account through a computer at a public library, hotel business center, or other public place. Those systems are VERY OFTEN infected by malware that captures your login info and sends it off to some hacker, and there is no way for you to know that.

    Consequently, I tell all of my clients, and anyone else who will listen, to NEVER access their email or other sensitive account through anyone else’s device, and especially not through devices that are available to the public. If you can’t take your computer with you when you travel, then use a tablet or smartphone, but ALWAYS use YOUR OWN device to access your email or any other website that you have to log into. And, never loan your device or allow anyone to use it that you are not certain you can trust.

  14. For answering secret questions, I have LastPass create a pronounceable password and use that. I try to use the same answer to all questions, but have LastPass create different ones if it doesn’t let me. I also use LastPass to create usernames = pronounceable passwords too, so many of my usernames are different too.
  15. Joke – Husband: “Honey, I know you changed our password, what’s the new one?”
    Wife: “It’s our anniversary date.”
    Husband: “Bitch”
  16. Hi Leo,
    I am very pleased to know that you wouldn’t help anyone to hack into someone’s
    account!
    Thankyou Alex!!

  17. MICHAEL DELL, the billionaire owner of DELL computers, places spyware through their laptops. I have been cyberharassed and stalked, where I couldn’t understand why my DELL laptop keyboard was literally insulting me and threatening me. I would be typing and these words would change to threats such as “Die, bitch, leave” or Spanish words and various other odd things I wasn’t typing; the words would bounce from one paragraph to specific words. I felt like somebody was on the other end of my keyboard; no IT or antimalware service could help. I checked through Windows 10 settings; spell check and such were all unticked and not on. Even his rich daughter Alexa Dell might have gotten all this information, not sure for what purpose. I use anti-spyware apps and VPNs, yet some of my information kept getting leaked online. I thought it was neighbors in my town or some other corrupt organization.

    I can’t use my Dell computer any longer and am stuck without a computer so I can’t do work. I’m not rich like his daughter so I need to make a living!!!
    Has anyone else had these odd cyberharassing things happen on this Dell computer, like the entire system is hijacked?
    • This is completely unrelated to it being a Dell computer. It’d be silly for a company like Dell to behave that way. Your computer has simply been hacked by someone, for some reason. I’d start by getting someone reputable to back it up, wipe it, and reinstall everything from scratch.

  18. All my passwords/accounts get changed minutes after I put info in. I know who’s doing this. My phone & tablet hacked. My text gets erased while I’m writing it. Also a harassment issue. I have changed my email & phone # three times. Been to police. I’m a senior citizen, disabled, and don’t know how to get them out of my phone or tablet. They use my email on porn sites, and I get that garbage on my phone. I’m 70 and this is ridiculous. Any suggestions?…….Sue
  19. We cannot recover hacked accounts, lost or forgotten passwords. Please see this article for more information on your options:
    https://askleo.com/would_you_please_recover_my_password_my_account_has_been_hacked_or_ive_forgotten_it/

    If this is a Hotmail, MSN.com, Live.com or Outlook.com account, then this article discusses recovery options for the various ways that these accounts can be lost or compromised:
    https://askleo.com/what_are_my_lost_hotmail_account_and_password_recovery_options/

    If this is a Facebook account then please see:
    https://askleo.com/how_do_i_recover_my_facebook_log_in_password/ and/or
    https://askleo.com/how-do-i-recover-my-hacked-facebook-account/

    • Read the article you are commenting on. It includes all the information we have on the subject. Have you implemented all 12 steps?

