There’s more to security than 2cbMM8DS7Dwg3FWMVuSv.
I can’t say what happened in your case, specifically.
Let’s assume you’ve got a great password — something like “2cbMM8DS7Dwg3FWMVuSv”. It’s not going to be guessed, and no current computer is going to get to it in the next century by trying all possible combinations.
I can still think of a number of ways your account could have been compromised.
Become a Patron of Ask Leo! and go ad-free!
- You have a keylogger
- You logged in on a public computer
- You’ve been phished
- You have poor security questions/answers
- You logged in over an open WiFi connection
- You walked away while logged in
- You left your computer accessible
- You told a friend
- Someone watched you log in
You have a keylogger
Keyloggers, short for keystroke loggers, are malicious programs transmitted and installed as viruses or spyware.
Once infected, a keylogger could record every keystroke you press, and send it off to some central “hacker headquarters” where results are analyzed and account login IDs and passwords are extracted.
“Keystroke logger” is a misnomer these days. Anything you do can be recorded, including mouse clicks, screenshots, and even network traffic, rendering most of the ways to supposedly bypass keystroke loggers completely ineffectual.
You logged in on a public computer
Not only can public computers be completely infested with malware, including keyloggers, but they can also have hardware logging devices installed. Even if you scanned for it, you’d never tell from the software installed that keystrokes and other activity are being captured by a device attached to or inside of the computer itself.
You’ve been phished
This happens a lot, particularly in online games.
You receive a message, supposedly from the game administrator, that you need to visit a website to gain access to some in-game bonus or validate your account, or risk being banned. When you go to the site, you must log in and … you just gave your login information to a hacker.
Phishing is, of course, not limited to these in-game messages — they can be just about anything to get you to divulge your username and password. Most common phishing attempts happen via email.
You have poor security questions/answers
They’re less common now, but security questions are still sometimes used to validate that you are who you say you are when you click the “I forgot my password” link.
If those security questions are simple things like your birthplace or favorite color, someone who knows you or has read your profile on social media may be able to answer them. If they can, it means they can gain access to your account and set a new password.
You logged in over an open WiFi connection
This could be at some public location offering open Wi-Fi, or even your own home, if you haven’t enabled WPA encryption on your wireless access point.
When this happens, anyone within range (meaning perhaps within a few hundred feet) could “listen in” to your network conversation and see your login ID and password as they passed by from your computer to the gaming or other server.
Fortunately, this is becoming less common as most sites move to https, but you do still need to take care.
You walked away while logged in
If you leave your computer unattended and logged in, someone might be able to walk up and change your password. Or your security questions. Or the email address associated with the account. Any or all of those might allow them to later use the “I forgot my password” function and “recover” access to your account.
You left your computer accessible
There’s no substitute for physical security if someone can just walk up to your computer. Even if you’re not actively playing the game or using the service, or you think you’ve logged out, someone could still start searching for things that might help them. If your game allows you to remember login IDs or passwords, those are probably accessible somewhere, and anyone with physical access to your machine could conceivably find them.
You told a friend
I’ve learned this happens more often than we think.
Sometimes the easiest way to share something is just to let your friend (or spouse, or child, or parent, or …) log in as you — so you give them the password. Later, when they’re angry or hurt or no longer your friend, they are still able to log in and change your password, thereby locking you out.
Someone watched you log in
“Shoulder surfing”, as it’s known, is as simple as it sounds: letting someone watch you type in your password could be enough for them to memorize the keys you type. It’s not necessarily easy, but depending on how you type and how well that person watches and remembers, it’s possible to get a password — even a complex one.
It’s great that you have a strong password. That already puts you ahead of the majority of computer users, sad to say. But it’s not something that protects you from all threats. Be aware of the scenarios I’ve listed, and take appropriate steps to minimize the risks.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Related Video
Could the owner of an open WiFi HotSpot – Say at my local Starbucks – utilize a keylogger to capture what I’m doing online? If so HOW?
Or better yet, could a “Bad Guy” set up an open WiFi in a public area specifically to capture peoples usernames and passwords as they perform their online business in that public place?
Any way to protect oneselves from this?
26-Oct-2010
That “’Bad Guy’ set up an open WiFi in a public area specifically to capture peoples usernames and passwords ” approach is a fairly common hacking method in airports and other public places. Be very careful when using WiFi in public places and make sure the WiFi provider is really who they say they are.
Hi Leo:
It’s the first time I read the “Your password is great, but your security questions? Not so much” topic, but I’ve been worried with this for some time.
Untill now I’ve been answering my pet name or first teacher questions with stuff like “0jrkdiGv5Q@n”. Answers I can’t remember, but am sure that no one else is going to guess.
If I have an alternate email for password recovery…
Is it ok to do this?
What problems do you see in my aproach?
Thanks
28-Oct-2010
I also use “garbage” for those security Q&A type recovery items. Store them in LASTPASS NOTES so you don’t have to remember them. Really important ones get stored in another secure spot as well. If you generate these “garbage” strings external to the service for which they will be used (say in LASTPASS) and use cut and paste to avoid typos, it works well. LASTPASS is useful for storing a great deal of important information, and the search facility it now has removes most of the hassle of locating it. There are probably other providers of similar capability than LASTPASS, but the principle is the important issue.
PFL
Leo, a follow up on your prior response:
If you think putting garbage as an answer is not a good choice… What do you recomend?
And could you please elaborate on the reasons why?
I don’t see a point in giving the correct answer to any of these questions. Most of the people I now can answer all or most of them correctly (e.g. I live in a latin american country, and my mother’s maiden name is part of my full name, or, anyone who has been on my birthday parties knows my favorite food is guatita [cow stomach with peanut sauce].. etc).
At the begining I started giving unrelated answers (e.g. My favorite food is blue). But I thought that if a weak passsword is dangerous. A weak question could be hacked as, or more easily. The same goes to give the same answer everywhere.
I continued to give slightly changed responses (e.g. mispelled words, language changes, or even alternate capital letters) but I ended with too much unrelated questions and answers, that I’m sure would be as dificult to remember as “0jrkdiGv5Q@n”
So I ended putting something like “0jrkdiGv5Q@n” as a secret anwer.
My reasoning was, that if anyone hacked my account and changed my alternate email, that person would be non-stupid enough to also change my secret question, country, ZIP code, birthday, etc. If I couldn’t get my account back, then why would I leave a back door open?
What’s the reason to put a secret answer?
Remember your post on “periodical password change”
Please let me know your thoughts and elaborate a bit on them.
Thanks again.
Barcillo
PS: all examples are ficticious. None of my acounts have “0jrkdiGv5Q@n” nor blue as a response…
or maybe they do ;)
29-Oct-2010
Leo, Barcillo‘s approach of inputting nonsense replies to security questions is actually quite sound, with the proviso that he is able to somehow retrieve those specific responses when needed, i.e., by storing them in a password database utility such as Roboform (your recommendation); or (my personal favorite) in
KeePass Password Safe.
“Favorite Color = Pencil” may be a tad easier to remember, but it just isn’t quite as secure! :)
As an admin for my company, I have a myriad number of accounts that require user names and passwords. I decided the easiest thing for me to do (in order to remember them) was to prepare an Excel spreadsheet that contains ALL of my user names, passwords, and secret questions/answers. My current list is four pages long!
My company’s IT systems are backed up every night, but I do keep a hard copy of my Excel document in a safe place should a system-wide crash occur.
Additionally, in the last year my computer was infected with a virus that I could not remove, so I purchased Spyware Doctor. This software frequently scans my programs and alerts me to any website or website connected to an advertisement that is “suspicious.” I just click to block the site. I like the proactive nature of this program.
Obviously, there are no guarantees that someone won’t hack into my e-mail account; but I hope I’ve taken careful measures to reduce the risk …
No one uses my personal computer but me. I never use a public computer ever. I delete ALL phishing e-mails. And I have a complicated password (plus good Spyware)!
Hope this helps!
Leo –
What if by some incredible, incredible coincidence, the password I tried to create for a website was already used by another person. How does the website let me know that I cannot use that password without tipping me off that that’s someone else’s valid password? Or does the website even care? (I’m assuming that a website would never allow two users to have the exact same password.)
Thanks.
The website neither knows nor cares. It’s quite legitimate — safe(ish) even — for two people to have the same password. There’s nothing about that that would put either at more risk. What puts people at risk is using the same password everywhere, and using passwords that have already been discovered. Some Password Managers are starting to check for the latter — “this password has already been discovered in a breach” kind of thing. Not telling you where, or who was using it, just that it’s been found. That means it’s VERY likely to be in a table of passwords hackers might start trying first. Pwned Passwords is a good source to see if a password has been included in a breach: https://haveibeenpwned.com/Passwords
I would assume websites that do security right hash the password and the username, usually the email address together, together, so to the website it would appear to be a completely different password. And I’m 100% certain that every major website has several people using the same password, in particular, many from the list of most popular passwords.
There are so many ways things could be stored. I’d be surprised if they hashed a username and email address with the password, but of course, they could. Doing it “very” right means adding something called a “salt” to the password before hashing, and those could be simple ones. (Though using those would prevent you from changing either in the future, I think — you need to see ’em all simultaneously to generate the hash, and the site sees the password exactly and only once: when you set it.) Many systems still don’t rely on salt, or the salt they use is a constant, in which case they could see the hash values are the same.
I understand about salt. I just figured that hashing the username password combination would be adding pepper too :-)
I really don’t agree with you that someone is going to watch you type in your password and remember it
most people can’t follow a person pressing the keys and get them correct and if using the password in your example NOBODY … NOBODY is ever going to remember this let alone get it correct watching a person press the keys …. it’s not logical this is possible for normal human based carbon units
Use a mobile phone to record the password entry, then play it back at leisure.
Is there a way to contact the OWNERS (Corporate) of an Online Game ? If they don’t offer customer service, perhaps Google for a phone number to contact Corporate or a Corporate Officer. Employees of the Corporation may not care, but I would hope they would take action to suppress criminal activity (theft) involving their product. I would think they could easily trace the illegal transfer of in game property. It should also be easy to track similar behavior or a pattern of such suspicious behavior by one of their customers.
Is there a “help” function with a lead to that info? Is this a paid service and if so can the site where you pay help? If a corporate entity owns this game, they and their customer relations should be discoverable by a general search. Leo may have more/better suggestions. I hope you can get help in tracing the illegal transfer. Good luck and maybe post back your results.
This varies from game to game. ALWAYS start with customer support. You can try determining who owns their website or looking for corporate information on the game or support website.
Wouldn’t another vector be the service itself? If they’re not doing security right and get hacked, that could expose user information. I realize that ideally that shouldn’t happen – websites shouldn’t store user information in a format that would be decipherable if it gets hacked, but I wouldn’t hold my breath that that always happens. And, that is something completely out of the user’s control.
Additionally, in reference to some of the comments above: I also use a random string of characters for my security answers, I just store them in my password manager so I don’t have to remember them.
Good point. Indeed, we do see companies being breached, and if they’re not storing passwords properly, or who knows what else, bad things can happen.
That’s why it’s so important to use a unique password for each login. If on website gets breached, you only have to deal with that website. If you use the same email address password combination, the hackers can try that combination on several different websites and get in. This is a tenth way your accounts can be hacked: if they’ve breached one website you use, you can lose others which use the same login credentials.
Longtime LastPass user and I’m am having problems with my Amazon account. A month ago, someone signed up for Prime with my credit card, but a different account. Amazon promptly deactivated it and I reported it to my credit. I can’t remember if I changed my Amazon password at the time. Today, someone opened a Prime account using my Amazon account. I saw the E-mail and called Amazon. They wouldn’t cancel the free trial, but they did let me cancel the Prime. I did change my password in LastPass and activated 2 factor authentication. I then just saw that the credit card mentioned earlier has a flight booked tonight along with travel insurance for it. I’m trying to call the airline, but may hang up and call the credit card instead.
Definitely call the credit card company and have them cancel the credit card and issue you a new one. Many banks refund fraudulent charges.
This morning it was much easier to reach the airline and the credit card company and they took care of it. The airline gave the name of the person, but I didn’t recognize the name.
I still wonder how someone signed me up for a trial Amazon yesterday.
That is strange because to do that they’d need to have both your Amazon login information and your credit card number and security code. The credit card is easy to fake. Any time you’ve handed your credit card to someone for payment, they could have got your number, security code and expiration date. The Amazon hack is baffling.
1. Make sure you cancel the trial Amazon Prime account before the month is up or you’ll end up getting charged for a year.
2. You probably should go to the police since you know who tried to steal from your Credit Card account. They may be doing this to many people and you might help stop them from committing more fraud.
Mark, thanks for your reply earlier. Yes, the Amazon one is baffling because how did they get into it. My Amazon password is a LastPass password. Now, I do have the 2-factor enabled.
On another consumer site, people are suggesting that my LastPass or my computer are compromised. I have a hard time believe that could happen. I don’t even type in my Amazon or LastPass passwords, as they auto login or auto enter. I guess I could change my LastPass password. But my LastPass master password is a fairly solid password. I think there is a way to see open sessions of your LastPass and look at a history. I do not have 2-factor on LastPass, and don’t want to add it. That would be very scary if someone got into my LastPass and exported all my passwords. I just don’t know how they would do that.
Citibank unfortunately, won’t issue a temporary credit, so not happy about that.
The thing that comes to me is that your computer has been compromised. It’s unlikely but possible that LastPass has been compromised unless they did it by malware on your machine.
If your computer is compromised, using LastPass instead of typing in the password wouldn’t offer much protection as malware can read the contents of the clipboard and other buffers.
Will Roboform or Lastpass bypass keyloggers?
And yes, change your LastPass password and all your login passwords. If they got into your LastPass vault, they have access to everything.
Thanks Mark again for your comment (April 16, 2021 at 5:31 am). I went ahead and changed my LastPass password, even though I’m still not sure how it would have been compromised. I also changed the password on a few of my key sites.
I also ran a Windows Defender full scan, and had it run the offline scan and nothing came up.
Citibank did luckily issue a credit. I also filed a report with the police.
The suggestion to change your LastPass password was in case you had malware on your computer that may have grabbed the password. Did you run a few antimalware programs as a precaution?
How Do I Remove Malware from Windows 10 in 2021?
Thank you for the suggestion for that post. I downloaded Malwarebytes and it did not find any malware.
About the LastPass password, see, I never enter it on my computer because I have automatic login on Chrome via the LastPass extension. So I don’t think LastPass would store it in the clipboard.
Meanwhile, the police officer just called me to get the full credit card number. I have since discarded it. But luckily, I found one of my LastPass backups from a few months ago and retrieved the #. All for backups!