Today, I received this lovely email. While I think it is complete BS and I certainly have no intention of taking any action on it, it *does* look like it was sent from my account, i.e., it appears that someone can send emails impersonating me. Do you have any advice on what I should do about this?
The questionable email message that this person was reporting describes how this person’s account had been hacked, how changing the password wouldn’t help, and that it was being held for ransom to be paid in Bitcoin. And, indeed, it appeared to be “From:” this person’s email address.
Variations of this scam even include a password — a password that you’ve actually used.
Even so, “complete BS” is very accurate.
Though, if there is a password, then there is one thing you should do.
1: A specific type of online video that I’m reluctant to label because it seems to affect email deliverability and search result placement when I do. Let’s just say it’s a type of video many people would find embarrassing.
2: Before you ask, of course that’s not my password.
Keeping track of passwords is hard enough (though a good password vault helps a lot). But now, it seems, we need to start keeping track of all the various and sundry breaches that have occurred, possibly without knowing whether we’re directly impacted.
A service like Have I Been Pwned? is a great start, particularly with its Pwned Passwords service, which lets you know if your account, or a password you use, has been discovered in a breach. You can get notifications when your email address is discovered in a breach, but when it comes to passwords, it’s still a manual process.
My account has been hacked into several times. If I’m able to recover it, it just gets hacked again. Sometimes I can’t recover it, and I have to start all over with a new account. What can I do to stop this all from happening?
I don’t get this question a lot. But I really, really wish I did. What I get instead, repeatedly, is “I’ve been hacked, please recover my account/password for me!” (Which, for the record, I cannot do, no matter how often, or how nicely, or not so nicely, I’m asked.)
The only salvation is in prevention, and this applies to email, social media, and pretty much any password-protected account you might have.
What can you do to make sure your account doesn’t get hacked in the first place?
5: I often hear from folks who are concerned that providing a phone number is really just another way to track you. I don’t buy into that conspiracy theory. Providing a phone number is all about being able to prove you are the rightful account owner should you ever lose access to the account.
8: Technically, this is actually not true: it is possible that two inputs will generate the same hash. However, it is statistically so extremely unlikely that it is simply a non-issue. And as stated in the hashing algorithm requirements, there’s no way to know how to pick an input value that would give you a specific hash value.
9: Trust me, you do not want to dream up your own hash. You really want to leave the math involved to trained professionals. Homebrew hashes are typically cracked within seconds.
Password Haystacks – GRC.com has a great look at the password-length issue, including a calculator to play with.
I keep hearing that I’m supposed to use a different password on every internet site where I have an account. What a pain! I can’t remember all of those passwords. Yeah, I know. You want me to use a password manager thing, but that seems like putting a bunch of really important things into a single basket. What if that basket gets hacked? I use a strong password, why isn’t that enough?
The hacks of several online services have brought this issue to light once again.
I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account – at least, every important site.
And yes, you must devise a way to manage them all.
Let me run down an example scenario that’s causing all of this emphasis on multiple different passwords.
10: Thankfully, services rarely store the actual password – though of course they could. (If your service can tell you your actual password, then they’re doing it wrong, and they’ve stored the password itself somewhere). Rather, they store what’s called a “hash” of the password. Depending on several factors – typically, poor decisions made by whoever implemented the authentication mechanism – it is occasionally possible for hackers to indirectly reverse-engineer passwords from hashes.
I read many articles (including some on Ask Leo!) that recommend that people should change their passwords from time to time. But what is good practice in this respect? Should it be related to frequency of use? For instance, some passwords are used frequently, some less often, and some rarely. Or should it be related to the level of security needed? For instance, passwords for online banking are more sensitive than passwords for magazine subscriptions.
Good practice in a corporate environment seems to be to force network and other password changes every 30 days or so. This would seem to be overkill in the home environment as it could result in some accounts being accessed more often to change a password than to do anything else.
Unless you get into a good routine, like when you do data backups, password changes will only get done sporadically, if at all.
Do you have a view on how to build such a good routine?
As you say, routines for things like this are difficult to set up, and if not automated, they are easily forgotten. Automation may be the answer in many cases, but it’s not always available – at least not in a convenient form.
But before we even get to that, I want to talk about the “you should change your password periodically” rule of thumb.
I can’t figure out how to change my password on Google for my Gmail account.
I’ll show you.
However, I do have to point out that in order to change your password, you must be able to log in. I mean, if you can’t log in then you can’t prove that you’re the rightful owner of the account. If Google did allow you to change your password without logging in first, then anyone could change it, whether or not they were actually authorized to do so.
I’ve got a quick question concerning saved usernames/passwords in browsers. Whenever you visit a website and need to log in, you’ll be asked (depending on your browser settings) if you’d like to “save” the username/password information to make future logins easier. If you choose to do so, is this username/password information made visible to anyone who has compromised your computer when you access the website in the future? Since the fields are already filled in for you, you don’t actually need to type in anything.
The short answer is yes – if you’re not careful, anyone who walks up to your computer can access those websites as you, or perhaps even walk away with a copy of all your usernames and passwords.
There are actually several important issues around letting your browser – or any utility for that matter – save your passwords. Particularly when we advocate using multiple complex and different passwords for different sites, it’s not only important to use these types of features to keep it all straight, but to use them properly so as not to expose yourself to security issues should your machine ever be compromised.
I’ll review how these features work, and how to use them safely.
Is it safe to have the same password for all of my email accounts? If one has an account in Yahoo! mail, Gmail, rediff mail, etc., and sets the same password for all of them, will it be easier for a hacker or phisher to find out about it?
Using different passwords is much safer than using one password everywhere. In fact I’ll say it’s critical these days.
Because hackers know that most people don’t take the trouble to set that up.
And they know that we typically have more than one account.
You may have noticed that I didn’t jump on the Heartbleed bandwagon last week. I’m not a particularly reactive person, I’m not prone to panicking, and I felt that there was simply too much that wasn’t known about the ramifications of the security issue.
Now that things have settled down a little, it’s time to take a calmer look at what happened, to learn what you need to do, and to answer the most common question about Heartbleed: why?
But first things first: it’s not on your machine. In fact, it doesn’t affect your machine at all. This is all about the servers that you access on the internet.
I have and use KeePass with Windows 7. I open KeePass in the morning and I leave it open all day. Does this make it unnecessary for malware to determine my KeePass password in order to see my password file? Is keeping KeePass open a security risk?
This is an interesting scenario and the answer really boils down to “it depends”.
I use LastPass, a KeePass equivalent. I keep it logged in all day… and again, I don’t.
This year marked a bit of transition for Ask Leo! as we began a technology switch from Movable Type to WordPress. As a result, the numbers may not be quite as accurate as in years past (a page that was moved from one to the other might not be appropriately represented), but the overall standings are interesting nonetheless.
13: For many years, the #1 (and often #2 and #3) question on Ask Leo! related to recovering Hotmail passwords – so much so that Hotmail passwords became a running joke among my friends and family. This is the first year that Hotmail (or now Outlook.com) passwords haven’t cracked the top ten.
Following your advice, I use a password manager so I can use long, secure passwords and simply copy-paste into websites. Recently, however, it seems more sites use a technology that prevents this. The temptation now is to use shorter passwords, making them less secure so copying and typing them is easier. Why are sites doing this?
I haven’t seen a site that actually prevents pasting a password in the Password field, but I definitely have seen sites that either intentionally or unintentionally make password managers more difficult to use.
Hi, Leo. Will autorun programs be prevented from running if I lock my computer so that it can only be opened with a password? Specifically, will Macrium’s scheduled backups be prevented from running if I lock my computer?
Macrium will run just fine. As for any autorun programs… well, it depends.
Leo: I know we should change passwords regularly for security, but should we also be changing the various user names for the many sites we visit? Can we be tracked by using similar user names like we can passwords?
There are a couple of interesting pieces of what I would consider to be misinformation implicit in your questions. Let me address those first.
Whenever I talk about using different passwords to log in to different sites, and how important it is to make sure that all those passwords are difficult to guess (and, conversely, hard to remember), many people throw up their hands in frustration.
It’s too much to remember; too much to keep track of.
Computers, on the other hand, are great at remembering things for you. As a result, there are many popular programs that will track your online passwords for you.
15: For a more detailed investigation of LastPass’s security model, read (or listen to) Security Now #256. About halfway down, Steve Gibson reviews LastPass’s approach to security.
16: Not strictly true. If I were to lose my phone, I would be able to log in using a one-time password that was set up when I enabled two-factor authentication. Obviously, one-time passwords must themselves be securely stored elsewhere. I happen to keep them in a file on a TrueCrypt volume for safekeeping.