Has a Hacker Really Hacked My Email Account?

Today, I received this lovely email. While I think it is complete BS and I certainly have no intention of taking any action on it, it *does* look like it was sent from my account, i.e., it appears that someone can send emails impersonating me. Do you have any advice what I should do about this?


The questionable email message that this person was reporting describes how this person’s account had been hacked, how changing the password wouldn’t help, and that it was being held for ransom to be paid in Bitcoin. And, indeed, it appeared to be “From:” this person’s email address.

Variations of this scam even include a password — a password that you’ve actually used.

Even so, “complete BS” is very accurate.

Though, if there is a password, then there is one thing you should do.

Footnotes & references

1: A specific type of online video that I’m reluctant to label because it seems to affect email deliverability and search result placement when I do. Let’s just say it’s a type of video many people would find embarrassing.

2: Before you ask, of course that’s not my password. (Smile)

Password Checkup: A Recommended Chrome Browser Extension

Keeping track of passwords is hard enough (though a good password vault helps a lot). But now, it seems, we need to start keeping track of all the various and sundry breaches that have occurred, possibly without knowing whether we’re directly impacted.

Services like Have I Been Pwned? are a great start, particularly its Pwned Passwords service, which lets you know if your account, or a password you use, has turned up in a breach. You can get notifications when your email address is discovered in a breach, but when it comes to passwords, checking is still a manual process.

That’s where Password Checkup comes in.
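As an added example (not code from the original page, nor from Have I Been Pwned? or Google's Password Checkup), here is the mechanism both tools rely on: the password is hashed with SHA-1, only the first five hex characters of the hash are sent to the service, and the service answers with every hash suffix it knows beginning with that prefix, so the full password, and even the full hash, never leaves your machine. The `fake_range_server` below is a constructed stand-in for the real `https://api.pwnedpasswords.com/range/{prefix}` endpoint, seeded with a made-up breach table, so the code runs offline; the counts in it are invented.

```python
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map; blank lines ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not found).

    Only the prefix is handed to fetch_range; the suffix match happens here.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- Constructed stand-in for the real range API (counts are invented) -------
FAKE_BREACH_TABLE = {"password123": 126927, "letmein": 75000, "qwerty": 3900000}
REQUESTS_SEEN: List[str] = []  # records what the "server" actually received


def fake_range_server(prefix: str) -> str:
    """Answer like the range endpoint: every known suffix under this prefix."""
    REQUESTS_SEEN.append(prefix)
    lines = []
    for pw, count in FAKE_BREACH_TABLE.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    # A decoy suffix that matches no real password, as a real response would
    # contain hundreds of unrelated entries under the same prefix.
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password123", "Tr0ub4dor&3-unique-2019"):
        n = breach_count(candidate, fake_range_server)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not found")
    print("server only ever saw these prefixes:", REQUESTS_SEEN)
```

The point to notice is `REQUESTS_SEEN`: the only thing crossing the wire is a five-character prefix shared by a large number of unrelated passwords, which is what makes the lookup safe to perform against a password you still use.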

Footnotes & references

3: And, yes, I did change my password for ring.com. Smile

4: It is, indeed, an implication, but one that is simple and makes sense as a completely secure approach to doing this.

12 Steps to Keep from Getting Your Account Hacked

My account has been hacked into several times. If I’m able to recover it, it just gets hacked again. Sometimes I can’t recover it, and I have to start all over with a new account. What can I do to stop this all from happening?

I don’t get this question a lot. But I really, really wish I did. What I get instead, repeatedly, is “I’ve been hacked, please recover my account/password for me!” (Which, for the record, I cannot do, no matter how often, or how nicely, or not so nicely, I’m asked.)

The only salvation is in prevention, and this applies to email, social media, and pretty much any password-protected account you might have.

What can you do to make sure your account doesn’t get hacked in the first place?

Footnotes & references

5: I often hear from folks who are concerned that providing a phone number is really just another way to track you. I don’t buy into that conspiracy theory. Providing a phone number is all about being able to prove you are the rightful account owner should you ever lose access to the account.

How Do I Choose a Good Password?

We frequently hear of major websites suffering data breaches that expose millions of user accounts and passwords to hackers.

This type of theft makes the concept of “good passwords” all that much more important to understand.

Footnotes & references

6: How many words are there in the English language? – Oxford Dictionaries

7: Cracking time calculations are from Password Haystacks at GRC.com.

8: Technically, this is not quite true: it is possible for two different inputs to produce the same hash (a collision). For a sound hash function, though, that is so astronomically unlikely to happen by accident that it is a non-issue in practice. And, as stated in the hashing algorithm requirements, there is no practical way to work out an input that would give you a specific hash value.

9: Trust me, you do not want to dream up your own hash. Leave the math involved to trained cryptographers. Homebrew hashes are typically broken quickly, often within seconds.


Password Haystacks – GRC.com has a great look at the password-length issue, including a calculator to play with.
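As an added example (my own code, not GRC's calculator and not code from the original page), this reproduces the "haystack" arithmetic the cracking-time figures above are based on: the search space is the sum of every possible string up to the password's length over the alphabet its character classes imply, and time-to-exhaust is that space divided by a guess rate. The alphabet sizes follow GRC's convention (26 lower, 26 upper, 10 digits, 33 symbols including space); the guess rates in `RATES` are assumed round numbers for illustration, not measurements. Non-ASCII characters are deliberately ignored, which is an assumption of this example.

```python
import string
from typing import Dict

LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 33  # 32 ASCII punctuation marks plus the space character

# Assumed illustrative guess rates (guesses per second), not measured figures.
RATES: Dict[str, float] = {
    "online, rate-limited login form": 1_000.0,
    "offline, fast unsalted hash on GPUs": 100_000_000_000.0,
}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume, given which character classes appear."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += LOWER
    if any(c in string.ascii_uppercase for c in password):
        size += UPPER
    if any(c in string.digits for c in password):
        size += DIGITS
    if any(c in string.punctuation or c == " " for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """All strings of length 1..len(password) over that alphabet (exact integer)."""
    a = alphabet_size(password)
    return sum(a ** i for i in range(1, len(password) + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string in the space at the given rate."""
    return space / guesses_per_second


def human_duration(seconds: float) -> str:
    """Rough, readable rendering of a duration."""
    units = [("centuries", 3_155_760_000.0), ("years", 31_557_600.0),
             ("days", 86_400.0), ("hours", 3_600.0), ("minutes", 60.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:,.2f} seconds"


def report(password: str) -> Dict[str, str]:
    """Time-to-exhaust for each assumed rate, keyed by scenario name."""
    space = search_space(password)
    return {scenario: human_duration(seconds_to_exhaust(space, rate))
            for scenario, rate in RATES.items()}


if __name__ == "__main__":
    # Length beats complexity: 24 characters of mostly padding out-searches
    # a 23-character string that looks random (GRC's own comparison).
    for pw in ("abcdef", "PrXyc.N(n4k77#L!eVdAfp9", "D0g....................."):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, space {search_space(pw):.3e}")
        for scenario, t in report(pw).items():
            print(f"    {scenario}: {t}")
```

The lesson the numbers make concrete is that the exponent (length) dominates the base (alphabet): once every character class is present, each extra character multiplies the attacker's work by 95, whereas swapping one letter for a symbol adds nothing once a symbol is already there.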

Why Is It So Important to Use a Different Password on Every Site?

I keep hearing that I’m supposed to use a different password on every internet site where I have an account. What a pain! I can’t remember all of those passwords. Yeah, I know. You want me to use a password manager thing, but that seems like putting a bunch of really important things into a single basket. What if that basket gets hacked? I use a strong password, why isn’t that enough?

The hacks of several online services have brought this issue to light once again.

I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account – at least, every important site.

And yes, you must devise a way to manage them all.

Let me run down an example scenario that’s causing all of this emphasis on multiple different passwords.

Footnotes & references

10: Thankfully, services rarely store the actual password – though of course they could. (If your service can tell you your actual password, they’re doing it wrong: they’ve stored the password itself somewhere.) Rather, they store what’s called a “hash” of the password. Depending on several factors – typically, poor decisions made by whoever implemented the authentication mechanism – it is sometimes possible for hackers to recover passwords from hashes: not by reversing the hash, but by hashing enormous numbers of guesses and comparing the results, which a fast, unsalted hash makes cheap to do.
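As an added example (my own code, not code from the original page and not any particular site's implementation), here is the difference footnote 10 is pointing at. The "naive" store keeps a bare SHA-1 of the password, so an attacker with a copy of the database only needs a precomputed table of hashes of common passwords to read them off; the hardened store keeps a per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256 digest, so every guess must be recomputed per user and the stored record cannot be turned back into the password. The `pbkdf2_sha256$iterations$salt$digest` record layout is my own illustrative format, not a standard one; the leaked hashes and wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List

# OWASP's 2023 guidance for PBKDF2-HMAC-SHA256; slow on purpose.
DEFAULT_ITERATIONS = 600_000


# --- The wrong way: a fast, unsalted hash ------------------------------------
def naive_record(password: str) -> str:
    """What a careless implementation stores: plain SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_naive(leaked_hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Recover naive records by hashing each guess once and looking hashes up.

    Because there is no salt, one table serves every user in the dump.
    """
    table = {naive_record(word): word for word in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


# --- The right way: random salt plus a slow key-derivation function ----------
def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Build a storable record; the salt is fresh per password, so equal
    passwords produce different records and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Illustrative record format (assumed, not a standard): algo$iters$salt$digest
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupted row
    cannot turn into an exception path that skips the check.
    """
    try:
        algo, iterations_str, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(computed, expected)


# --- Constructed demonstration data -----------------------------------------
COMMON_WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty", "dragon"]


def demo() -> Dict[str, str]:
    """Crack a constructed leak of naive records; returns hash -> password."""
    leaked = [naive_record("letmein"), naive_record("dragon"),
              naive_record("c0rrect-h0rse-battery-5taple")]
    return crack_naive(leaked, COMMON_WORDLIST)


if __name__ == "__main__":
    print("naive records cracked:", demo())
    rec = make_record("letmein")
    print("hardened record:", rec)
    print("verify correct:", verify("letmein", rec), "verify wrong:", verify("letmeinn", rec))
```

Note what the hardened store does not give an attacker: the same wordlist still works in principle, but each guess costs 600,000 HMAC evaluations per user instead of one SHA-1 shared across the whole dump, which is the difference between minutes and decades for the same breach.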

Is a Periodic Password Change a Good Thing?


I read many articles (including some on Ask Leo!) that recommend that people should change their passwords from time to time. But what is good practice in this respect? Should it be related to frequency of use? For instance, some passwords are used frequently, some less often, and some rarely. Or should it be related to the level of security needed? For instance, passwords for online banking are more sensitive than passwords for magazine subscriptions.

Good practice in a corporate environment seems to be to force network and other password changes every 30 days or so. This would seem to be overkill in the home environment as it could result in some accounts being accessed more often to change a password than to do anything else.

Unless you get into a good routine, like when you do data backups, password changes will only get done sporadically, if at all.

Do you have a view on how to build such a good routine?

As you say, routines for things like this are difficult to set up, and if not automated, they are easily forgotten. Automation may be the answer in many cases, but it’s not always available – at least not in a convenient form.

But before we even get to that, I want to talk about the “you should change your password periodically” rule of thumb.

I disagree.

How Do I Change My Gmail Password?

I can’t figure out how to change my password on Google for my Gmail account.

I’ll show you.

However, I do have to point out that in order to change your password, you must be able to log in. I mean, if you can’t log in then you can’t prove that you’re the rightful owner of the account. If Google did allow you to change your password without logging in first, then anyone could change it, whether or not they were actually authorized to do so.

So, step 1: log in to your Gmail account.

How do I disable remembered passwords in my browser?

Please describe how you disable the “remember password” feature in browsers. And how to clear previously remembered passwords, as well.

That was a comment posted on my article How safe is it to let my browser save my passwords?, where I essentially discouraged the use of browsers’ built-in password-saving features in favor of utilities like LastPass.

Fair enough. Let me show you how in Internet Explorer, Firefox and Google Chrome.

How Safe Is it to Let My Browser Save My Passwords?

I’ve got a quick question concerning saved username/passwords in browsers. Whenever you visit a website and need to login, you’ll be asked (depending on your browser settings) if you’d like to “save” the username/password information to make future logins easier. If you choose to do so, is this username/password information made visible to anyone who has compromised your computer when you access the website in the future? Since the fields are already filled in for you, you don’t actually need to type in anything.

The short answer is yes – if you’re not careful, anyone who walks up to your computer can access those websites as you, or perhaps even walk away with a copy of all your usernames and passwords.

There are actually several important issues around letting your browser – or any utility for that matter – save your passwords. Particularly when we advocate using multiple complex and different passwords for different sites, it’s not only important to use these types of features to keep it all straight, but to use them properly so as not to expose yourself to security issues should your machine ever be compromised.

I’ll review how these features work, and how to use them safely.

Footnotes & references

11: AKA “the cloud”.

Why Is It Important to Have Different Passwords on Different Accounts?

Is it safe to have the same password for all of my email accounts? If one has an account in Yahoo! mail, Gmail, rediff mail, etc., and sets the same password for all of them, will it be easier for a hacker or phisher to find out about it?

Using different passwords is much safer than using one password everywhere. In fact I’ll say it’s critical these days.


Because hackers know that most people don’t take the trouble to set that up.

And they know that we typically have more than one account.

Why do I need to change passwords after Heartbleed?

You may have noticed that I didn’t jump on the Heartbleed bandwagon last week. I’m not a particularly reactive person, I’m not prone to panicking, and I felt that there was simply too much that wasn’t known about the ramifications of the security issue.

Now that things have settled down a little, it’s time to take a calmer look at what happened, to learn what you need to do, and to answer the most common question about Heartbleed: why?

But first things first: it’s not on your machine. In fact, it doesn’t affect your machine at all. This is all about the servers that you access on the internet.

Footnotes & references

12: Sadly, we can’t say “all a’twitter” any more without implying that Twitter was the only place where the alarm was raised.

Is It Safe to Stay Logged in to My Password Vault?

I have and use KeePass with Windows 7. I open KeePass in the morning and I leave it open all day. Does this make it unnecessary for malware to determine my KeePass password in order to see my password file? Is keeping KeePass open a security risk? 

This is an interesting scenario and the answer really boils down to “it depends”.

I use LastPass, a KeePass equivalent. I keep it logged in all day …. and again, I don’t.

2013’s Ten Most Popular Posts

This year marked a bit of transition for Ask Leo! as we began a technology switch from Movable Type to WordPress. As a result, the numbers may not be quite as accurate as in years past (a page that was moved from one to the other might not be appropriately represented), but the overall standings are interesting nonetheless.

Footnotes & references

13: For many years, the #1 (and often #2 and #3) question on Ask Leo! related to recovering Hotmail passwords – so much so that Hotmail passwords became a running joke among my friends and family. This is the first year that Hotmail (or now Outlook.com) passwords haven’t cracked the top ten.

Why are sites making it difficult for password managers?


Following your advice, I use a password manager so I can use long, secure passwords and simply copy-paste into websites. Recently, however, it seems more sites use a technology that prevents this. The temptation now is to use shorter passwords, making them less secure so copying and typing them is easier. Why are sites doing this?

I haven’t seen a site that actually prevents pasting a password in the Password field, but I definitely have seen sites that either intentionally or unintentionally make password managers more difficult to use.

It’s backwards thinking, if you ask me.

Will locking my computer prevent scheduled and autorun programs from running?

Hi, Leo. Will autorun programs be prevented from running if I lock my computer so that it can only be opened with a password? Specifically, will Macrium’s scheduled backups be prevented from running if I lock my computer?

Macrium will run just fine. As for other autorun programs… well, it depends.

