As many of my email correspondents are aware, my personal Gmail account was recently hacked. I still have no idea how this happened. I am not in the habit of clicking on email attachments or browsing strange websites, and I use an extremely strong, long and hard-to-crack password. Yet despite practicing an almost paranoid level of online personal security, my account was still hacked.
Luckily, I was made aware almost immediately. Unluckily, I was sitting in a taxi at the time, heading toward a four-hour train ride, followed by a two-hour car ride, and panicking that I couldn’t do much about it. Back to the luck side—the train had Internet access, so as soon as I settled in, I set out to minimize the damage and maximize the apologies. I think I did a pretty good job at both, but the embarrassment continues and my security paranoia has increased dramatically.
I’ve spent a lot of time thinking about how my account got hacked but haven’t come up with any answers. The bottom line is this: You can’t let your guard down online, no matter what. I was lucky my account wasn’t taken over completely—I could still log into it, change my password and ensure that none of my settings were changed. Other people haven’t been so lucky.
I’ve changed a few of my habits since that day and have considerably beefed up my approach to password safety. In addition to basic password safety—sufficiently secure passwords, not shared with others or written down and stored in obvious places—here are some additional steps you can take to increase your online safety, too.
- Don’t login to any non-secure online accounts from public Internet hotspots, unless you really aren’t at all concerned about your security.
- Don’t stay logged in to your web-based email while browsing the Internet, especially if using an unknown Internet connection.
- Never put your password in an email.
- Create secure challenge questions—your mother’s birth name or your pet’s name or similar are never sufficiently secure challenge questions and answers.
- Ensure your password recovery email address is current.
- Don’t use the same password for multiple accounts. If one account password becomes known, all your online accounts will be vulnerable.
- Check sent email for unusual activity.
- Periodically change the password for your most sensitive accounts.
- Never, ever use your network logon password outside the office network.
- If you use Gmail, use its two-step authentication process.
- Use 10 characters instead of 8 (the default)
Because you can never have too much information or too many warnings, below are links to two stories that will stop you and make you think (and then make you update and strengthen your passwords). The first shows how easy it was for the Hollywood Hacker to take over celebrity email accounts. The second is a sobering account by journalist James Fallows about the hacking of his wife’s Gmail account, and the fallout.