Email addresses these days can be like passports to all the different areas of your online presence. A Google account can link up to your calendar, applications, social media profile, online storage and much more. And then of course there are your emails themselves: how many different accounts with Amazon, eBay, Facebook and the like does your email address act as the gateway to? The point I'm leading up to, of course, is what happens when someone steals your password and gains access to that email address? Hacked email accounts and identity theft are all too common these days, and being a victim can cause you all sorts of problems. For developers, email addresses can also open up access to domain and hosting accounts: how much damage could a hacker do to your sites if they stole your email password?
Enough scaremongering... you get the point, so what can we do? I'm going to take a look at some steps you can take to protect yourself and, for the Google account users out there, how to use Google's 'two-factor' authentication to really lock your account down.
So first things first. To understand what we need to do to protect ourselves, we need to understand how the bad guys are getting in to start with. This list is by no means comprehensive but should give you an idea of some of the common techniques that are used, then we can take a look at how to prevent them.
One of the most common methods of password cracking is what's known in cryptography as 'brute force', which basically involves a computer (or several) rapidly making many attempts to 'guess' your password. Sounds unlikely, right? You'd be surprised. With modern computing power this method can be highly effective. In a recent experiment by Ars Technica, 14,800 passwords out of 16,449, with passwords of up to 16 characters in length and mixed letters and numbers, were cracked in hours. Over 10,000 passwords were cracked in the first 16 minutes. Is your password more complicated than 'qeadzcwrsfxv1331'?
I've worked in several environments where, through poor storage methods, I've happened to have the opportunity to see a large number of employee passwords. You'd be amazed by the number of people with a password of 'password', '12345', 'letmein' and other variations. Then there's firstname.lastname@example.org who thinks a password of j0hn with a zero isn't going to be in the first 10 things a cracker would try to get into his account, or the cat's name that everyone knows about on Facebook. Obvious passwords make it incredibly easy for people to gain access to your account. Developers are in part to blame here: a good system should enforce more complex passwords so that they are not easily crackable.
How safe is the computer you're using to log in to your account? If you're using a public Internet cafe, for example, you've no idea what's been installed on that machine. A key logger can track everything you type without you even knowing, so when you type email@example.com followed by password123, it won't take a genius to work out how to get into your account when they view the logs.
Sites not using 'https' (secure HTTP) mean that the information being sent from your browser won't be encrypted before it is sent to its destination. Spoofed Wi-Fi access points, or connecting to unknown free Wi-Fi points, can allow hackers to view and log the data that is sent from your device; if you're not using a site with https the data isn't encrypted, making it easy for them to steal your credentials.
The idea behind 'social engineering' is to psychologically manipulate people into revealing confidential information until enough has been gathered to allow access to your account. This will often involve contacting the company storing your account directly and impersonating someone else. For this reason it's important not to reveal information that would be useful to other people.
Phishing involves fraudulently trying to obtain confidential information. At some point you've probably seen an email from a bank that you may or may not be with, asking you to visit their web site for some falsified reason. Click through to the site and it may appear the same, but look a little closer and you may notice the web address isn't what it should be, and the site is in fact a replica designed with the specific intention of collecting your credentials when you try to log in.
Number one on the list - get yourself a secure password! Try and apply as many of the following as you can:
The more complex your password the harder it is for the previously discussed 'Brute Force' cracking to be effective.
If you think it will be difficult to remember a completely random string of characters for your password, try taking a couple of dictionary words and mixing them up by replacing letters with numbers, then add an additional few numbers or special characters to the beginning and end.
If you're not feeling creative, check out this secure password generator tool to do the hard work for you.
As mentioned previously, data can be logged with key loggers or tracked over insecure connections. Don't access your accounts from untrusted or unknown networks. If using public Wi-Fi, make sure the account you're accessing at least uses https.
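As an added example (not part of the original post), here is a small Python password-policy check of the kind a developer could enforce at sign-up. It applies the points above: a minimum length, at least three character classes, a lookup against a list of common passwords after undoing the usual letter-for-number swaps (so 'j0hn' is compared as 'john'), and a check that the password does not contain the account name. The common-password list and the substitution map are small constructed samples, not a real breach list; `min_length` of 12 is an assumed policy value.

```python
import re
from typing import List

# Constructed sample of commonly guessed passwords. A real deployment would
# use a breach-derived list with millions of entries.
COMMON_PASSWORDS = {
    "password", "12345", "123456", "letmein", "qwerty", "monkey", "iloveyou",
}

# Undo the usual letter-for-number/symbol swaps so that 'p@ssw0rd' and 'j0hn'
# are compared as the dictionary words they are derived from (constructed map).
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalise(text: str) -> str:
    """Lower-case, reverse the leet substitutions and drop non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET_MAP))


def check_password(password: str, username: str = "", min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Count lower, upper, digit and symbol classes; require at least three.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    if sum(1 for c in classes if re.search(c, password)) < 3:
        problems.append("uses fewer than three character classes")

    lowered = password.lower()
    norm = normalise(password)

    # A common password padded with a few extra characters is still weak, and
    # so is one disguised with number swaps, so test both the raw and the
    # normalised form.
    if any(word in lowered or word in norm for word in COMMON_PASSWORDS):
        problems.append("contains a common password (after undoing letter/number swaps)")

    # 'j0hn' for john@example.org: the local part of the address is not a secret.
    local_part = normalise(username.split("@")[0])
    if local_part and local_part in norm:
        problems.append("contains the account name")

    if re.search(r"(.)\1{3,}", password):
        problems.append("repeats one character four or more times")

    if password.isdigit():
        problems.append("is digits only")

    return problems


if __name__ == "__main__":
    for pw, user in [("password", ""), ("j0hn", "john@example.org"),
                     ("Tr4ctor-Bicycle#88", "")]:
        print(pw, "->", check_password(pw, user) or "ok")
```

The normalisation step is what catches the 'j0hn' case from earlier: a plain dictionary lookup would miss it, because the stored word is 'john', not 'j0hn'.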
Different email providers will provide different options for optimising security, Google for example offer 'two factor authentication' that requires a code from your phone in addition to entering a password to gain access to your account. Check the help for your provider to see what they offer.
This one's a no brainer. Make sure you've got appropriate software to protect your computer, this means antivirus to detect malicious software like key loggers and a firewall to control incoming and outgoing traffic.
Companies never ask for your password. If you get an email asking you to log on to your account to confirm something, check that the web site you're on shows the security icon in your browser and that the URL is consistent with the company you were expecting. Most major email service providers do a good job of blocking the majority of your spam emails.
Hackers can find out more about you than you'd think, so try not to give them an easy ride with the security questions; try to choose something only you know.
The more information you make available, the easier it is for people to use techniques like social engineering. Date of birth is a common question asked by companies as a form of authentication, but it is also one of the easiest pieces of information to obtain: does your Facebook account reveal your date of birth?
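As an added example (not from the original post), the following Python turns the 'look a little closer at the web address' advice above into a check that can be run over the links in a suspicious email. It confirms each link uses https, that the host is the expected domain or one of its subdomains, and that the address does not use the `user@host` trick, where the text before the '@' is login information rather than the destination. The email body, the `verify-login.example` host and the 203.0.113.5 address are constructed for the example; `expected_domain` is a hypothetical parameter naming the site's real registered domain.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the style of a "please confirm your account" message.
# Every address other than accounts.google.com is invented for this example.
SAMPLE_EMAIL = """Dear customer,

Unusual activity was detected. Please confirm your details within 24 hours at
https://accounts.google.com.verify-login.example/signin
or, if that page does not load, at https://accounts.google.com@203.0.113.5/login
or http://accounts.google.com/ (no padlock).

The real sign-in page is https://accounts.google.com/ServiceLogin
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def check_link(url: str, expected_domain: str) -> str:
    """Return 'ok' if the link is an https URL on expected_domain (or a subdomain),
    otherwise a short reason explaining why it should not be trusted."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "not https: anything typed into it travels unencrypted"
    host = parts.hostname or ""  # lower-cased, with user@ and :port stripped
    if not host:
        return "no host in link"
    if parts.username is not None:
        # https://accounts.google.com@203.0.113.5/ really goes to 203.0.113.5;
        # the part before '@' is login information, not the destination.
        return f"text before '@' is not the host; real host is {host!r}"
    if not host.isascii():
        return "host contains non-ASCII characters (possible look-alike domain)"
    expected = expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return "ok"
    return f"host {host!r} is not {expected!r} or a subdomain of it"


def scan_email(body: str, expected_domain: str) -> dict:
    """Map every link found in the body to its verdict from check_link."""
    verdicts = {}
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:)")  # drop trailing punctuation
        verdicts[url] = check_link(url, expected_domain)
    return verdicts


if __name__ == "__main__":
    for link, verdict in scan_email(SAMPLE_EMAIL, "google.com").items():
        print(f"{verdict:60} {link}")
```

The subdomain test is deliberately `endswith("." + expected)` rather than a substring search: `accounts.google.com.verify-login.example` contains `google.com` but is registered under `verify-login.example`, which is exactly the replica-site pattern described above.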
You know when you click 'save password' so you don't need to type it in next time? Most browsers will store that password unencrypted. What does this mean? It's very easy for anyone else who can gain access to your device (or a device you previously used), to go into the settings and read all your plain text passwords.
If you use the same password for everything then needless to say a hacker only needs to break one of your accounts to have access to them all. If you find it hard to remember a hundred and one passwords for all your different accounts, try adapting the same password for different systems (e.g. adding a word to represent the site you're on, so mypassword for ebay could become mypasswordshopping).
A lot of security experts recommend regularly changing your passwords, and many software systems even enforce it. The reasoning behind this is that passwords compromised in bulk may not be used straight away but instead sold on as part of organised crime. If this is the case, regularly changing your password might mean it's switched before they even get a chance to use it. Another reason is to prevent slower brute force attacks: if a computer is making multiple attempts at your password over a long period of time (i.e. weeks or months), changing your password potentially means you're switching it halfway through its password list, making the attack ineffective.
Personally, I'm not completely sold on these points. I think the inconvenience of these regular changes probably doesn't outweigh what are probably less likely scenarios. What does make me think twice, however, is the worrying frequency with which large companies keep losing our data, Adobe being one of the most recent victims.
Gmail user? Google offers the added security feature of 'two factor' authentication, which requires a code that is sent to your phone in addition to your usual password. Obviously this could be considered quite an inconvenience, but it does add a lot more security to your account. If you're interested in how this works and how to set it up, you can read more here.