What if your email got hacked? Here is what happened recently to Mat Honan:
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
The hackers erased all Mat’s digital photos and home videos of his young daughter, and his online backup of them. (The good news: after a lot of effort and money, he managed to get them back. Most of us would not have been able to do that.)
Your email account is a gateway to the rest of your digital life. Those ‘email me a new password’ links on most websites are pretty darn useful when you have forgotten your password for Paypal; but not so good if the bad guys are in your email and intercepting those handy-dandy password reminders.
The typical person reading this blog uses about 30 different websites, but I bet you only use two or three different passwords (if that). So once the bad guys get your password to one website, there is a good chance that the same password will also work somewhere else. LinkedIn recently confirmed that hackers had got hold of a database of 6.5 million hashed passwords, many of which were quickly cracked: armed with those usernames and passwords, the bad guys will have been able to get into a lot of other, more important websites such as your office system or online banking.
What’s more, the bad guys are getting quite good at cracking passwords. Those clever things you do to make a password hard to guess – like replacing an “E” with a “3” – they know those tricks too. (Breaking news: some burglars also know that some people leave on their lights at home when they are out.) Tricks like this are mainly useful if you are the only person who knows them.
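To show why the “E to 3” trick buys so little, here is an added example (my own code, not anything from the original post or from LinkedIn) of the kind of rule-based guessing that crackers run against a leaked list of unsalted SHA-1 hashes, which is what the LinkedIn dump was. The “leaked” hashes are constructed inside the script from four made-up passwords, the dictionary is a handful of common words, and the rules (upper/lower case, letter-for-digit substitutions, a short list of suffixes) are my own assumptions about a minimal rule set. Three of the four passwords fall to a few thousand guesses; only the one that is not a dictionary word with decorations survives.

```python
import hashlib
from itertools import product

# Substitutions that people think make a word unguessable.  Crackers apply
# exactly these rules to every dictionary word, so they add almost nothing.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "123", "2012"]

# Small constructed dictionary for the demo; real wordlists run to millions.
DICTIONARY = ["password", "secret", "dragon", "letmein",
              "monkey", "welcome", "sunshine", "football"]

# Constructed "leaked" passwords.  Only the hashes are handed to crack();
# the plaintexts exist here solely so the example is self-contained.
VICTIM_PASSWORDS = ["Pa$$w0rd", "s3cr3t!", "Dragon2012", "H7k#p2Lq!vZ9"]


def sha1_hex(text):
    """Unsalted SHA-1 as used for the LinkedIn hashes (not a safe way to store passwords)."""
    return hashlib.sha1(text.encode()).hexdigest()


LEAKED_HASHES = [sha1_hex(p) for p in VICTIM_PASSWORDS]


def leet_variants(word):
    """Yield every variant of `word` in which each LEET letter is either left
    alone or replaced everywhere it occurs (so 'password' yields 'p4ssword',
    'pa$$w0rd', ... and the unchanged word)."""
    letters = [c for c in LEET if c in word]
    for mask in product([False, True], repeat=len(letters)):
        out = word
        for c, swap in zip(letters, mask):
            if swap:
                out = out.replace(c, LEET[c])
        yield out


def candidates(dictionary):
    """Expand each dictionary word through the case, LEET and suffix rules."""
    for word in dictionary:
        for base in (word.lower(), word.capitalize()):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    yield variant + suffix


def crack(hashes, dictionary):
    """Return {hash: recovered_password} for every hash hit by the guess list."""
    remaining = set(hashes)
    found = {}
    for guess in candidates(dictionary):
        h = sha1_hex(guess)
        if h in remaining:
            found[h] = guess
            remaining.discard(h)
            if not remaining:
                break
    return found


if __name__ == "__main__":
    found = crack(LEAKED_HASHES, DICTIONARY)
    for h in LEAKED_HASHES:
        print(h[:12], "->", found.get(h, "(not cracked)"))
```

The cracked ones are exactly the “clever” passwords: a dictionary word with the letters swapped, a capital, or a year on the end. The survivor is the one that was never a word to begin with, which is the kind of password a manager will generate for you.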
So what can you do?
If you have a Google mail account, you should set up your account recovery options to include your mobile phone number. This won’t make it harder for someone to hack into your account, but it does increase the chance that you will be able to get control back if they do. This is a no-brainer. Do it now.
Now make a resolution to use different passwords for different purposes. I am not saying you have to use a different password for every website: nobody is going to remember 30 different strong passwords. I don’t think it is a problem to use the same password for LinkedIn and Facebook, as long as you accept that a breach at one of them exposes the other. But you should reserve unique passwords for your email and for online banking, and then use some different passwords for everything else.
One way to handle multiple strong passwords is to use a password manager such as LastPass – this is free software which works automatically with your web-browser and (in the $12 a year version) your mobile phone. It sets and stores a strong password for every website, and you just have to remember the master password for LastPass. This enables you to have a separate, complicated password for every website, and you won’t have to remember any of them.
Two-factor authentication
An even better way to keep out the bad guys is to have a second hurdle, in the form of two-factor authentication. The principle is simple. Getting into a website requires something you know (your username and password) and something you have (such as your cellphone or a dongle). Bad guys may crack or steal your password, but they still will not be able to get in unless they also have your phone. You may already use something like this for online banking or for accessing your office network.
The only major webmail service to allow you to use two-step authentication is Google mail. If you have a Gmail account, you should seriously consider turning it on to keep your mail safe. When you log in to your account from any new computer, and every 30 days after that, you will need to enter a verification code which you receive as a text message on your mobile phone. So even if a hacker has your username and password, he or she will also need your mobile phone, or a computer you have already trusted, to get into your mail. Setting up two-factor authentication on Gmail is a little involved, especially if you access your Google account from many different devices. But the hassle is worth it if you want to keep your mail account secure.
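Here is the two-hurdle login described above as an added example in working code (my own illustration, not Google’s implementation or anything from the original post). The password step uses a salted PBKDF2 hash; on success the site “texts” a six-digit code, which the demo simply records in an outbox instead of sending. The second step is where the details matter, and they are the ones an attacker with your stolen password will probe: the code expires, it is single-use, it is compared in constant time, and a few wrong guesses burn it. The five-minute lifetime and three-attempt limit are assumed policy values, and the injectable clock exists so the expiry path can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a texted code is good for five minutes
MAX_ATTEMPTS = 3         # assumed policy: three wrong guesses burn the code


def hash_password(password, salt):
    """Salted, slow hash for the 'something you know' step."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


class SmsSecondFactor:
    """Issues and checks the one-time code a site texts after the password step."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user -> [code, expires_at, attempts_left]
        self.outbox = []     # (user, code) pairs the SMS gateway would have sent (demo only)

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"   # unpredictable six digits
        self._pending[user] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.outbox.append((user, code))

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                       # nothing issued, or already used/burned
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]            # stale code: require a fresh one
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[user]            # single use: a replayed code must fail
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[user]            # too many guesses: a fresh code is needed
        return False


class LoginService:
    def __init__(self, clock=time.time):
        self.accounts = {}
        self.second_factor = SmsSecondFactor(clock)

    def register(self, user, password):
        self.accounts[user] = Account(password)

    def step1_password(self, user, password):
        """First hurdle: something you know. On success a code is texted."""
        acct = self.accounts.get(user)
        if acct is None or not acct.check_password(password):
            return False
        self.second_factor.issue(user)
        return True

    def step2_code(self, user, code):
        """Second hurdle: something you have (the phone that received the code)."""
        return self.second_factor.verify(user, code)


if __name__ == "__main__":
    svc = LoginService()
    svc.register("mat", "Pa$$w0rd")                      # constructed demo account
    print("attacker, right password:", svc.step1_password("mat", "Pa$$w0rd"))
    print("attacker, guessed code:  ", svc.step2_code("mat", "123456"))
    _, real = svc.second_factor.outbox[-1]               # what the phone received
    print("owner, texted code:      ", svc.step2_code("mat", real))
    print("owner, same code again:  ", svc.step2_code("mat", real))
```

Note what the stolen password buys the attacker on its own: the right to trigger a text message to a phone they do not hold, and a few blind guesses at a one-in-a-million code before it is burned.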
If it makes you nervous to store all your important passwords in LastPass, because your master password could be compromised, you may like to know that you can also turn on two-factor authentication in LastPass. (A hacker would need access to your mail to turn it off again, which is why you should keep your email password secure. You get the picture.)
Hey, you! Get off of my cloud
Storing everything in the cloud is fantastically convenient, and it provides a backup if you lose your computer or phone. But if all your personal data is in the cloud, you need to take some simple steps to keep it safe. Here is a checklist: