Help! The news says my account is hacked!

Yahoo! recently revealed that over 500 million email accounts were compromised. This included losing usernames, passwords, and security questions with answers. Not much can be done to protect against these kinds of events. But some best practices can help mitigate the damage when an online provider gets compromised.

Take emergency steps

Before we dig into best practices, here is what every Yahoo! mail user should do as emergency steps:

  1. Change your Yahoo! password. If this was password shared among other accounts, change those too.
  2. Change all of your security questions - more on this below.
  3. Consider not using your Yahoo! email as a recovery option for other accounts. An attacker with access to your Yahoo! email could use it to reset the password on other accounts you have.

Unfortunately, the hacking of online providers happens all the time. Bitly, Comcast, AOL, and Kickstarter are just some examples. Good habits can help reduce the chance of an account getting compromised and reduce exposure when they do.

For important accounts, never share passwords

The password you use for that freemium Pandora account should not be the same password used for your online banking account. And your Yahoo! password should not be the same as the password to access your pay stub on ADP. If you have trouble keeping passwords straight, use an offline password vault solution or similar password manager.

Use a passphrase instead of a password

Individual accounts are often hacked because the password is too short or too common. Use a sentence to better protect your account. A song lyric, a statement of fact, or a favorite quote - “640K ought to be enough for anybody” - makes for a much stronger account.

Avoid using security questions

Account recovery systems often use security questions such as “What is your mother’s maiden name?” Nowadays, information like mother’s maiden name, elementary school, and high school mascot are easily searchable. Avoid using security questions wherever possible.

If I wanted to hack Buffy Summers' email, I’d simply click “forgot password” and answer her security questions. What is her birthdate? January 19, 1981. Middle name? Anne. Name of her high school? Sunnydale. Favorite hobby? Vampire slaying. And I can even find that her mother is divorced and now using her maiden name of Sutherland.

Yahoo!, which used to enforce security questions, now recommends against using them.

If you have to use security questions, consider the answer a second password

When you can’t avoid answering security questions, answer them with a non-sequitur. And to avoid confusion, keep that answer consistent no matter the question:

What is your mother’s maiden name?  640K ought to be enough for anybody

What was your high school mascot? 640K ought to be enough for anybody

What was the make of your first car? 640K ought to be enough for anybody

Avoid using your real birthday

A lot of account recovery questions start by asking for a birthdate. This information also is easily found on the internet. Doesn't Facebook tell everyone for you? Use a different day that is meaningful to you but not easily guessable like your start date on your new job, or the anniversary of your first date with your significant other. Don't use major holidays or historical events, like July 20, 1969.

Make sure your master recovery account is locked down tight... and make sure dual factor authentication is enabled

Just about every online service uses your email account to send a “forgot password” link in the event you forget your password. I stopped using Yahoo! for this a long time ago, as Yahoo! was slow to add encryption (HTTPS) and even slower to implement dual factor authentication.

Whatever email account you use as your “safe” account - that account from which all other accounts can be set, ensure it is locked down. It should at the very least do the following:

  1. Support encryption
  2. Have dual factor turned on

Isn’t dual factor a hassle?

Dual factor authentication can prevent access even if your password is compromised. Most implementations require a little setup but then are seamless. Consider these scenarios:

  • Do you ever use a public computer? Often these computers have malware capturing each keystroke.  

  • Do you ever downloading software from the Internet or click on links in email messages? Sometimes this results in a keylogger or virus getting installed and capturing passwords.

  • Do you use the same password on more than one site? Once your username and password are known to hackers, all of your account are susceptible.

Dual factor protects against all of these scenarios.

Just a few moments

Just taking a few minutes to lock down your most important accounts can make all the difference.