December 27, 2012

Keeping your email secure from hackers

I’ve helped a few people deal with hacked Gmail accounts recently, so I wanted to write up some general advice on keeping your email account secure and what to do if your account is hacked.

  1. Use a strong passphrase. We’ve been trained by draconian IT departments to use passwords that are difficult to remember but easy for computers to guess through automated trial and error (the technical term is “brute force attack”).

    It turns out that adding a few numbers and symbols to a short password doesn’t make it much harder to guess: cracking tools try every word in a dictionary with exactly those substitutions, so “4m3r!can” is only slightly safer than “american”. What protects you is length and unpredictability. So instead of a short password like “4m3r!can”, use a passphrase of several memorable but unrelated words, with a number and some punctuation mixed in, like “47 American hashbrowns basic tree?”.

  2. Use a unique passphrase for your email. If you use the same password on other websites and one of those sites is hacked, your email account could be compromised.

  3. Check your password recovery settings. Easy-to-guess password recovery questions were to blame for Sarah Palin’s hacked email. Don’t use questions like “mother’s maiden name” or “date of birth” with answers that are available in public records. Make sure that your secondary email address is current and properly secured.

  4. Don’t use free email accounts that expire automatically if you don’t log into them frequently enough. This could allow a third party to take over your expired email address and then recover passwords for other sites where you signed up with this address.

    Gmail will let you keep free accounts indefinitely at the time of writing. Fastmail offers a $5/year account that won’t expire.

    This advice could be extended to: don’t use free email accounts at all. I would recommend paying for an account that includes technical support, since support is who you will need to reach if you are ever locked out.

  5. Always use HTTPS and don’t sign in on public computers. Most email providers now default to an encrypted connection (HTTPS), which stops anyone on the same network from reading your password or hijacking your session. HTTPS does nothing for you if the computer itself is compromised, though, so avoid signing in to your email account on a public computer, which may be running a keylogger or other malware.

  6. Use Google Chrome. Chrome updates itself automatically in the background, so you are rarely running a version with known holes, and it is generally more secure than the alternatives (Mozilla’s Firefox, Microsoft’s Internet Explorer, or Apple’s Safari).

    Also be careful about any third-party plugins, toolbars, or extensions you install. An extension runs with access to every page you visit, so a malicious browser add-on can easily steal login information from any website, including your email.

  7. Enable two-step verification (Google calls it 2-step verification). This is a free feature for any Google account. It uses an app on your smartphone, or a text message sent to a basic phone, to give your account a second, one-time code that changes each time you sign in. This means that a hacker who knows your username and password still can’t log in without also getting a fresh code from your phone. Keep the backup codes Google gives you somewhere safe so that losing the phone doesn’t lock you out. It’s a minor inconvenience but is massively more secure.

    Fastmail offers SMS-based and YubiKey-based two-factor authentication. Yahoo! Mail also has SMS-based two-factor authentication. I don’t believe other common providers offer this feature.

The ideal setup

I use Google Apps for my email. This is slightly more difficult to set up than Yahoo! or Fastmail because you have to get your own domain name (maxmasnick.com in my case). This isn’t a bad idea because it allows you to switch email providers without changing your email address, but it is an extra layer of complexity.

If you want to keep it simple, I recommend Fastmail. They’ve been around longer than Gmail and have an awesome interface without ads.

If you don’t want to pay for email, I recommend standard Gmail or the essentially free basic Fastmail account. With two-step authentication, of course.

What to do if you are hacked

The steps for recovering your account depend on your provider. In general, if you can still access your account you should immediately change your password. If you can’t access your account, you’ll need to get in touch with your provider (see “don’t use free email accounts” above).

You should then try to figure out how your account was hacked. The most likely reasons are: (1) you reused the password on another website that was compromised, or (2) your password was stolen by a virus or other malware on your computer. To address the latter, make sure your computer and web browser are up-to-date and virus free before you change the password again, or the new one will be stolen too. Google has a good guide for doing this regardless of your email provider.

Gmail-specific note

Gmail offers some additional tools for detecting and preventing malicious access to your account. In the very bottom-right corner of the Gmail inbox, you should see “Last account activity” and a link to “Details”. This shows everywhere your account is currently signed in, with IP addresses and times, and lets you sign out all other sessions. If you change your password and then sign out all other sessions, you should be able to immediately lock out a hacker. Also check your settings for forwarding addresses or filters you didn’t create, since adding one is a common way for an intruder to keep reading your mail after the password has been changed.

