Sep 23 2010
How secure is your e-mail password?
Hello all! After a lengthy absence from these pages, I have returned. It is my goal to provide some helpful information to you at least weekly, and to try to keep you abreast of any current threats or trends of which you need to be aware.
In that vein, let’s talk about the security of your personal e-mail accounts. Most people now have personal as well as business e-mail accounts. Sites like Yahoo, Gmail, Mail.com, Hotmail, AOL, etc. all offer free e-mail with lots of storage space. They make it easy to keep in touch with friends and family, get notifications from your bank or online vendors, etc. But have you ever thought about the amount of personal information someone could obtain from your e-mail account?
Some of you may remember an incident in the last election where a college student “hacked” into Sarah Palin’s Yahoo e-mail account. That incident wound up causing a lot more trouble for the hacker than for Palin, but it highlighted a serious security issue. You see, there was no real “hacking” required. The student did not crack her password or get access to her computer – he was just able to figure out the answers to her “secret” questions. You know those questions they ask you in order to “verify” your identity, like your mother’s maiden name or the name of your first pet? Well, this young man was able to guess her answers just by doing a little online research. Once he had those answers, he was able to click the “lost password” button, supply the answers and have the password reset.
Now, this weakness is not just limited to your e-mail account. I have a number of bank and credit card accounts that use the same verification method. Some are more secure than others, though. For example, my bank allows me to create the secret question rather than making me select from a list of pre-determined questions. They also do not let me change my password immediately, but send an e-mail with a link I must click to change my password. However, with your e-mail account, they can’t send you an e-mail because you can’t access your account. So once you answer the secret question(s), you can reset the password.
There is information about you available online, and the more time you spend online, the more information there is. There is a good article on CNet describing how someone intent on accessing your e-mail might go about gathering the information they seek. It is a good read, and should help you think about the questions and answers you use to verify your identity online. Are you using information about you that someone can easily look up? As a rule, you want to use information that is not generally known to others.