I woke this morning to my smartphone telling me there was a log-in error for an email account I have. Thinking it was just a glitch or network error I retyped my regular password only to be greeted by the same box asking for my password on my phone.
I did this a few times and then decided to get on a computer to check things out because I thought I might be mistyping the password on the phone’s virtual keyboard.
When I tried to log into the account at the computer, I was greeted with a security screen saying there has been ‘unusual activity on your account’ and my account was locked, and they had other information to verify my identity to unlock the account, and since my cell number was actually stored there I opted for the unlock code to be sent to my phone since I was physically in posession of it at the time.
After I went through the process of unlocking my account, I logged on and discovered that my account had indeed been hacked, while no damage was done (I no longer store my address book online with this account) an attempt was made to send emails with a webpage link to a few addresses that had previously sent me an email, most of which were invalid, and I had 15 bounced messages from this attempt.
Luckily I actually exported, then deleted the address book on this hacked account earlier this week as I was combining that address book (which only contained about 50 valid email addresses) with one from another account, and removing duplicate information.
I immediately went online and changed the password for each account I had on my phone, as well as others. I also changed the security questions and answers, and updated the email address that can also be used to unlock the account.
At work we have to change passwords every 45-60 days depending on the application including for the Exchange server for email. I recently had to change one, and they require a password of at least 8 characters, and it must include letters (with at least one being uppercase), numbers, and a special character, such as the dollar sign ($).
I haven’t changed the password for this personal email account in a while, which is a bad practice I know, but I also never thought something like this would happen to *me*.
I have been using an application called KeePass, which will generate passwords for you as well, I do recommend it. I also recommend creating a strong password, using uppercase, lowercase, numbers and special characters if possible.
A good way to come up with a password is a memnonic, and it’s actually what I recommended to my dad recently when we were securing his wireless network at home, I’d noticed he had an ‘open’ network connection, so I discussed it with him and my brother-in-law and to make it easy for my dad to remember we came up with a memnonic for him that he could easily remember if he needed to log in as admin to make changes to the wireless setup.
What you would do is come up with a phrase or saying that’s easy for you to remember but harder for someone to guess, and add the extra elements (like numbers and special characters) someplace in the password.
For example, your phrase could be “I have a yellow ford explorer with a moonroof” Your password could then be something like “IhaYFewAm90$”. You should have a few phrases like this that you can use to create passwords from.
The longer the password, the better, and DO NOT write it down anyplace, I’ve seen people put it on post-it notes and stick it to the inside of a drawer, stuck to the monitor, desk or someplace around the computer.
I would also protect bank PIN numbers in much the same way, and change them regularly, some banks now require at least a 6 digit pin, but it can be anything from 4-10 digits that I’ve already seen. Again, the longer the better, but don’t choose something easy for someone else to guess (like a child’s birthdate).