Everyone knows that one of the most common-sense things you can do to make your home secure is to lock your doors and windows before you go to bed or when you are away from home. Surprisingly, though, many people fail to lock the front door of their email accounts.
I previously discussed making your online life more secure by using stronger passwords. In that article, I pointed out the top 25 worst passwords you can use, but I still regularly find people who choose an easy-to-remember password over a secure one.
As an email hosting provider, I see email hacking attempts every day, and the one thing they all have in common is that their success depends on users choosing weak passwords. Hackers are smart, and they pay attention to what works.
For example, have you ever wondered why you still get emails from Nigeria asking you to funnel money out of the country, provided you first send them $199 to get the process started? The reason you still get those messages is that they work! There are still people who fall for this scam every day. And as soon as it stops paying off, the con artists will come up with another scam just as profitable.
Hackers are no different. They find something that works and they stick with it. I freely admit that I have struggled with the prospect of posting the information that I plan to include in this message, but at the end of the day, I would rather post this information and perhaps make email hackers change their strategy than to withhold key information that can make you safer online.
So, I guess the first question you might have is “Why would anyone want to hack my email account, and what does ‘hack’ mean anyway?”
In everyday usage, “hack” means gaining access to systems you have no permission to use. Back in the day, phone phreaks manipulated the telephone company’s switching equipment over the line itself in order to make long-distance calls for free. Once computers began talking to each other over telephone lines, the goal became access to mainframe computers, for prestige, bragging rights or pure greed.
In the 1980s and 1990s, three movies glorified, or at least put a Hollywood gloss on, hacking: 1983’s “WarGames“, 1992’s “Sneakers” and 1995’s “Hackers.” All three are very entertaining, and I can highly recommend any or all of them if you want a date night at home with your sweetheart and a big bowl of popcorn. However, each one in its own way glorifies hacking in ways that simply are not grounded in reality. Hacking is not sexy, and it certainly isn’t glamorous. It may have started out with white-hat hackers (those who intended no harm) and black-hat hackers (those who intended to break in and steal things), but as far as I’m concerned, all hackers today are interested in one thing and one thing only: money.
An email hacker wants to gain access to as many email accounts as possible to:
- Send vast quantities of spam emails to generate sales for shady products
- Send vast quantities of phishing emails to gain access to online accounts such as email, eBay or others.
- Generate traffic to various websites to inflate their click counts and earn more affiliate-link money.
- Deliver viruses and other malware to computers in order to take control of those machines and use them to do all of the above.
So, now that you understand the motive, how do you lock the front door to your email account and help prevent your identity from being stolen? It is actually pretty simple. You’ve got to learn how to work the lock!
Learn How To Work The Lock
The first step to securing the lock on your email account is understanding what an easy-to-pick lock looks like. I provided a list of the 25 worst passwords in an earlier post. Today, I want to show you what a hacking attempt really looks like: the passwords an actual attacker tried against a non-existent email account on our server. For the record, our server is configured to detect break-in attempts automatically and lock the accounts under attack. In this case, because the attacker was going after an account that did not exist, there was nothing to lock, and we were able to record the complete attack from start to finish.
The attack started at exactly 5:00am and was over by 5:11am. In those eleven minutes, the attacker tried 367 combinations of passwords and variations of the account name, roughly one guess every two seconds. (For the sake of this article, let’s assume the account being attacked was bubba@example.com.)
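The detection the server performs can be illustrated with a short Python script. This is an added example, not the hosting provider’s own software: the log format is constructed for the demonstration (one line per login attempt, with a result of auth-ok, auth-failed or unknown-user), the IP addresses come from documentation ranges, and the threshold of 20 failures in an eleven-minute window is an assumed setting. The sample log reproduces the shape of the attack described above: 367 guesses at a mailbox that does not exist, spread over eleven minutes, beside a real user who mistypes her password twice and then signs in.

```python
"""Flag a password-guessing burst against one mailbox from auth-log lines.

Added example, not the hosting provider's own software. The log format is
constructed for this demonstration, one line per login attempt:
    YYYY-MM-DD HH:MM:SS <result> user=<account> ip=<addr>
where <result> is auth-ok, auth-failed or unknown-user (mailbox does not exist).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>auth-ok|auth-failed|unknown-user) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, ip), or None if the line is not an auth record."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect_bursts(lines, window=timedelta(minutes=11), threshold=20):
    """Return accounts that saw >= threshold failed logins inside any sliding window.

    Maps account -> summary dict. Guesses at a mailbox that does not exist can
    never be a legitimate user mistyping, so they are marked unknown_user=True.
    """
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line
        ts, result, user, ip = rec
        if result != "auth-ok":
            failures[user].append((ts, ip, result == "unknown-user"))

    flagged = {}
    for user, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = {
                    "attempts": len(events),
                    "first": events[0][0],
                    "last": events[-1][0],
                    "ips": sorted({e[1] for e in events}),
                    "unknown_user": any(e[2] for e in events),
                }
                break
    return flagged


def make_sample_log():
    """Constructed sample: 367 guesses at a non-existent mailbox in eleven minutes,
    plus a real user who mistypes twice and then signs in."""
    lines = []
    start = datetime(2013, 7, 15, 5, 0, 0)
    for i in range(367):
        ts = start + timedelta(seconds=int(i * 1.8))  # last guess lands at 05:10:58
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} unknown-user user=bubba@example.com ip=203.0.113.7")
    legit = datetime(2013, 7, 15, 6, 12, 0)
    lines.append(f"{legit:%Y-%m-%d %H:%M:%S} auth-failed user=alice@example.com ip=198.51.100.23")
    lines.append(f"{legit + timedelta(seconds=9):%Y-%m-%d %H:%M:%S} auth-failed user=alice@example.com ip=198.51.100.23")
    lines.append(f"{legit + timedelta(seconds=20):%Y-%m-%d %H:%M:%S} auth-ok user=alice@example.com ip=198.51.100.23")
    lines.append("2013-07-15 06:13:00 imap-login: client connected")  # unrelated line, ignored
    return lines


if __name__ == "__main__":
    for account, info in detect_bursts(make_sample_log()).items():
        print(f"{account}: {info['attempts']} failures {info['first']:%H:%M:%S}-{info['last']:%H:%M:%S} "
              f"from {', '.join(info['ips'])}; mailbox exists: {not info['unknown_user']}")
```

Two design points are worth noting. The window slides over sorted events rather than counting per fixed clock minute, so an attacker who straddles a minute boundary does not escape. And the unknown_user flag is kept separate from the count: a burst against an address that does not exist cannot be a forgetful customer, so it deserves a block on the source address rather than a lockout of a mailbox.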
Here’s a list of unique passwords that the hacker used repeatedly:
There are several things we can learn from this list:
- Who knew that hackers knew the digits of π?
- The number patterns are fairly obvious, but if you are going to use a password that is all numbers, be sure to use a number that isn’t known to everyone (i.e., see #1).
- Note that several of the 25 worst passwords are in this attacker’s list. That is proof once again that those passwords are terrible choices, and evidence that the passwords on that list really are in use.
- The individual names like daniel, jessica and michael surprised me at first, but on reflection the only reason I can think of for trying them is that they are very popular names, and therefore might be the name of the account’s owner, one of their children or one of their grandchildren.
- The most interesting grouping is the passwords that start with the word “bubba.” Remember that we said earlier to assume the account under attack was bubba@example.com (we replaced the actual account name with bubba in the hope of confusing any future hackers). The “bubba” series is simply everything to the left of the ‘@’ symbol followed by every year from 1961 to 2013. The idea is to combine the account name with the birth year of the owner, one of their children or one of their grandchildren.
Trying a prepared list of likely passwords against an account, one after another, is called a dictionary attack. The attacker has compiled a list of passwords that have worked in the past and constantly refines it on the basis of what works. To make matters worse, attackers share these lists with each other online. So while you might update your password once in a blue moon, an attacker is refining his list daily, if not hourly.
Ultimately, the key to securing the front door of your email account is to try to think like a hacker. A hacker depends upon the average person picking the first password that comes to mind. A child’s name, or a birthday. All you have to do to frustrate a hacker is to choose not to play his game. And it really doesn’t take much to make a hacker decide to move along to someone else, just make his job as hard as possible.
Want to use a birth date in your email password? Pick that of a famous person or an ancestor born 200 years ago. Do you remember the date of your first kiss, the birth of your dog, or even the death of a favorite relative? Feel free to use them, but break up the numbers with letters in between. Better yet, reverse the date as well: instead of 01/01/1998, write the digits backwards and slip letters between them, giving something like “d89C91b10A10”. Keep in mind that any date is only eight digits, so the letters you mix in are doing most of the work; the date by itself is not the secret.
You can even use an ancestor’s middle name as part of your password, as long as it is unique enough. For example, my grandmother’s name was Ethel Odie. No way to forget that name! And, no, I don’t actually use that name, but it makes my point very well.
Here’s a good rule of thumb: if you want to use anything for a password that someone might find on Facebook or MySpace, a personal web page, the yellow pages or a church directory, forget it and try something else. For example, your own address is not a good starting point, but perhaps the address of the hospital where you were born might work.
Here’s another good rule of thumb: Create a password for your email account and then throw it away and pick another. Rinse and repeat several times. By the time you’ve created your fifth or sixth unique password, you’ll probably have a pretty good password.
The trick is to create a password and then try to think like a hacker. Don’t assume that a cute password is secure, in fact, you should assume that a cute password can be broken faster than any other. Pretend that your email password is just like the front door to your house. Do you have a deadbolt on your front door? Then, create a password that is as secure as the deadbolt on your front door.
A really good password should have the following traits:
- It should be at least eight (8) characters long; in fact, the longer the better. I’ve heard of some people using software on their computer that generates random passwords 50 characters or more in length.
- Your password should contain a mix of letters and numbers.
- Your password should have at least one upper-case letter.
- A great password includes symbols such as # * $ ( ) or !.
Create a password with all of these traits, using information that is not accessible to anyone or published anywhere and you’ll be well on your way to locking the front door of your email account.