Password diversity

A friend’s email was hacked recently.  I received an email containing a single cryptic web link, and the subject line of the message was misleading.  Also, the email was CC’ed to many people.  All of these are obvious signs that the sender’s email account was hacked.  Here’s the email I sent the person after phoning to tell them about the problem.  It highlights one of my biggest concerns:  password diversity.

“As I told you on the phone a few minutes ago, it appears as if your email account has been hacked.

I’ve attached a PDF of the email which was sent from your account.  I recommend you change the password on your account immediately.  Use something that is eight characters or longer, and contains upper case letters, lower case letters, numbers, and special characters.  E.g. “Argo=BestPic.2013”

The other problem if someone has figured out your password is that you probably use the same password for different accounts.  So you should assume that those accounts have been compromised also.  Put different passwords on those accounts.

I know this is a pain in the a–.  But I contend that the biggest problem to security in this new on-line world we all participate in is a lack of password diversity.  If someone gets a password, they’ll try to use it everywhere else where they think you’ll be doing things on the internet:  Internet banking, Library accounts, University accounts, Facebook, LinkedIn, Google, etc., etc.

Even if you use a strong password (as recommended above), there are some web sites and services that have security flaws that might enable someone to get at the cleartext passwords.  The only protection against that type of thing is to have different passwords everywhere you sign up for something on the internet.  For instance, I have an account with a service called “Evernote”.  Last week it was revealed that 500,000 Evernote accounts were hacked and passwords were potentially revealed to hackers.  Because my password on Evernote was unique, I didn’t worry.  I just visited Evernote and changed my password.  None of my other on-line accounts would have been compromised.”
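The two points in that email, a strong password and a different one on every site, can be checked mechanically. The script below is an added example and is not part of the original post: it audits a small, constructed password-vault list (the site names and credentials are made up, and the three-field tuple layout is an assumption about what a password-manager export looks like), flags passwords that fail the length-and-character-class rule above, lists which sites share a password, and answers the question the Evernote paragraph raises: if one site leaked its cleartext passwords, which other accounts would fall with it.

```python
import re
from collections import defaultdict

# Constructed sample of a password-vault export as (site, username, password).
# Every value here is made up for this example; a real run would read the
# user's own exported vault (format is an assumption, not a real product's).
SAMPLE_VAULT = [
    ("bank.example", "alice", "Argo=BestPic.2013"),      # reused below
    ("library.example", "alice", "Argo=BestPic.2013"),   # same as the bank
    ("evernote.example", "alice", "n0t3s!Unique#7"),     # unique to one site
    ("social.example", "alice", "password"),             # weak, but unique
]

# The policy from the email: 8+ characters, upper, lower, digit, special.
POLICY_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def policy_violations(password, min_length=8):
    """Return the list of rules a password fails (empty list means it passes)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length}")
    for name, pattern in POLICY_CLASSES.items():
        if not pattern.search(password):
            failures.append(f"no {name}")
    return failures


def reuse_groups(vault):
    """Groups of sites that share one password; the password itself is not
    reported, only the sites, so the report can be read aloud safely."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def blast_radius(vault, breached_site):
    """Other sites whose password would be exposed if breached_site leaked
    its cleartext passwords (the scenario the email describes)."""
    leaked = {pw for site, _u, pw in vault if site == breached_site}
    return sorted(site for site, _u, pw in vault if pw in leaked and site != breached_site)


def audit(vault):
    """Full report: weak passwords per site and every reuse group."""
    return {
        "weak": {site: policy_violations(pw) for site, _u, pw in vault if policy_violations(pw)},
        "reused": reuse_groups(vault),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for site, problems in report["weak"].items():
        print(f"{site}: weak password ({', '.join(problems)})")
    for group in report["reused"]:
        print(f"same password on: {', '.join(group)}")
    for site, _u, _pw in SAMPLE_VAULT:
        hit = blast_radius(SAMPLE_VAULT, site)
        print(f"if {site} leaked passwords, also compromised: {hit or 'nothing else'}")
```

Run as-is it shows that a breach of the made-up bank site would also give away the library account, while a breach of the Evernote-like entry affects nothing else, which is exactly why the unique Evernote password in the email was not a worry. The report deliberately never prints a password, only site names.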

Please note:

  1. I phoned the person as soon as I realized there was a problem.  They will want to know, and they should know if their email is hacked so they can deal with it posthaste.
  2. I explained the simplest procedure, i.e. to change the password — and to use a strong password.
  3. I explained the importance of password diversity.

(I forgot to tell my friend not to click on the link in any such email received.  In this case I think she’s smart enough to know not to do that.)

Don’t fret over the amount of email hacking that is occurring.  Do something about it.