Password Algorithms: What to Do When You've Been Hacked

Share this

Last night, I was sent an email from a friend whose email was hacked. I am seeing a lot of that in the past year or 2, so I thought I would share my response to help train folks into better password habits. And seriously, I think that it would be a good practice to install the Password policy module on all your Drupal sites, to help enforce better habits for everyone. That module can be configured to force passwords similar to what I described here, and much more, such as requiring that passwords be periodically changed.

Image CC-BySA from http://gawdoflolz.deviantart.com/art/My-password-322798011

Dear (Friend),

I got those emails, it does look like it's possible that your email was hacked. You did the right thing, by changing your password. However, we need to do a few other things to try to minimize the damage.

1st, it is entirely possible, in fact probable, that they did not actually hack your computer. Identity theft is rampant, and in this interconnected world, does not even require any access to your computer.

That said, it is still possible that your computer has a virus. That would be the 1st thing to check. If you have an antivirus program, you need to ensure that it has been updated. That may require a fee, if you are using a paid antivirus program subscription.

If you do not have an antivirus program, I would highly suggest Avast, which I have been using for years. You can safely use the free version of it, as it is not crippled in any way from the paid version. You can find it at http://avast.com.

After, and only after you have scanned your computer for viruses, then you can get on with the business of securing your accounts against identity theft.

You will need to change your email password yet again, I am sorry to say. Additionally, you will want to change the security questions, which I believe that Yahoo will ask.

Treat the security questions as passwords in themselves, as these are most commonly used to hack in to an email account. That means that you should not use anything resembling what they actually ask for, such as your mother's maiden name or your 1st dog. That can be discovered with Google these days.

Next, a word about passwords. As you may have heard by now, you need to have a password that cannot be guessed. Unfortunately, that is not enough. You also need to have a mix of cases, at least one number, and a special character, such as a punctuation mark. Additionally, you need to have a different password for every account that you have.

I cannot stress that last paragraph enough. It is too easy for a hacker to get into, say an account with a forum, and use that to get into your Wells Fargo account. For instance, to use myself as an example, about 6 years ago, I accidentally broadcasted my password into a chat room, and about 2 weeks later, I got an email from a woman wondering where her Gucci bag was that she had purchased from my eBay account. It turns out that someone in Russia had hacked into my eBay account and listed about 100 fake Gucci bags.

I know that this sounds daunting, but it is necessary. Fortunately, you can use what is called an algorithm to remember your dozens of new passwords that you'll need to create. You can use that to create a new password for any site, and you will always remember it. Additionally, it will be secure for all intents and purposes.

Basically, you will choose a passphrase, modify and, and apply it to any site. For example, and please do not use this example, let say you choose "apple" as your passphrase. We will modify that to have a punctuation mark and a number, so that it will be "@pp1E". Then you would append that to the 1st 4 characters of whatever site that you are creating an account for. For instance, for eBay, your password would be "ebay@pp1E", and your Hotmail account would be "hotm@pp1E". This will make your passwords immune to so-called dictionary attacks, where they try to figure out your password by entering random words from the dictionary.

Much easier to remember, right? And for your financial accounts, I would suggest creating yet another algorithm, as an extra layer of protection.

You can apply this same idea to those security questions that you see everywhere. Basically, you do not want to actually use a real answer, because it is far too easy for a determined hacker to read about that experience in your 1st car that you posted in Facebook. Instead, treat them with the same respect as your passwords. For instance, you might create an algorithm with your grandmother's cat's name that you apply to a site's question for referring to your own pet.

Once you have done this, you should be fairly safe.

Good luck.

As a postscript, and not to deflect responsibility, it is entirely possible that your email was not the one hacked. It may have been a more intelligent hack, where someone hacked into someone else's Facebook account, for example. From there, they may have grabbed the contacts and spoofed an email from it, sending spam and making it look like it came from yours. This is a more insidious form of identity theft that is becoming more common. Still, the best defense is to secure your passwords.

Comments

siliconmeadow's picture

Good information here - thanks!

Hi Aaron,

Thanks for sharing this information Aaron - this is really important stuff. I don't consider myself a security expert, but I have made a deliberate decision to tighten up the security for my passwords. I have nearly 400 passwords in my database, none of which I've committed to memory, nor do I have an algorithm worked out to decipher or create them. I use lastpass.com and have multi-factor authentication with a yubikey to access what I need from lastpass. Also with my Google accounts, I've set up multi-factor authentication with my phone.

To the uninitiated, lastpass, yubikeys and multi-factor authentication sounds scary and complicated, but it's remarkably easy to do. On the other hand, I'm not the most skilled person in describing new technologies to n00bs in a way that makes them feel comfortable. Nonetheless, I WILL make an effort to do my own blog post to augment this sterling post of yours.

Thanks again, and keep up the good work!

Cheers,

Richard

The Society for Venturism has chosen me as the recipient of its charity for this year, to hopefully offer me cryonic preservation when the time comes. And this month, Longecity, an excellent forum for the discussion of issues related to extending the lifespan of humans, has offered up a matching grant of up to a thousand dollars to help out! So help out! Please.