Third In A Series: A recent post featured true stories of people who had their email accounts hijacked, and what happened to them as a result.
A follow-up explained how webmail services like GMail, Yahoo Mail, and Hotmail can be exploited by using the password reset feature.
A hacker without any sophisticated skills can burglarize a web-mail account by using the same password reset feature that is provided for the legitimate user who forgets their password.
If your account gets hijacked, you’ll be locked out of your own email. You may realize what has happened, but by then it is too late. The attacker has had access to your personal information, possibly using your email address to gain access to other accounts, such as Facebook or your online banking.
There are three simple things you can do to improve the security of your web-based email. Let’s take a look at how to make the password reset feature in Yahoo Mail more secure.
(We will examine the features of Yahoo Mail; other popular web-based email has similar features.)
When you create a new Yahoo Mail account, you are asked to provide:
- An alternate email address (optional) and
- Answers to 2 “Secret Questions” (required)
Do you remember when you created your web-mail account?
Were you in a hurry (like a lot of other users) to use your new email account?
Maybe you didn’t take a lot of time to fill in the required information. If so, you should go back to your account settings and strengthen your password-reset info:
- Create your own personal secret questions
- Set up an alternate email account
- Use your mobile phone to provide yet another layer of security
Step 1: Get Rid of The Secret Question
The “secret question” is probably the weakest link in protecting your online email. Many of the secret questions do not provide much security to a reasonably well-informed attacker. Here is a list of Yahoo’s standard questions:
Where did you meet your spouse?
What is your oldest cousin’s name?
What is your youngest child’s nickname?
What is your oldest child’s nickname?
What is the first name of your oldest niece?
What is the first name of your oldest nephew?
What is the first name of your favorite aunt?
Where did you spend your honeymoon?
Where did you spend your childhood summers?
What was the last name of your favorite teacher?
What was the last name of your best childhood friend?
What was your favorite food as a child?
What was the last name of your first boss?
What is the name of the hospital where you were born?
What is your main frequent flier number?
What is the name of the street on which you grew up?
What is the name of your favorite sports team?
What was your first pet’s name?
What is the last name of your best man at your wedding?
What is the last name of your maid of honor at your wedding?
What is the name of your favorite book?
What is the last name of your favorite musician?
Who is your all-time favorite movie character?
What was the make of your first car?
What was the make of your first motorcycle?
In many cases, these questions could be guessed by an acquaintance, co-worker, or anyone with access to basic information about you. A much better choice is to write your own secret question.
When you write your own secret question, make sure that it cannot be guessed easily. Here are some very bad secret questions…
- What is my dog’s name? (Hopefully your dog doesn’t have one of these names.)
- What is my favorite color? (Unless it’s something like gamboge, it isn’t going to be too hard to guess.)
- Who was president when I was born? (Obviously, you don’t want to use questions like this!)
So what kind of question should you use? You want to choose something that has many possible answers but is easy for you to remember. Yahoo recommends: “Make sure your answer is private, memorable and does not change over time.”
If at all possible, just memorize a short word or phrase. As long as it’s not too obvious, you could use a favorite book, quote, or song title, etc.
Think of a sentence like: “My favorite book is Gone With The Wind.” That can be converted to MFB=G@TW. In other words, it’s sort of like a second password (but note that Yahoo’s secret questions and answers are not case sensitive).
Don’t give away many clues in the question itself. You might have something like this:
Step 2: Add a Backup Email Address
Although it is not required, you should configure another email address to be used to reset your web-mail password. (Here’s a suggestion: Do not configure two email accounts as password-reset addresses for each other. If one of them is hijacked, then the second is vulnerable too.)
Choose an email address that you will have access to in the future, and that you do not share with anyone else.
Step 3: Enlist The Help Of Your Mobile Phone
One of the best ways to secure your email is to add your mobile phone number to your password recovery options. If you do, and you forget your password, you can receive a text message with a code to change your password.
Conclusion
Eliminating generic “Secret Questions” is the first and most important step to securing your online email. If you have chosen a strong password that you will not forget, and configured your mobile phone and your backup email account just in case, you don’t really need the Secret Question option at all.
If you prefer to eliminate that password recovery option altogether, you can do that as follows:
- Choose any of the generic Secret Questions
- Type a lot of junk in the Answer box
- Hit Save
- Forget about it … Now you don’t know the answer to the secret question, and neither will anyone else
- Use the other password recovery tools if needed.
Just be sure that you have your backup email address and mobile phone number added BEFORE you perform the steps above!
Coming soon:
Generate a strong password that’s easy to remember and hard to forget!
More:
TechCrunch: RockYou Hack: From Bad To Worse
net-security.org: Analysis of 32 million breached passwords
Jimmy Ruska: Most common passwords list from 3 databases
Vic says
I like custom Secret Question for which I have my own secret answer
marius says
If you try to reset the password and the initial answers are known, you can always revert to those questions, by clicking “This is not my question”
This is so stupid of yahoo.
So if answers were compromised, no matter what you do, the attacker can get access to your account and reset your password, using the answers to the initial questions.
Sam says
All providers have to offer an option to write your own secret question!
It is not always the case now.
And that is hugely inconvenient.
John Coverdale says
Global Knowledge Training has posted a good article on password security that includes info on types of passwords to avoid, plus tips on how to create easy-to-remember, strong passwords: 10 Steps to a More Secure Password