Understanding Email Password Hacking
Introduction to Email Password Hacking
Before we get started you can rest slightly better knowing that hacking doesn’t work like Hollywood makes it work. The truth is that email password hacking takes much more time and is fairly boring in practice. The most likely abuser is just a spammer looking for emails to use in a botnet.
Regardless, you do want to protect your email password from these people and also protect your contacts and private information from entering the wrong hands. In order to understand how to protect yourself, I’ll cover the basic methods of email password hacking and then cover the best methods of email protection.
Email Password Hacking - Password Cracking
This is the method that is always shown in the movies. Someone can pull up the login screen, pull up a little program and then run through all available passwords in a few seconds and find their password. Naturally this isn’t how it really works.
This method is called “brute force.” It runs through all possible passwords. It’s like trying to open a combination lock by going “1-1-1…1-1-2.” Note that this can take a really long time unless they have a very powerful network. There are ten numbers and 26 letters that can be used along with a lot of symbols that can be thrown in. Passwords generally have to be 8 characters or more. Ignoring the mess that symbols create, it would take 36^8, or 2,821,109,907,456 attempts to go through all available combinations. So yes, it will take a while to actually do this unless they’re using a few supercomputers, in which case you’d be far below their radar. They would also have to be careful not to have their IP address flagged for a high number of attempts. It’s not uncommon for a site to just lock an account down after a few failed attempts in a short period, since it just assumes that a crack attempt is occurring. Again, a botnet can overcome this, but people with such a network usually have more important things to do or lucrative jobs stopping hackers.
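The lockout described above, seen from the site's side, as an added example that is not part of the original article: it counts failed logins in a sliding window, once per source IP and once per account, over constructed sample events. The threshold, window and event layout are assumptions; counting per account is what still catches guesses that arrive from many different addresses.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_time, source_ip, account, success).
# IPs are from the documentation ranges; accounts are made up.
EVENTS = (
    # One address hammering one account.
    [(1000 + 10 * i, "203.0.113.9", "bob@example.com", False) for i in range(5)]
    # Six different addresses, one guess each, against the same account.
    + [(2000 + 20 * i, f"198.51.100.{10 + i}", "alice@example.com", False)
       for i in range(6)]
    # A legitimate user mistyping twice, then logging in.
    + [(3000, "192.0.2.44", "carol@example.com", False),
       (3030, "192.0.2.44", "carol@example.com", False),
       (3060, "192.0.2.44", "carol@example.com", True)]
)

def lockouts(events, key_index, threshold=5, window=300):
    """Map each key (IP or account) to the time it first reached
    `threshold` failed logins within `window` seconds."""
    recent = defaultdict(deque)   # key -> timestamps of recent failures
    flagged = {}
    for event in sorted(events):
        ts, success = event[0], event[3]
        if success:
            continue
        key = event[key_index]
        failures = recent[key]
        failures.append(ts)
        # Drop failures that have aged out of the window.
        while ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and key not in flagged:
            flagged[key] = ts
    return flagged

def per_ip(events):
    return lockouts(events, key_index=1)

def per_account(events):
    return lockouts(events, key_index=2)

if __name__ == "__main__":
    print("flagged by IP:     ", per_ip(EVENTS))
    print("flagged by account:", per_account(EVENTS))
```
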
There are also programs that just run through the dictionary. They’re much quicker but they can fail as long as you throw a number into the email password.
Naturally there are some exploits that come out that allow a quick hack. Sometimes source code is compromised too. Thankfully any good email provider will try to stay on top of these security exploits and close them as quickly as possible. The truth is that email password hacking is usually due to more mundane and non-hacking methods.
Email Password Hacking - Malware
If you’re wondering about the most likely culprit for hacking someone’s email password, then it’s probably just standard malware. There isn’t much of a trick to this either. Malware can get onto a computer through the user downloading a malicious program without realizing it. It can also slip onto the computer through exploits in browsers, usually through loopholes from viewing banner ads and pictures. If the user has malware protection in place then it will hopefully be caught.
If not, the malware might capture some information. Trojans and keyloggers are both able to do this. A Trojan acts as a backdoor and allows another person to hijack a computer. This can let them simply log onto the email and change the password or steal it as if they had physical access. Keyloggers just record information and broadcast it to their master. They then read through the captured information and look for login information. Usually they’re interested in things like PayPal or banking information, but an email password can be a good starting point.
It is also possible that malware will directly raid browser caches for stored passwords.
Email Password Hacking - Phishing and Social Engineering
I won’t go into as much detail with this because we have plenty of specialized articles on phishing. In fact, another writer just produced an article on avoiding Gmail phishing. Those tips will work well for protecting yourself. Basically, phishing is just an impostor trying to trick you into handing over your login information. The usual method takes the form of “Your Account May Have Been Hacked…To Unlock It Give Us This Information.” This is probably one of the most prolific methods of “hacking” someone’s email password. They just give it to the scammer and don’t realize it.
Social engineering can be a little different. Phishing is one method, but the term covers all creative methods. For example, a lot of people sign up for a website with their email account and then make a password to log onto the site. If you use the same password for the site as for your email, then an unscrupulous site can sell the information or hack the email themselves. Worse, if the website stores your password on their server, then a hacker could get their hands on thousands of emails and potentially email passwords by getting into the server of the less secure site.
Finally, the email hacker can just “recover” the password. A lot of people use security questions that aren’t actually secure. Let’s just take a look at Sarah Palin. You may have already heard about this. She used a Yahoo email account for a lot of private communication. In 2008 it was hacked and a number of her emails and the email addresses of her contacts were released. The real hacker (who was eventually charged for his role in it) explained that he didn’t do much. He just had to answer her security questions. To do this he only had to type in her birthday, her zip code and where she met her husband. This required him to use Wikipedia for the birthday, USPS.com for the zip code and Google to find an interview where she mentioned meeting her husband.
Security questions need to actually be safe.
Email Password Hacking - Protecting Yourself from Cracking
Let’s take a look at how you can defend your email password from hackers.
First, beating an email hacking program is easy. Use a strong password and a long password. If you have trouble remembering them, you could use something like KeePass (I believe it will also autogenerate a truly random password) or keep a small notebook in your desk drawer. If you want an idea, think of a movie/show/animal/actor that you like and a related number. You could also use a foreign word. To an American hacker, it should look random. Put the numbers in the word, like this - te1st0pass. If you want to be really sure, add a symbol where it would make sense to you. For example, you could make it [email protected]$s. That’s probably going to be far too annoying to be worth their time.
Try to keep at least a few different passwords. It doesn’t matter if you have a super password that can’t be brute forced. Using anything besides “password” will do that. If you use one password for everything and it is phished or stolen from an insecure site, then they have access to everything. Worse, if the password is even feared to be stolen, you’ll need to change everything.
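As an added example (not from the original article), here is the arithmetic behind "strong and long": it starts from the 36-character, 8-position count given in the cracking section, compares it with a longer password over all printable symbols, and generates a random one with Python's `secrets` module. The lockout rate of 5 attempts per 15 minutes and the 16-character default are assumed values.

```python
import math
import secrets
import string

# Character classes used for generated passwords (26 + 26 + 10 + 32 = 94).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(space, attempts, per_seconds):
    """Worst-case years to try every candidate when the site allows only
    `attempts` guesses every `per_seconds` seconds (assumed lockout rate)."""
    seconds = space * per_seconds / attempts
    return seconds / (365.25 * 24 * 3600)

def generate_password(length=16):
    """Random password drawn from the OS CSPRNG, with every class present."""
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate

if __name__ == "__main__":
    for label, size, length in [("letters+digits, 8 chars", 36, 8),
                                ("all printable, 16 chars", 94, 16)]:
        space = keyspace(size, length)
        print(f"{label}: {space:,} candidates, "
              f"{entropy_bits(size, length):.1f} bits, "
              f"{years_to_exhaust(space, 5, 900):.2e} years at 5 per 15 min")
    print("generated:", generate_password())
```
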
Also, in the event of a site compromise, just stay alert. Check your sent email folder for any spam being sent from your address through the program and see if the site offers a way to check the latest IP addresses of logins. Gmail offers this at the bottom of the page. They should all be recognized as yours.
Email Password Hacking - Protecting Yourself From Malware
This isn’t too hard. We’ve got more articles than I can count on the best free spyware protection and the best free antivirus protection. Just search around a bit to find some good software for getting malware and viruses off your computer. There’s even an entire article on proactive virus protection to keep your computer shielded.
Just install one of these, get it running, set up automatic updates and scans, and then enjoy your relative safety.
Email Password Hacking - Protecting Yourself from Social Engineering
Protecting yourself from phishing is easy. Always pay attention to the details in your message to see if it’s a phishing email and never give away your personal information or login information. Chances are that anyone supposedly requesting it would already have it.
Social engineering is a bit harder. You should just make sure that your security questions are actually secure. Don’t use something that anyone can figure out. I absolutely hate the fact that banks and utilities seem to think that the town where you went to college is a secret. They apparently don’t know about Facebook. You probably have the same problem with something like a pet’s name or a school mascot.
If you can, just make a personal passcode (or series of passcodes) and use them. They won’t really care if you’re lying, so feel free to mix it up and give a “wrong” answer (although you need to remember that you did this). If they let you make your own question, do so. Make it a little keyphrase that will remind you of what you wrote. For example, I know about someone who always uses “What’s the sound of a red bird walking” as his secret question. The answer is “a blue duck quacking.” Yes, that makes no sense to anyone but him and it’s a perfect secret answer (and yes I altered it a bit for this article and I follow my own rules).
If you also follow these basic rules, then you should be able to prevent email password hacking attempts.
All images courtesy of Morguefile.com