Strong passwords are important, but they don't protect you from everything. I'll look at other ways that your account can be compromised.
I sometimes play a game online to pass the time. It's a simulation type of game but I like it. One day I logged into my account and realized that someone had changed the password and taken all my stuff. How is it possible that they've hacked my account? My password has plenty of characters, is almost impossible to guess because it sounds like random gibberish to everyone else except myself, and there are plenty of numbers and secret characters in it. Is it true that they used a hacking device or program of some sort to hack my account?
I can't say what could have happened in your case, specifically.
However...
I can think of a number of ways your account could have been compromised.
OK, you've got a great password - something like 0jrkdiGv5Q@n - something that is not going to be guessed, and certainly no current computer is going to get to in the next century by trying all possible combinations.
What else could go wrong?
You have a key-logger. Key loggers, short for keystroke loggers, are malicious programs that are installed and transmitted as viruses or spyware. Once your computer is infected with a key logger it could be recording every keystroke you press, and then sending that off to some central "hacker headquarters" where the results are analyzed and account login IDs and passwords are extracted. By the way, "keystroke logger" is a misnomer these days. Just about anything you do can be recorded, including mouse clicks, screen shots, and even network traffic, rendering most of the ways to supposedly "bypass" keystroke loggers completely ineffectual.
You logged in on a public computer. Not only can public computers be completely infested with malware including the aforementioned keyloggers, but they can also have hardware logging devices installed. Even if you scanned, you'd never tell from the software installed that your keystrokes and all that other activity might be captured by a device attached to or inside the computer itself.
You've been phished. This is happening a lot, particularly in online games. You receive a message supposedly from the game administrator that you need to visit a web site to gain access to some in-game bonus, or validate your account or risk being banned. When you go to that site you have to log in and ... you just gave your login information to a hacker. Phishing is, of course, not limited to these in-game messages - they can be just about anything to get you to divulge your username and password.
Your password is great, but your security questions? Not so much. Security questions are often used to validate that you are who you say you are when you click the "I forgot my password" link when attempting to access your account. If those security questions are the all-too-typical simple kind, like your birthplace or favorite color, my guess is that someone who either knows you or has read your profiles on social media sites can probably answer them. If they can answer them, many times that means that they can gain access to your account. This varies depending on exactly how the security questions are used, but it's very common.
You logged in over an open WiFi connection. This could be while at Starbucks or some public location that has open WiFi. It could even be your own home if you've not enabled WPA encryption on your wireless access point. I'd be shocked if the game you're playing encrypted its login transactions, or for that matter any part of the game experience. That means that anyone within range (meaning perhaps within a few hundred feet) could "listen in" to your network conversation and see your login ID and password as they passed by from your computer to the gaming or other server.
You walked away while logged in and someone walked up to your computer and changed your password. Or changed your security questions. Or changed your email address associated with the account so that they could later say "I forgot my password" and "recover" access to your account.
You left your computer accessible. There's no substitute for physical security if someone can just walk up to your computer and start searching for things that might help them. If your game allows you to remember login IDs or passwords, those are probably accessible somewhere and anyone with physical access to your machine could conceivably find them. Even a Windows password is not enough, since those are easily bypassed or reset by someone with the proper knowledge and tools.
You told a friend. Sadly this happens more often than we think. Sometimes the easiest way to share something is to just let your friend (or spouse, or child, or parent, or ...) log in "as" you - so you give them the password. Later, when they're angry or hurt or no longer your friend, they can log in and change your password, thereby locking you out.
Someone watched you log in. "Shoulder surfing", as it's known, is as simple as it sounds - letting someone watch you type in your password could be enough for them to memorize the keys you typed. It's not necessarily easy, but depending on how you type and how well that person watches and remembers, it's not an uncommon way to get a password - even a complex one.
It's great that you have a strong password - that already puts you ahead of the majority of computer users, sad to say. But it's not something that protects you from all threats. Be aware of the scenarios I've listed, and for those that you think might apply take appropriate steps to minimize the risk.
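To put numbers on the security-question weakness described above, here is an added example (not part of the original article) that compares the search space of the article's sample password with that of a guessable recovery answer. The guess rate and the count of 16 plausible favorite colors are assumptions chosen for illustration.

```python
import math
import string
from typing import Optional

# Assumption for illustration: an attacker testing 10 billion guesses per second.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(secret: str) -> int:
    """Size of the alphabet a brute-force search must cover for this secret."""
    size = 0
    if any(c in string.ascii_lowercase for c in secret):
        size += 26
    if any(c in string.ascii_uppercase for c in secret):
        size += 26
    if any(c in string.digits for c in secret):
        size += 10
    if any(c in string.punctuation for c in secret):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size

def random_string_bits(secret: str) -> float:
    """Bits of search space; meaningful only if the characters were chosen at random."""
    return len(secret) * math.log2(charset_size(secret))

def years_to_exhaust(bits: float) -> float:
    """Years needed to try every combination at the assumed guess rate."""
    return 2 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def account_bits(password: str, recovery_candidates: Optional[int] = None) -> float:
    """An account is only as strong as its weakest way in: login or recovery.

    recovery_candidates is how many plausible answers the security question has;
    None means the account has no question-based recovery path.
    """
    paths = [random_string_bits(password)]
    if recovery_candidates is not None:
        paths.append(math.log2(recovery_candidates))
    return min(paths)

if __name__ == "__main__":
    pw = "0jrkdiGv5Q@n"  # the article's example password
    print(f"password: {random_string_bits(pw):.1f} bits, "
          f"{years_to_exhaust(random_string_bits(pw)):.2e} years to exhaust")
    # Constructed figure: 16 plausible answers to "favorite color".
    print(f"with 'favorite color' recovery: {account_bits(pw, 16):.1f} bits")
    # A random recovery answer as long as the password keeps the full strength.
    print(f"with random recovery answer: {account_bits(pw, 94 ** 12):.1f} bits")
```

The recovery path, not the password, sets the account's effective strength whenever its answer can be drawn from a short list.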
Article C4492 - October 20, 2010
October 28, 2010 4:38 PM
Leo
What site in your opinion is best for e-mailing to 50+? In contacting a large group of people and not having it go to spam do you have any suggestions? I sell Real Estate in an average size market and have been a Realtor for 35 years.
29-Oct-2010
October 29, 2010 12:37 AM
Leo, a follow up on your prior response:
If you think putting garbage as an answer is not a good choice... What do you recommend?
And could you please elaborate on the reasons why?
I don't see a point in giving the correct answer to any of these questions. Most of the people I know can answer all or most of them correctly (e.g. I live in a Latin American country, and my mother's maiden name is part of my full name, or, anyone who has been at my birthday parties knows my favorite food is guatita [cow stomach with peanut sauce].. etc).
At the beginning I started giving unrelated answers (e.g. My favorite food is blue). But I thought that if a weak password is dangerous, a weak question could be hacked as easily, or more easily. The same goes for giving the same answer everywhere.
I continued to give slightly changed responses (e.g. misspelled words, language changes, or even alternate capital letters) but I ended with too many unrelated questions and answers, that I'm sure would be as difficult to remember as "0jrkdiGv5Q@n"
So I ended putting something like "0jrkdiGv5Q@n" as a secret answer.
My reasoning was, that if anyone hacked my account and changed my alternate email, that person would be non-stupid enough to also change my secret question, country, ZIP code, birthday, etc. If I couldn't get my account back, then why would I leave a back door open?
What's the reason to put a secret answer?
Remember your post on "periodical password change"
Please let me know your thoughts and elaborate a bit on them.
Thanks again.
Barcillo
PS: all examples are fictitious. None of my accounts have "0jrkdiGv5Q@n" nor blue as a response...
or maybe they do ;)
29-Oct-2010
November 2, 2010 1:53 AM
Leo, Barcillo's approach of inputting nonsense replies to security questions is actually quite sound, with the proviso that he is able to somehow retrieve those specific responses when needed, i.e., by storing them in a password database utility such as Roboform (your recommendation); or (my personal favorite) in KeePass Password Safe.
"Favorite Color = Pencil" may be a tad easier to remember, but it just isn't quite as secure! :)
May 3, 2011 7:44 PM
Is there any way possible to get into my child's account? He won't give me the password and I can't guess the answers to the security questions. If I can't access it, can I have it terminated without his information? Please help.
04-May-2011
April 13, 2012 5:14 AM
As an admin for my company, I have a myriad number of accounts that require user names and passwords. I decided the easiest thing for me to do (in order to remember them) was to prepare an Excel spreadsheet that contains ALL of my user names, passwords, and secret questions/answers. My current list is four pages long!
My company's IT systems are backed up every night, but I do keep a hard copy of my Excel document in a safe place should a system-wide crash occur.
Additionally, in the last year my computer was infected with a virus that I could not remove, so I purchased Spyware Doctor. This software frequently scans my programs and alerts me to any website or website connected to an advertisement that is "suspicious." I just click to block the site. I like the proactive nature of this program.
Obviously, there are no guarantees that someone won't hack into my e-mail account; but I hope I've taken careful measures to reduce the risk ...
No one uses my personal computer but me. I never use a public computer ever. I delete ALL phishing e-mails. And I have a complicated password (plus good Spyware)!
Hope this helps!