
Strong passwords are important, but they don't protect you from everything. I'll look at other ways that your account can be compromised.

I sometimes play a game online to pass the time. It's a simulation type of game but I like it. One day I logged into my account and realized that someone had changed the password and taken all my stuff. How is it possible that they've hacked my account? My password has plenty of characters, is almost impossible to guess because it sounds like random gibberish to everyone else except myself, and there are plenty of numbers and secret characters in it. Is it true that they used a hacking device or program of some sort to hack my account?

I can't say what could have happened in your case, specifically.

However...

I can think of a number of ways your account could have been compromised.

OK, you've got a great password - something like 0jrkdiGv5Q@n - something that is not going to be guessed, and that no current computer is going to reach in the next century by trying all possible combinations. (Twelve characters drawn from upper and lower case letters, digits and punctuation give 94^12, roughly 5 x 10^23, possibilities; and an online login form that throttles failed attempts allows nowhere near the guess rate such an attack would need anyway.)

What else could go wrong?

  • You have a key logger. Key loggers, short for keystroke loggers, are malicious programs that arrive the same way any other virus or spyware does. Once your computer is infected, the logger can record every keystroke you press and send the results off to some central "hacker headquarters", where login IDs and passwords are picked out of the captured text. By the way, "keystroke logger" is a misnomer these days. Just about anything you do can be recorded, including mouse clicks, screen shots and even network traffic, which renders most of the tricks that supposedly "bypass" keystroke loggers (on-screen keyboards, pasting the password from a file) completely ineffectual. No password, however strong, survives being typed into a compromised machine.

  • You logged in on a public computer. Not only can public computers be completely infested with malware, including the aforementioned key loggers, but they can also have hardware logging devices installed. Even if you scanned the machine, you would never tell from the installed software that your keystrokes and all that other activity were being captured by a device plugged in between the keyboard and the computer, or inside the case itself. Treat any password typed on a computer you don't control as exposed, and change it from a machine you do control as soon as you can.

  • You've been phished. This is happening a lot, particularly in online games. You receive a message, supposedly from the game administrator, saying that you need to visit a web site to collect some in-game bonus, or to validate your account or risk being banned. When you go to that site you have to login and ... you've just handed your login information to the attacker. The site may be a pixel-perfect copy of the real one; the only reliable tell is the address in the browser's address bar, which is why you should never log in through a link in a message you didn't ask for, and instead type the game's address yourself. Phishing is, of course, not limited to these in-game messages - the lure can be just about anything that gets you to divulge your username and password.

  • Your password is great, but your security questions? Not so much. Security questions are often used to validate that you are who you say you are when you click the "I forgot my password" link. If those questions are the all too typical simple kind - your birthplace, your mother's maiden name, your favorite color - then someone who knows you, or who has read your profiles on social media sites, can probably answer them; and in many systems answering them is all it takes to reset the password and take over the account. Exactly how much a correct answer buys varies from service to service, but it's very common for the answers to be, in effect, a second and much weaker password. Treat them as such: an answer need not be true, only something you can retrieve later.

  • You logged in over an open WiFi connection. This could be at Starbucks or some other public location that offers open WiFi. It could even be your own home if you haven't enabled WPA or WPA2 encryption on your wireless access point. I'd be shocked if the game you're playing encrypted its login transactions, or for that matter any part of the game experience. Unless the login itself travels over an encrypted connection such as HTTPS, anyone within range (meaning perhaps within a few hundred feet) can "listen in" on your network conversation and read your login ID and password as they pass from your computer to the game server. Note that a WPA password printed on the coffee shop's wall helps little: anyone who knows the network key is, with a little effort, in a position to decrypt the other patrons' traffic. Only encryption between your computer and the server you're talking to closes this hole.

  • You walked away while logged in and someone walked up to your computer and changed your password. Or changed your security questions. Or changed your email address associated with the account so that they could later say "I forgot my password" and "recover" access to your account.

  • You left your computer accessible. There's no substitute for physical security. If someone can just walk up to your computer, they can start searching for things that might help them: if your game (or your browser) offers to remember login IDs or passwords, those are stored somewhere on the machine, and anyone with physical access could conceivably find them. Even a Windows login password is not enough, since it's easily bypassed or reset by someone with the proper knowledge and tools, unless the disk itself is encrypted.

  • You told a friend. Sadly this happens more often than we think. Sometimes the easiest way to share something is to just let your friend (or spouse, or child, or parent, or ...) login "as" you - so you give them the password. Later when they're angry or hurt or no longer your friend they can login and change your password thereby locking you out.

  • Someone watched you login. "Shoulder Surfing", as it's known, is as simple as it sounds - letting someone watch you type in your password could be enough for them to memorize the keys you typed. It's not necessarily easy, but depending on how you type and how well that person watches and remembers, it's not an uncommon way to get a password - even a complex one.
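To put numbers on two of the points above (the password that no computer will brute-force, and the security question that a friend can answer), here is an added Python example; it is not code from the original article, and the guess rates and the list of common colors in it are assumptions for illustration. It compares the search space of the sample password with the handful of candidates an attacker would try for a typical recovery question, and generates the kind of random, unrelated recovery answer discussed in the comments below, which only makes sense if you store it somewhere you can get back to, such as a password manager.

```python
import secrets
import string

SECONDS_PER_YEAR = 60 * 60 * 24 * 365

# Guess rates are assumptions for illustration, not measurements:
# a site that throttles logins allows only a few guesses per second,
# while an attacker holding a leaked password-hash file is limited
# only by hardware.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 10**10

# Constructed candidate list: the handful of answers an attacker tries first
# for a "favorite color" question. Real lists are longer but still tiny.
COMMON_COLORS = ["blue", "red", "green", "purple", "black",
                 "pink", "yellow", "orange", "white", "brown"]


def password_keyspace(password: str) -> int:
    """Number of strings of the same length drawn from the character
    classes the password actually uses (an upper bound on guesses for a
    randomly chosen password; a dictionary word would fall much sooner)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return alphabet ** len(password)


def years_to_exhaust(guesses: int, guesses_per_sec: float) -> float:
    """Wall-clock years to try every candidate at a given rate."""
    return guesses / guesses_per_sec / SECONDS_PER_YEAR


def compare(password: str, answer_candidates: list) -> dict:
    """Side by side: brute-forcing the password versus guessing the
    recovery answer from a short candidate list, at the assumed rates."""
    pw_space = password_keyspace(password)
    ans_space = len(answer_candidates)
    return {
        "password_guesses": pw_space,
        "password_years_offline": years_to_exhaust(pw_space, OFFLINE_GUESSES_PER_SEC),
        "answer_guesses": ans_space,
        "answer_seconds_online": ans_space / ONLINE_GUESSES_PER_SEC,
    }


def random_answer(length: int = 12) -> str:
    """A recovery answer unrelated to the question, from a CSPRNG.
    Store it in a password manager: if you lose it, you lose the
    recovery path too."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for key, value in compare("0jrkdiGv5Q@n", COMMON_COLORS).items():
        print(f"{key}: {value:,.0f}" if isinstance(value, float) else f"{key}: {value:,}")
    print("random recovery answer:", random_answer())
```

The offline figure comes out at over a million years for the sample password, while the "favorite color" answer falls in about a second even against a throttled login form: the weakest credential on the account is the one that gets attacked.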

It's great that you have a strong password - that already puts you ahead of the majority of computer users, sad to say. But it's not something that protects you from all threats. Be aware of the scenarios I've listed, and for those that you think might apply take appropriate steps to minimize the risk.
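As an added example of the open-WiFi point above (not part of the original article), the following Python code plays the part of a passive listener on the network: it takes constructed captures of a login sent as a plain HTTP form post, one sent with HTTP Basic authentication, and one sent over TLS, and shows what can be read back out of each. The host name, field names and credentials are all made up for the example.

```python
import base64
from urllib.parse import parse_qs


def http_request(method: str, path: str, headers: dict, body: bytes = b"") -> bytes:
    """Serialise a request the way a client puts it on the wire."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


# Constructed captures: what a passive listener on an open WiFi network sees
# for three ways a client might log in. Host names, field names and the
# credentials are made up for the example.
CAPTURED_FORM_LOGIN = http_request(
    "POST", "/login",
    {"Host": "game.example",
     "Content-Type": "application/x-www-form-urlencoded"},
    b"user=alice&pass=0jrkdiGv5Q%40n&remember=1",
)
CAPTURED_BASIC_AUTH = http_request(
    "GET", "/account",
    {"Host": "game.example",
     "Authorization": "Basic " + base64.b64encode(b"bob:hunter2").decode()},
)
# The same login over TLS: the listener sees a handshake record header
# (content type 0x16, version 0x0301, length) followed by bytes it cannot read.
CAPTURED_TLS = b"\x16\x03\x01\x00\x2f" + bytes(47)

USER_FIELDS = ("user", "username", "login", "email")
PASS_FIELDS = ("pass", "password", "passwd")


def is_tls_record(capture: bytes) -> bool:
    """True if the bytes start like a TLS record rather than HTTP text."""
    return len(capture) >= 3 and capture[0] == 0x16 and capture[1] == 0x03


def extract_credentials(capture: bytes) -> dict:
    """Pull login credentials out of a plaintext HTTP request, the way a
    network sniffer would. Returns {} when nothing is recoverable."""
    if is_tls_record(capture):
        return {}
    head, sep, body = capture.partition(b"\r\n\r\n")
    if not sep:
        return {}
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    found = {}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # HTTP Basic is base64 encoding, not encryption: decoding is enough.
        user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic"] = (user, pw)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"))
        user = next((fields[k][0] for k in USER_FIELDS if k in fields), None)
        pw = next((fields[k][0] for k in PASS_FIELDS if k in fields), None)
        if user is not None and pw is not None:
            found["form"] = (user, pw)
    return found


if __name__ == "__main__":
    for name, capture in [("form", CAPTURED_FORM_LOGIN),
                          ("basic", CAPTURED_BASIC_AUTH),
                          ("tls", CAPTURED_TLS)]:
        print(name, "->", extract_credentials(capture) or "nothing readable")
```

Run it and the two plaintext captures give up the username and password verbatim, while the TLS capture gives up nothing; that is the whole difference between a login page served over http:// and one served over https://, and it holds regardless of how strong the password is.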

Article C4492 - October 20, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


8 Comments
Con van Munster
October 23, 2010 2:22 AM

Hi Leo,
I joined your website some time ago as {email address removed}@hotmail.com
A couple of weeks ago I found I could no longer log into my hotmail account. I tried a couple of times and was told to change my password. OK that's happened before, but this time when I tried to change it, the link I need to change my password was not sent to {email address removed}@hotmail.com but to AU*****@hotmail.com I have no idea who or what this is. I have sent several emails to hotmail but apparently I cannot convince them that I am the legitimate owner of the account, and they are not doing anything to help.
Is there any way I can recover my account? All my email contacts etc. are in the address book, and this is causing much inconvenience.
Regards,
Con van Munster

Please read this article which discusses your recovery options for the various ways that Hotmail accounts can be lost or compromised: What are my Lost Hotmail Account and Password Recovery Options?
Leo
24-Oct-2010

Tom Oneal
October 26, 2010 10:04 AM

Could the owner of an open WiFi HotSpot - say at my local Starbucks - utilize a keylogger to capture what I'm doing online? If so, HOW?

Or better yet, could a "Bad Guy" set up an open WiFi in a public area specifically to capture people's usernames and passwords as they perform their online business in that public place?

Any way to protect oneself from this?

Certainly. That's what this article is all about: How do I stay safe in an internet cafe?
Leo
26-Oct-2010

Barcillo
October 28, 2010 3:41 PM

Hi Leo:
It's the first time I read the "Your password is great, but your security questions? Not so much" topic, but I've been worried with this for some time.
Until now I've been answering my pet's name or first teacher questions with stuff like "0jrkdiGv5Q@n". Answers I can't remember, but am sure that no one else is going to guess.
If I have an alternate email for password recovery...
Is it ok to do this?
What problems do you see in my approach?
Thanks

So basically you're putting in garbage you won't remember as the answers to your security questions, right? Then you better be VERY sure that whatever service this is will only ever need the alternate email. If, for some reason, they can't or won't, or you lose access to that alternate email, you'll be out of luck.
Leo
28-Oct-2010

Helen
October 28, 2010 4:38 PM

Leo
What sight in your opinion is best for e-mailing to 50+? In contacting a large group of people and not having it go to spam do you have any suggestions? I sell Real Estate in an average size market and have been a Realtor for 35 years.

I assume you mean "site". I typically point people at Yahoo groups - for the "cost" of some advertising it's free and has a pretty reasonable feature set. When you want to go business/professional I still recommend aweber.com.
Leo
29-Oct-2010

Barcillo
October 29, 2010 12:37 AM

Leo, a follow up on your prior response:
If you think putting garbage as an answer is not a good choice... What do you recommend?
And could you please elaborate on the reasons why?

I don't see a point in giving the correct answer to any of these questions. Most of the people I know can answer all or most of them correctly (e.g. I live in a Latin American country, and my mother's maiden name is part of my full name, or, anyone who has been to my birthday parties knows my favorite food is guatita [cow stomach with peanut sauce], etc).

At the beginning I started giving unrelated answers (e.g. My favorite food is blue). But I thought that if a weak password is dangerous, a weak question could be hacked as easily, or more easily. The same goes for giving the same answer everywhere.

I continued to give slightly changed responses (e.g. misspelled words, language changes, or even alternate capital letters) but I ended up with too many unrelated questions and answers, which I'm sure would be as difficult to remember as "0jrkdiGv5Q@n".

So I ended up putting something like "0jrkdiGv5Q@n" as a secret answer.

My reasoning was, that if anyone hacked my account and changed my alternate email, that person would be non-stupid enough to also change my secret question, country, ZIP code, birthday, etc. If I couldn't get my account back, then why would I leave a back door open?
What's the reason to put a secret answer?

Remember your post on "periodical password change"

Please let me know your thoughts and elaborate a bit on them.
Thanks again.
Barcillo
PS: all examples are fictitious. None of my accounts have "0jrkdiGv5Q@n" nor blue as a response...
or maybe they do ;)

My concern is simply that by putting stuff you don't remember in your secret questions then you will never be able to use them to recover your own account if needed. That's my only concern. If you don't mind closing that door forever, then go for it. Personally I think that's too risky, and advocate nonsense answers ("favorite color -> pencil" kinda things).
Leo
29-Oct-2010

Glenn P.
November 2, 2010 1:53 AM

Leo, Barcillo's approach of inputting nonsense replies to security questions is actually quite sound, with the proviso that he is able to somehow retrieve those specific responses when needed, i.e., by storing them in a password database utility such as Roboform (your recommendation); or (my personal favorite) in KeePass Password Safe.

"Favorite Color = Pencil" may be a tad easier to remember, but it just isn't quite as secure!     :)

Parent
May 3, 2011 7:44 PM

Is there any way possible to get into my child's account? He won't give me the password and I can't guess the answers to the security questions. If I can't access it, can I have it terminated without his information? Please help.

No way to really know without knowing what account you mean (computer? email? facebook? something else?). If a service of some sort you'd probably need to contact their customer service.
Leo
04-May-2011

Lisa
April 13, 2012 5:14 AM

As an admin for my company, I have a myriad of accounts that require user names and passwords. I decided the easiest thing for me to do (in order to remember them) was to prepare an Excel spreadsheet that contains ALL of my user names, passwords, and secret questions/answers. My current list is four pages long!

My company's IT systems are backed up every night, but I do keep a hard copy of my Excel document in a safe place should a system-wide crash occur.

Additionally, in the last year my computer was infected with a virus that I could not remove, so I purchased Spyware Doctor. This software frequently scans my programs and alerts me to any website or website connected to an advertisement that is "suspicious." I just click to block the site. I like the proactive nature of this program.

Obviously, there are no guarantees that someone won't hack into my e-mail account; but I hope I've taken careful measures to reduce the risk ...

No one uses my personal computer but me. I never use a public computer ever. I delete ALL phishing e-mails. And I have a complicated password (plus good Spyware)!

Hope this helps!
