
Hacking Hotmail accounts seems like a common occurrence. Here are the steps you need to take to prevent losing your account to a hacker.

My MSN HotMail account has been hacked into several times. If I'm able to recover it, it just gets hacked again. Sometimes I can't recover it, and I have to start all over with a new account. What can I do to stop this all from happening?

No, I don't get this question a lot. But I really, really wish I did. What I get over and over and over again is the related "I've been hacked, please recover my account/password for me!"

Which, for the record I cannot do. No matter how often, or how nicely, you ask. The only salvation is in prevention, and this applies to email, IM and pretty much any passworded account you might have.

So what can you do to make sure your account doesn't get hacked into in the first place?

The most common cause of account hacking?

Simple, easy to remember passwords.

I'm sure you'd be shocked at how easy many passwords are to guess. Your pet's name, your pet's name spelled backwards, your favorite TV character's catch phrase, your boyfriend or girlfriend's name (or "ilove" followed by that name), and so on.

If you think people can't guess it, you are wrong. They can, and will.

Step #1: select a good password. "iLoveMikey" is a bad password. "qicITcl}" is a great password. You can see the problem though - great passwords are hard to remember. So compromise: never include full English words or names; always include a mix of uppercase and lowercase letters and numbers; always make sure that the password is at least 8 characters long. "Macintosh" is bad, "Mac7T0sh" might be good, and probably easier to remember. "HondaPrelude" is bad, but "Pre7ood6" might be ok.

Bottom line: pick a random looking password that YOU can remember, but that THEY would never guess - and assume that THEY are always really great guessers.

Step #2: protect your password. A scenario I've seen way too many times starts with "I thought I could trust my boyfriend / girlfriend / husband / wife / co-worker so I gave him/her my password. Then we had an argument."

How much damage can someone do if they're angry with you, and they have the password to your account? A lot.

It's very simple: Trust no one. I'm serious on this. Your friends are your friends until one day they're not. Naturally there are exceptions, but if there's the least little bit of doubt, don't reveal your password. Especially if someone is pressuring you to do so.

Step #3: set and protect your "secret answer." Many systems use a "secret question" and its corresponding answer as the key to password recovery or reset. The problem is that many people choose secret answers that nearly anyone can guess. Do people know where you were born? Then they know the answer to that secret question. Do people know what your pet's name is? Then "favorite pet's name" is probably a bad secret question for you.

And yet people do exactly that. If your account is repeatedly hacked after you recover the password, I'd guess that your "secret question" isn't that secret after all.


A great approach to this is to realize that there's nothing that says your answer actually has to correspond to the question, or to anything else in your life. So, pick an unrelated answer that has nothing to do with you. Perhaps your "City of Birth" should be "Crayola", "Chardonnay" or "WindowsExplorer". As long as you can remember it, it doesn't matter what it is.

An even better approach is to treat it like just another password - a password to your password, for example. Make it long, and obscure, completely unrelated to the "question", and hard for someone else to guess.

And don't tell anyone.
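The rules in Step #1 and Step #3 can be checked mechanically. The following is an added example, not code from the original article: it applies the article's rules (at least 8 characters, mixed case, a number, no full English words or names) to a candidate password or secret answer, and generates a random, unrelated secret answer of the "password to your password" kind. Two assumptions are mine, not the article's: the word list is a small constructed stand-in for a real dictionary and name list, and a punctuation character is accepted in place of a digit, so that the article's own "qicITcl}" passes.

```python
"""Added example, not part of the original Ask Leo! article.

Checks a candidate password or secret answer against the article's rules and
produces a random secret answer that is unrelated to any real question.

Assumptions (the example's, not the article's):
  * COMMON_WORDS is a constructed stand-in for a full English word and name
    list; a real check would load a complete list.
  * A punctuation character satisfies the "numbers" rule as well as a digit.
"""
import secrets
import string

# Constructed stand-in for a real dictionary + name list (lower-case).
COMMON_WORDS = {
    "love", "mikey", "macintosh", "honda", "prelude", "password",
    "hotmail", "welcome", "letmein", "fluffy", "seattle", "crayola",
}

MIN_LENGTH = 8


def find_dictionary_words(candidate, words=COMMON_WORDS):
    """Return the listed words (4+ letters) that appear inside the
    candidate, ignoring case. 'iLoveMikey' -> ['love', 'mikey']."""
    lowered = candidate.lower()
    return sorted(w for w in words if len(w) >= 4 and w in lowered)


def check_secret(candidate):
    """Apply the article's rules. Returns a list of problems; an empty list
    means every rule is satisfied (necessary, not sufficient, for a good
    password)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letters")
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        problems.append("no digits or symbols")
    found = find_dictionary_words(candidate)
    if found:
        problems.append("contains dictionary words/names: " + ", ".join(found))
    return problems


def is_acceptable(candidate):
    return not check_secret(candidate)


def random_secret_answer(length=12):
    """A secret answer that is a password in its own right: random letters,
    digits and symbols from the OS CSPRNG, with no connection to the
    question. Retries until it satisfies check_secret()."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@_"
    while True:
        answer = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_acceptable(answer):
            return answer


if __name__ == "__main__":
    # The article's own examples, plus two guessable secret answers.
    for pw in ["iLoveMikey", "qicITcl}", "Macintosh", "Mac7T0sh",
               "HondaPrelude", "Pre7ood6", "Crayola", "Seattle1"]:
        problems = check_secret(pw)
        print(f"{pw:14} {'ok' if not problems else '; '.join(problems)}")
    print("random secret answer:", random_secret_answer())
```

Run as a script it reports "ok" for "qicITcl}", "Mac7T0sh" and "Pre7ood6" and lists the failed rules for the others. "Crayola" and "Seattle1" are included to show why the article's "even better" approach (treat the secret answer as another password) beats merely picking an unrelated word: an unrelated word is still a dictionary word, and a city name is findable by anyone who knows you.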

Step #4: set an alternate email address. Many services will use an "alternate email address" to mail you a new password if you forget yours. First, make sure to set that option up, and set it up using an email account on a different system. Create and use a Yahoo account for your Hotmail alternate email, for example. And second: don't lose the alternate account. For many systems, if you can't access that alternate email account, you cannot get your password back, and you will not be able to recover your primary account.

I've seen too many cases where people lose their alternate email address or let that account lapse, only to be totally screwed when they find they really really need it to recover their primary account.

Step #5: Remember. I realize that "hard to guess" is at odds with "easy to remember", but both are absolutely critical. If you forget your password, and you forget the answer to your secret question or lose access to your alternate email account or somehow lose the ability to use any of the password recovery mechanisms provided by the service ... well, to put it bluntly, you are screwed.

Don't forget your own password. Don't forget the answer to your own secret question. If you must write your information down, keep it in a secure place. A sticky note on your monitor, under your mouse pad, or in some other easy-to-get-to place is not secure. Your wallet might be secure. A locked cabinet or safe might be secure. A properly encrypted file on your computer might be secure.

Step #6: Don't fall for password recovery schemes. There are people out there who will tell you that they can get your password if you send a specially formatted email to a special email address. But that email almost always requires you to provide another account name and password. Do you know who's at the other end of that email address? Not who they claim to be, but who they actually are? I sure don't. And there's no way I would trust them if they're asking for another account name and password. You're just begging to be hacked again.


Step #7: Learn from your mistakes. If you've been hacked, and you don't remember or have your secret answer, and you never set up or you lost access to your alternate email address, and none of the other password recovery options that the service might provide apply to you ... well, I said it above, and I'll say it again: you're screwed. I cannot recover your password or account for you. If you're using a free service that has little or no customer support, no one can. Learn from this. Take better care of your account information. If appropriate, and possible, consider moving to a for-pay mail provider that has real customer support that can help you recover from these kinds of problems.

Article C2641 - May 2, 2006

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


May 29, 2006 2:17 AM

Whenever possible, I avoid sites that require me to create a username and passer. When I absolutely must, the info is always phony and the passer is always the same (******** if it will work; the same muddled phrase I've been using for over 12 years, if not). d;^)

But never (EVER) is that "something else" passer one that I use for anything even remotely important (eMail client; MP3 account; anything involving my credit card or *real* personal info (Social Security Number; correct mailing address).

Finally, I got the pay-for-it Yahoo eMail solely because it allows you to create any number of specialized spoof eMail addys good for sending and receiving. You choose one word or phrase that begins all addys (eg, PsychedelicRutabaga) which is followed by a hyphen and then any phrase that identifies the account (eg, The New York Times, for example, might then be

Take care!


Leo Notenboom
July 17, 2006 9:33 AM
I've deleted a slew of comments on this article, and closed comments.

Almost everyone was simply asking for the same thing over and over and over again, and ignoring my answer.

If your account has been hacked, please read: Would you please recover my password? My account has been hacked or I've forgotten it.
- Leo
