How Secure is your Email?


By Rob Cheng

Think for a moment about a piece of information that you know about yourself that no one else in the world knows. I mean absolutely no one. It isn’t your high school’s mascot. Obviously everyone with whom you went to high school would know that. It isn’t your mother’s maiden name. Your mother and everyone that knew your mother before she was married would know that. It isn’t the last 4 digits of your social security number. Your bank, your cable company, your doctor’s office and virtually every other business has that information.

There are two distinct types of security holes that threaten your identity and your life as you know it. The first is your computer itself. As we described in the prior article, criminals are taking over our computers through security holes and then extorting millions through fear and doubt. The other, and perhaps more dangerous, type is the hacking of our email accounts and passwords.

In the 2008 presidential campaign, Republican vice presidential candidate Sarah Palin’s Yahoo email account was hacked. In order to hack Mrs. Palin’s account, the hacker needed only two pieces of information: her birth date and her high school. Since she was a vice presidential candidate, in the words of the hacker himself, it took only minutes to obtain the information needed to hack her account.

Once the hacker had this information, it was child’s play to get Yahoo to reset Palin’s password, allowing him full access to her email. The hacker then read all of her email and made public her most embarrassing messages. To be honest, Sarah Palin was quite lucky. The hacker was just a kid who wanted to derail her election campaign. Had the hacker been an organization, they would have had the ability to get the passwords for everything that Mrs. Palin held near and dear. This includes her Facebook and Google accounts, but more importantly, all of her financial institutions, Amazon credit card information, and so on. She could have been ruined, all because she told the truth on her security questions.

That was 4 years ago, and sadly, Yahoo’s security hasn’t improved much. On top of that, we learn that George W. Bush’s email was hacked, and somehow the state of South Carolina’s tax database was hacked, putting close to 4 million taxpayers at risk of identity theft.

Your email is the hub of your digital world. Once your email is compromised, the hacker has access to every web site that is linked to that email address, potentially including your favorite online shopping sites, your bank balance, your credit card and so on. The problem is that the free email sites (Yahoo, GMail and Hotmail) have implemented security questions, which represent a huge security hole into your email.

The advice is clear. NEVER answer the security question accurately unless you are absolutely 100% sure that no one else can ascertain this information. In today’s day and age of Facebook and thousands of public online databases, this is essentially impossible. My friend Bill Pytlovany suggests inventing interesting and playful responses to your security questions. This is good fun, but I would suggest the following.

Choose a new password for your email that is different from all of the other passwords you have. Engrave that password in your mind until it is permanent, because this is so important. Then, after that has been accomplished, delete all the security questions. I have done this with my Yahoo and Google email accounts and life is just more secure.


17 thoughts on “How Secure is your Email?”

  1. Making up answers to security questions is important, because no matter how secure your password is, if it can be changed with a security question, it’s worthless.

    OTOH, for accounts that don’t have security, you only need to do 2 things for a secure account:
    1) Use a password manager to remember everything about each and every account. Between the financial, retail, and blog websites I use, I have over 200 accounts. No way I can remember each & every username and password. I use that lets me get to it from anywhere on the web. It stays encrypted until it comes down to my computer.
    2) You must create a UNIQUE, RANDOM, LONG password with upper/lower case letters, digits & special characters. I use 32 characters, if I can. Some websites limit the length, and others don’t like special characters. I max out my length when I can.
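As an added example (not the commenter's own code), a Python generator for the kind of secret this comment describes: a random, long string that is guaranteed to contain upper and lower case letters, digits and specials, with the site's length limit and "no special characters" rule passed in as assumed parameters. The same routine produces the random security-question answers other commenters recommend.

```python
import math
import secrets
import string

# Character classes the comment asks for. The specials set is an assumption;
# adjust it to whatever a given site accepts.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"


def _classes(allow_specials):
    return [UPPER, LOWER, DIGITS] + ([SPECIALS] if allow_specials else [])


def has_all_classes(secret, allow_specials=True):
    """True if `secret` contains at least one character from every required class."""
    return all(any(c in cls for c in secret) for cls in _classes(allow_specials))


def generate_secret(length=32, allow_specials=True, max_length=None):
    """Return a uniformly random secret that covers every required class.

    `length` is the wanted size (32, as the comment suggests); `max_length`
    models a site that caps password length; `allow_specials=False` models a
    site that rejects punctuation. Uses the `secrets` CSPRNG, never `random`.
    """
    if max_length is not None:
        length = min(length, max_length)
    classes = _classes(allow_specials)
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: retry until every class is present. This keeps
        # the result uniform over all strings that satisfy the coverage rule.
        if has_all_classes(candidate, allow_specials):
            return candidate


def entropy_bits(length, allow_specials=True):
    """Entropy of a uniformly random string of `length` over the chosen alphabet."""
    size = sum(len(cls) for cls in _classes(allow_specials))
    return length * math.log2(size)


if __name__ == "__main__":
    pw = generate_secret()
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
    print(generate_secret(allow_specials=False, max_length=16))
```

A 32-character secret over this 86-symbol alphabet carries about 205 bits of entropy, far beyond anything a guessable security-question answer provides.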

  2. I’m truly evil. I do all the crap in Cherokee translated to English alphabet. If someone can “hack” that (like my great-great Grandmother’s maiden name), more power to them, especially when I deliberately misspell words! You can always say your Mother’s maiden name is Doris Day, Marilyn Monroe, Madonna, etc.

  3. I never fill in the phone number field correctly in online forms. If anyone needs to get hold of me they can email me. I know that companies buy each others’ phone number lists and I really don’t want to be hassled by people trying to sell me things I neither want nor need. My problem is, like many others who have replied here, that if I have a complicated password or false security question I can’t remember it. For instance, I can only carry out a few of the transactions on my bank’s site. I can check my balance and transfer money between my current and my savings accounts and that’s about it. To set up direct debits/standing orders I have to go to a physical branch in town because a few years ago they changed to a “one-off passcode” texted to a mobile phone (cellphone) which is different each time and is used to log into the account. Unfortunately, I use my mobile phone so rarely that I can’t remember its number! I know there are ways of finding it out, but then I would forget it again anyway and if I wrote it down I would then forget whereabouts I’d written it down. Anyway, I don’t set up standing orders/direct debits very often and if I need to it gets me out of the house :).

  4. It all boils down to memory for most of us.
    That is LACK of a decent memory for the hundreds of sites we visit, many only very occasionally.
    Using programs to store this stuff is only a half way house. The programs are generally free & I know of no testing to determine how easily they can be hacked.
    Plus on the few occasions I have tried to use one or other – they just don’t pop up & do the job in many cases.
    In my case I store my passwords & usernames (in a “loose personal coded” form that often defeats me when I need it) in Microsoft Outlook. How easy is this for a hacker to find? Would this info be better in an encrypted Word file? But the circle is complete – we are back to a memory problem.
    BTW about 20 -25% of folks over 49 have a recognisable impairment of memory so this is not a rare condition.

  5. Use something like keepass (put a random string in for both password and security question). More points for making the security question harder to crack than the password itself.

  6. My advice is to never use a security question unless you are forced to, as banks will sometimes. And unless it’s a bank site that will require you to be able to answer it, just put down gibberish for the answer if you must put down something. You can usually use a phone number or another email to recover your password if you forget it.

    I once saw someone’s security Q, and it was “fav bin”. Took me 7 guesses to get “1101”, and I had no idea who he was. Lucky guess though. Just saw the email and was curious. My other tries included “cgi-bin”, and “101010”.
    Yahoo is terrible at the default ones too. My dad has Make of First Car Owned. Again, took me about 7 guesses to see what it was. They only have so many makes of cars!
    If you come up with some cute trick that will fool people, you won’t remember it, because just consider the fact that you can’t even remember your own password. How will you be sure you’ll remember the alternative security question answer that you never use….
    Although I do use for pet’s name the name of a stuffed animal I had. No social engineering attack could get that, and the name is strange as well. Not a real name of any sort.

    Another way if you can choose your question is to make multiple questions in one. Like “First Car/First Phone #/First name of teacher [implying ‘favorite’ teacher]”, so that someone will need to be able to get them all making it that much harder. The answer could be like “Dodge/555-1234/Mrs. Welch”. This can be beaten, but they really have to be out to get you.

    If you’re young, then there’s no good questions, because who’s going to remember their favorite book in two years when you’ve forgotten your password. Plus “Harry Potter” is just too easy to guess anyway.

    Sarah Palin also isn’t a good example of anything. Anyone that needs to write Tax Cuts on their own hand to remember to talk about it, or doesn’t understand why fruit flies are used for research will of course be “hacked” by an 8 year old. I question if the term hacking itself should even be used at that point. Hacking should imply you have a level of intelligence that is more than just knowing that google exists.

    A lot of sites will sadly not encrypt your password, and as long as one can get into another’s account, they can have that site send the password to them. Or the site will send it after you register for the first time as a friendly reminder. But since so many people will use the same password everywhere, it’s not a good idea to keep that particular email.

  7. Isn't the central problem in computer security the gulf in knowledge and watchfulness between those who read security articles versus those "can't be bothered with such things"?

    Earlier commenters nailed it: Falsify answers to 99% of Web sites' security questions.

    "Nor shalt thou or thine bow down before Administration."
    – W.H. Auden

  8. Susan Marie Schmitt

    I try to come up with strong passwords and security questions and I don't answer things completely truthfully either, for just those reasons. All I can say is thanks be for a password keeper app so I can keep track of all the sites, passwords and security questions; however, that can probably be hacked at some point too, so essentially we still lose. We're just making it a bit harder for the hackers.

  9. Andrew David Rice

    I've been registering slightly false information on online services for exactly this reason. Does Facebook really need to know my date of birth, or rather that I'm of a certain age. For those answering these security questions, think about registering an answer that is at least slightly different to what it should be. Good article.

    1. I just make it up, lies the lot of it, who would be stupid enough to be honest about security questions… lol if I was honest then anyone would know how to steal into my accounts… mind you I have to keep everything written down as I cannot remember who I am most of the time… so maybe security is not that high around me… lol

    2. Though in saying that, it is a lot harder these days to break into a person’s house and rifle through their stuff to find whatever it is you keep your passwords in…. lol

  10. How do we delete the security questions we have answered on yahoo, Google and Hotmail? Is there a way to not allow password resets via security questions?
