If your email or other online account is hacked – changing your password is a good first step – but not enough.–PC Pitstop.
Changing Your Password is Not Enough
By Leo Notenboom
Is changing my password enough?
Changing your password is a common response to account hacks. Unfortunately, it isn’t enough.
I regularly hear from people who’ve had their email or other online account compromised, are able to recover access to it, and change their password, only to have the account stolen again almost immediately.
The problem is actually quite simple, but the solution is a bit of work.
First, you have to realize that while someone else has access to your account, they have access to everything related to that account.
As a result, changing your password just isn’t enough. You need to do more.
Recovery information
You authenticate with most online systems by providing a user name and a password. Your user name might well be publicly visible, but your password should be known only to you.
Most systems also provide a mechanism whereby you can recover or reset your password should you forget it. They use a variety of means, but they all boil down to the same thing: they use one or more additional pieces of information – often referred to as recovery information – to validate that you are who you say you are, and thus entitled to regain access to the account.
It’s that recovery information that presents the greatest risk once your account has been compromised.
Let’s look at some examples of what I mean, why it’s a risk, and what you should do about each, in addition to changing your password.
