When Changing Your Password Isn’t Enough

When your contacts get a bogus message from you, the first advice is often “Change your password!” However, sometimes that’s not enough and sometimes it’s not even useful. It depends on how that bogus message got sent out.

I’ll look at a few scenarios below, and talk about what actually helps or doesn’t help.

In general, the best password practices are:

  • Use two-factor authentication wherever it’s available. This can stop the bad guys before they do any harm.
  • Use a password manager to randomly generate a long, unique password for every site. This gives you passwords that are very difficult to guess. They’re also very difficult to remember and to type, but your password manager will help you out there. Important note: No human-chosen password is as strong as a long, randomly generated password. If you think you’ve somehow created an unguessable password, that tells me you don’t know how this works, so you probably need a password manager more than anyone.
  • Enable login alerts where they’re available. For example, Facebook offers login alerts so you can tell when someone logs into your account from a new location. Bank and credit card sites offer additional alerts as well.

Scenario 1: The bad guys spoofed your email address. That is, the “From” address says it’s from you, but the message really came from somewhere else, under control of the bad guys.

What helps?

  • Almost nothing. You can’t stop someone else from spoofing your email address. What you can do is get smarter about recognizing spoofed email you’ve received. If you happen to be an organization’s email administrator, there are steps you can take, but that’s beyond the scope of today’s blog posting.

What doesn’t help?

  • Changing your password. Why doesn’t that help? The bad guys don’t need your password to spoof your email address. They probably don’t even know it.

Scenario 2: The bad guys guessed your password. They made a few guesses based on common passwords that everyone uses, or maybe they know a few things about you and worked with that info. This is often how it happens on TV. Sometimes, it happens in real life too, but now lots of people think this is the only scenario to worry about.

What helps?

  • Two-factor authentication: They’ve guessed your password, but that’s not enough to let them in. Cautionary note: Some two-factor systems let you have a few logins without a second-factor challenge. In those cases, the bad guys could still get into your account, at least once.
  • Password manager: The least guessable password you can create is as long as possible, randomly generated, and unique for each site where you have a password. This is what password managers do.
  • Login alerts: The alert doesn’t prevent the bad guys from logging in, but it tips you off when it happens.

What doesn’t help?

  • Changing your password. Okay, it’s better than nothing, but if you didn’t pick a very good password before, chances are you didn’t pick a very good one just now. Studies of real-world password usage showed that most people use a pattern when coming up with new passwords, which makes life easier for the bad guys.

Scenario 3: The bad guys have compromised your computer with malware. The malicious software might steal what you type and send it off to the bad guys. It might let the bad guys connect to your computer and use it without your knowledge. It might run applications on your computer, such as your email software. It might alter your system configuration in the bad guys’ favor.

What helps?

  • Anti-malware tools: Run regular scans. Take advantage of the tool’s preventive measures, like monitoring your downloads. Keep the anti-malware tool up to date!
  • Two-factor authentication: This stops the bad guys in their tracks, because your computer alone isn’t enough to let them log in where you’ve got two-factor authentication enabled.
  • Login alerts: This might be the way you find out you’ve got a problem. It doesn’t prevent logins, but it lets you know when something fishy happens.
  • Good online security practices: Follow good online security practices in general, to avoid having this happen again.
  • Reinstall your operating system: Nobody like this possibility, but if your computer has been compromised, this is the only surefire way to make sure it’s clean again. Anti-malware tools are good, but they don’t catch everything.

What doesn’t help?

  • Changing your password. The bad guys already have a way to steal your password. As soon as you change it, they can steal it again.
  • Encrypted WiFi and/or https. Those are best practices, but they encrypt the network traffic. They don’t encrypt your computer, and that’s where your password was stolen. Encrypted network activity doesn’t stop them, in this case.

Scenario 4: The bad guys physically stole your computer or smartphone. If you’ve saved a password so you don’t have to retype it every time, the bad guys don’t need to know your password. You’ve saved it for them.

What helps?

  • Two-factor authentication: Again, this stops them dead in their tracks if they try to log into your accounts. Having your computer isn’t enough. Cautionary note: Typically, two-factor authentication involves the use of your smartphone. If the bad guys have stolen both of your “two factors,” you’re in trouble. As good as two-factor authentication is, it doesn’t solve every security problem.
  • Login alerts: This could be your tip-off that something’s wrong.
  • Changing your password: Change any password that might have been saved on your stolen device. Use your password manager to do this, so you can get long, random, unique passwords.
  • Reporting your stolen property: Of course, you should also contact the police if your computer is stolen.

Scenario 5: The bad guys stole a bunch of passwords from some site you use, and you use that same password elsewhere.

What helps?

  • Two-factor authentication: Same story as above. The bad guys can’t log in as you if your password isn’t enough to get you logged in.
  • Password manager: If you’re using a password manager to generate a unique password for every site, you’ve contained the damage the bad guys can do. At worst, they’ve got your password for exactly one site.
  • Login alerts: This tips you off about suspicious activity.
  • Changing your password: Of course, generate a new long, random password for the site that was compromised.

Jim B