What’s this weird post on my social feed? Did I get hacked? Those were my first thoughts when I noticed something odd on my account. Does changing your password stop hackers?
Yes, changing your password prevents a hacker who has your old password from logging back in. Updating it at the first sign of an attack limits the damage. One caveat: on many services an attacker's existing login session survives a password change, so also use the account's "sign out of all devices" option if it has one. Changing your password regularly also helps, because credentials that surface in data breaches are often old.
Remember that passwords are only a portion of the security puzzle.
So, how did this hacker get my password in the first place?
The easiest ways hackers learn your password are data breaches, credential reuse, and social engineering. Attackers find holes in a company's IT security and steal the account database. People often reuse the same username and password across sites, so one leak opens many doors. Hackers also use social engineering, psychological or technical tricks such as phishing pages, to get you to hand over your information.
Other attacks simply guess. Brute-force and dictionary tools try huge numbers of password combinations quickly, applying rules like capitalising the first letter or adding a year and an exclamation mark, and once a site's hashed password database has leaked this guessing runs offline with no lockouts to slow it down. Guessing takes longer than using a leaked password, but it works well against short or predictable ones.
Then, what can hackers do with your password?
They will change your password to one they control. The next step is to update the email address and other recovery information so you are locked out. Once the account is fully theirs, your username and password help them break into your accounts on unrelated websites. They may also use the account for financial gain, to damage your reputation, or to take over other people's accounts.
These outcomes can be scary stuff which brings us to…
Tip 1: Update Your Password With One From Your Password Manager
Most users pick a new password they can remember. This is the wrong approach. Passwords need to be long, random, and unique to each site.
A password manager usually includes a random password generator. Use the generator instead of your creativity for new passwords.
Store the newly generated password in the manager first, then update it on the target service, so a half-finished change can't lock you out.
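To show why the brute-force guessing described above works against human-chosen passwords and not against generated ones, here is an added Python example (it is not code from the original post). It runs a small dictionary-with-rules attack against a constructed, unsalted SHA-256 hash of the kind weak sites leak, then generates a password the way a manager's generator does and estimates its guessing work. The wordlist, the leaked hash and the rule set are all constructed for the demo and far smaller than a real cracker's.

```python
import hashlib
import math
import secrets
import string
from typing import Iterator, Optional

# Constructed "leaked" record: an unsalted SHA-256 of a human-chosen password.
# (Services should store passwords with a slow, salted hash such as bcrypt or
# Argon2; unsalted SHA-256 is used here only to mirror what weak sites leak.)
LEAKED_HASH = hashlib.sha256(b"Summer2019!").hexdigest()

# Tiny stand-in for a cracker's wordlist; real lists hold millions of entries.
WORDLIST = ["password", "summer", "letmein", "dragon", "monkey", "welcome"]


def sha256_hex(password: str) -> str:
    """Hash a candidate the way the constructed leak does."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(words) -> Iterator[str]:
    """Apply the kind of rules cracking tools use: capitalisation, a year or
    short number on the end, and a trailing '!'."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            yield f"{base}!"
            for n in range(2100):          # 0..2099 covers short numbers and years
                yield f"{base}{n}"
                yield f"{base}{n}!"


def crack(target_hex: str, words=WORDLIST) -> Optional[str]:
    """Offline guessing attack on one leaked hash: return the matching
    password, or None if the rule set never produces it."""
    for guess in mangle(words):
        if sha256_hex(guess) == target_hex:
            return guess
    return None


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password like a password manager's generator makes.
    secrets draws from the OS CSPRNG; random.choice is not suitable for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("cracked:", crack(LEAKED_HASH))
    pw = generate_password()
    print("generated:", pw, f"(~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits)")
    print("generated password cracked?", crack(sha256_hex(pw)))
```

The human-chosen password falls to a few hundred thousand cheap guesses because it is built from a dictionary word plus a predictable suffix. A 20-character generated password has about 131 bits of entropy, so no wordlist or rule set reaches it; the only route left is a full 94^20 search.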
Another sneaky tip is to…
Tip 2: Change Your Username Too
If your username is a short public handle rather than your email address, as on Twitter and Instagram, leave the handle alone; it is part of your public identity, and changing it gains little because most sites also let you log in with your email address or even a phone number.
But if the username isn't something other people rely on, as on Facebook, changing it to something random makes it one more thing an attacker has to guess.
If the username is your email address, we can still boost username security by adding a small change that doesn’t affect the function of the email address. Let me explain.
Adding a plus sign and a few extra characters to the first part of your email address will not break delivery. Gmail and many other providers ignore everything from the plus sign up to the @ when routing mail (this is known as plus addressing or subaddressing). In the Gmail example below, compare the current address with the new one (illustrative addresses):

|Current Email Address|New Email Address|
|---|---|
|yourname@gmail.com|yourname+twitter@gmail.com|

Gmail and many other providers deliver mail for the new address to the same inbox. Use any combination of letters between the plus and the @; I like to add the name of the service, which lets you pinpoint where a leaked email address originated. Two caveats: some sign-up forms reject a plus sign in an address, and anyone who sees yourname+twitter@gmail.com can strip the tag, so treat this as a tracking aid rather than a secret.
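As an added example (not code from the original post), the following Python shows both sides of plus addressing: tagging an address per service, and then, given a constructed password-dump excerpt, reading the tags back to attribute which service each leaked address was registered with. The dump lines and addresses are made up for the demo. It also shows why the tag is not a secret: the same normalisation an attacker would apply collapses every tagged variant back to the base mailbox (for Gmail this assumes, as is documented for Gmail, that dots in the local part are ignored too).

```python
import re
from typing import Dict, List, Optional, Tuple

# local+tag@domain ; the "+" separator is used by Gmail, Fastmail, Outlook.com
# and many others, but some sign-up forms reject it, so test before relying on it.
SUBADDRESS_RE = re.compile(r"^([^@+]+)\+([^@]*)@([^@]+)$")


def tag_address(address: str, tag: str) -> str:
    """Insert a +tag before the @ so mail still lands in the same inbox."""
    local, at, domain = address.partition("@")
    if not (local and at and domain):
        raise ValueError(f"not an email address: {address!r}")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", tag):
        raise ValueError("keep the tag to letters, digits, '.', '_' or '-'")
    return f"{local}+{tag}@{domain}"


def split_subaddress(address: str) -> Tuple[str, Optional[str]]:
    """Return (base_address, tag); tag is None when there is no plus part."""
    m = SUBADDRESS_RE.match(address)
    if not m:
        return address.lower(), None
    local, tag, domain = m.groups()
    return f"{local}@{domain}".lower(), tag


def normalize(address: str) -> str:
    """What an attacker does to a dump: drop the tag, and for Gmail drop dots
    in the local part too, so every tagged variant maps to one mailbox."""
    base, _ = split_subaddress(address)
    local, _, domain = base.partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


# Constructed excerpt of a leaked "email:password-hash" dump (fake data).
LEAKED_DUMP = """\
alice+twitter@gmail.com:5f4dcc3b5aa765d61d8327deb882cf99
a.lice+shop@gmail.com:e99a18c428cb38d5f260853678922e03
bob@example.net:098f6bcd4621d373cade4e832627b4f6
carol+forum@fastmail.com:d8578edf8458ce06fbc5bb76a58c5ca4
"""


def leak_origins(dump: str) -> List[Tuple[str, Optional[str]]]:
    """For each dump line, report (leaked address, service tag or None)."""
    origins = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        address = line.split(":", 1)[0]
        _, tag = split_subaddress(address)
        origins.append((address, tag))
    return origins


def mailboxes_hit(dump: str) -> Dict[str, int]:
    """Attacker's view: how many dump rows collapse onto each real mailbox."""
    counts: Dict[str, int] = {}
    for address, _ in leak_origins(dump):
        box = normalize(address)
        counts[box] = counts.get(box, 0) + 1
    return counts


if __name__ == "__main__":
    print(tag_address("yourname@gmail.com", "twitter"))
    for address, tag in leak_origins(LEAKED_DUMP):
        print(f"{address:30} leaked via: {tag or 'unknown'}")
    print(mailboxes_hit(LEAKED_DUMP))
```

Run it and the two Gmail rows, despite different tags and dot placement, collapse to one mailbox: that is exactly the grouping an attacker performs before credential stuffing, and the reason the tag buys you attribution of a leak rather than protection from one.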
Be sure to test the new plus-sign address before you update your account: send a message to it from another email provider and confirm it arrives.
You can also ask a friend to help you test. Here's a sample email or text message you can copy, edit, and send:
Hey, I'm trying out a new email address. Could you send me a test email at _____? Thanks.
Fill in your new email address on the blank _____ line before sending.
After you’ve successfully received your friend’s test message, you can update your username in your website’s settings using the new email address.
Remember also to update your username in your password manager.
Next, add a reminder in your calendar to…
Tip 3: Update Passwords Regularly
For your most important accounts, such as email, banking, and your password manager's master password, update the password on a schedule.
Data breaches containing passwords are frequently months or years old by the time they circulate. For sensitive accounts, changing your password every three months to one year shortens the window in which a password sitting in a hacked data set is still valid.
Some commercial password managers make this easy. LastPass, for example, has an automated password updater: from its Security Challenge screen you'll find a list of supported services, Twitter among them, each with an Auto-Change button.
It’s also vital to…
Tip 4: Stop Reusing Passwords
Leaked usernames and passwords might have come from a single company. Still, hackers know that people reuse credentials, so they try the same username and password on other, unrelated sites (an attack known as credential stuffing).
The ‘S’ in our SIMPLE password checklist says to Stop Reusing Passwords. Did you follow that advice?
But the hands-down best way to protect your accounts is to…
Tip 5: Turn On Two-Factor/Two-Step Authentication
The two most common forms of two-factor authentication are the less-secure SMS/text message approach, which can be defeated by intercepting messages or hijacking your phone number, and the safer option, an authenticator app on your smartphone, which generates one-time codes from a secret that never leaves your phone.
Other forms of multi-factor authentication include physical keys like a USB dongle and biometrics, most commonly a fingerprint reader or facial recognition.
We have a full article walking you through the 5 Easy Steps To Get Two-Factor Authentication & Why You Need It.
Yes, changing your password can stop hackers from gaining access to your accounts. But the password is only one piece of the broader security puzzle.
The weakest point in account security is the person using it. Poor security practices, above all reused and guessable passwords with no second factor, are behind most account takeovers.