If you are like most internet users, at some point you have thought about how to protect your home computer. More than likely, you’ve got antivirus and/or internet firewall protection installed and use strong passwords to protect everything from your bank and social media accounts to online shopping and auto bill pay services. But what about your email?
People will often use an “easy-to-remember” password to access email because it’s something they do quite frequently, or they just don’t think it’s that important. After all, there is no money in that account or being exchanged, so how important could it be?
Almost every one of your banks, as well as your frequent flier program, credit card account, etc., has a “Password Recovery” option somewhere on their login page. That option will (usually) send you an email, with a temporary password or web browser link for you to use to log in and get access. This is great, in theory: it’s convenient, allows you to complete your task and saves the company money by not having to deal with expensive customer support calls. However, it also means that if someone wants to gain access to any of those accounts, they don’t need to know your password to that account – they only need access to your email. That makes your email password possibly the most valuable one you have.
What can you do?
There are a number of ways to protect yourself. Here are just a few:
1) Use a strong password for your email
Sounds simple, right? It is, but you do need to remember this password. Passwords for email accounts are generally harder to recover, and where they are not, the account usually isn’t really protecting you properly. The major webmail providers generally offer very robust ways to secure your account and still provide password recovery for your email login (see #3 below).
2) Don’t use the free account from your ISP (Internet Service Provider)
The “free” email account that comes with your broadband internet service is usually pretty weak on a number of fronts: bad security, poor features/user experience, weak password recovery processes, and an email address you’ll lose (and need to notify everyone on your contact list) if you ever change internet providers.
3) Sign up for a free account from a big provider like Outlook.com or Gmail
Microsoft and Google have been doing this for a while, and they have created very robust and intelligent mechanisms for enabling you to authenticate when you need to, recover your password when you need to, and still keep the bad guys out. They do this, among other methods, by asking you to register a mobile phone number or other form of “alternate” contact information, so that they can contact you in that manner to provide a temporary password if you should ever need one.
In addition, the big players (including some social media sites like Facebook) have implemented “risk-based” models for determining if a given login is really you, based on such data as where you are logging in from, which means that even if a hacker in another country knows your password, they still wouldn’t be able to successfully log in. This risk-based model is a topic for in-depth discussion in a future post, but suffice it to say, the service providers with the deepest pockets seem to be doing the best job on that front at the moment.
Finally, a note on email domain names. One feature offered by the two email services previously mentioned (as well as many other mail services) is the ability to use a domain name registered by you for your own personal use, rather than the one they provide by default (e.g. firstname.lastname@example.org instead of email@example.com). While there are some minor security implications, a personal domain is also a way to ensure that you never have to change your email address, as well as often making your address more memorable for other people. The process for using a custom domain in Outlook or Gmail is fairly straightforward for anyone with modest technical skills, and registering a personal domain is relatively simple, with several low-cost options available.
In summary, think about how you use and protect your email; even though your email account doesn’t contain any funds, it can be used to gain access to the many accounts that do. Once that happens, it can be difficult to bring all those accounts back under your control.