We begin a series of posts on the importance of email security and why it should be a top priority for organizations. In this post, we share some insights from the founder of Alt-N Technologies, Arvel Hathcock, to get his perspective on security tips for email users.
Almost everyone has an email account. Many have more than one. Email is really at the core of online life because it is tied to so many of our online services. Look at your phone. Many of the service apps you see connect with you via your email account. This is why I believe the widespread practice of “password reset via email message” or “Forgotten Password” has crowned the email account password the most significant and important of all passwords.
That’s not to say that password management for services like online banking is not critical. It is. But having a strong password for banking and not for your email can expose you to some real dangers as well. Imagine if a hacker or other bad actor can figure out your email password. One of the first actions they could take is to log in and change your password. This locks you out. Next, they check through your inbox and folders looking for anything interesting, such as popular online services or banking portals. Now, they log in with your email address and use the “Forgotten Password” feature. Soon an email will show up in your inbox (which is no longer controlled by you) allowing them to confirm the change, and now another important service is no longer controlled by you. This email and others like it will allow a hacker to change all of your online passwords – all because they found your email password.
This is not good and it leads me to security tip #1: Put effort into the security of your email account password.
It can be the key to all your other passwords. Also, do not use your email account password with any other online account or service because you do not know and cannot control when it will be that service’s turn to get hacked.
Because of the risk mentioned earlier, I would also recommend users disable “Forgotten Password” features where possible and use an alternative method. As bad as “Forgotten Password” can be to reset access, the Question and Answer options can be risky, too. I was horrified years ago to discover that an online app for a banking chain reset my password using only the “Question and Answer” method – no email at all! You know – the questions some services ask like “What’s your mom’s name?” or “Where did you grow up?” etc. If someone can get the answers right, they can change the password.
This idea assumes that would-be hackers will always be outsiders without access to even basic information about their targets. You should use caution before completely trusting these methods. One trick I recommend is to select the question (it’s usually in a drop-down list) and enter a totally random and completely unpredictable answer (but one that you can remember, of course).
I realize these features exist for convenience, but remember that security can be reduced and new attack options exposed by these methods if they are not managed properly.