Fresh back from my fourth, yes FOURTH account hacking (the third was intercepted by ANet and unsuccessful though – of course this was less than ten days before the fourth), I felt it beyond necessary to find out HOW online accounts are hacked (this isn’t specific to gaming, just in general) in order to best prevent it in future.
What follows comes from mistakes I have made myself, mistakes I have read of other people making, back-door access I’ve read about and the methods used for learning passwords.
Username email addresses
Up until two days ago, with the exception of Guild Wars, every single one of my online accounts was tied to the same email address.
When a hacker has your username, they already have half of the data they need to access the account they’re interested in. Using the same email address for more than one account that you actually care about hands over half the data needed for anyone to access those accounts. (My basic utility accounts use the same log-in, but I’m fairly sure hackers have no interest in my gas and television services. Likewise, I’m not about to change my log-in for Pizza Hut.)
After so much trouble with account security, this has afforded me a wealth of possible usernames and now none of them have gone to waste. The five services I use most often/feel most concerned about in terms of security breaches now each have a separate username associated with them.
Potential mistakes with multiple emails
*Having the SAME string of characters at the start of the email. For security purposes, many services mask out portions of an email address when displaying it, but if the recovery email starts and ends with the same letters as the account address – well, that’s the FIRST address they’ll try.
*Using the same email address as recovery for all your other email addresses. No matter how secure you think this email address is, if it IS breached then you’ve just given away access to ALL of your other email (at least any addresses that are known). Pairing email recoveries together seems a sensible idea here – a recovers to b, b recovers to a, c recovers to d, and so on.
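The point about recovery chains can be checked mechanically: if an attacker controls one address, they can reset every account that recovers to it, and then every account that recovers to those, and so on. The following added example (my own, not from the original post; the address names are constructed) walks that reversed recovery graph and reports the blast radius of a single breach for the "one recovery address for everything" layout versus the paired layout suggested above.

```python
"""Blast radius of one compromised email in a recovery-address graph.

Added example; the address names below are constructed for illustration.
"""
from collections import defaultdict


def compromised_set(recovery, breached):
    """Return every address an attacker can take over starting from `breached`.

    `recovery` maps an address to the address its password-reset emails go to.
    Control of a recovery address lets you reset every account that recovers
    to it, so we walk the reversed graph transitively.
    """
    recovered_by = defaultdict(set)
    for account, rec in recovery.items():
        recovered_by[rec].add(account)

    seen = {breached}
    stack = [breached]
    while stack:
        addr = stack.pop()
        for account in recovered_by[addr]:
            if account not in seen:
                seen.add(account)
                stack.append(account)
    return seen


def worst_case(recovery):
    """(size, address) of the single breach with the largest blast radius."""
    addresses = set(recovery) | set(recovery.values())
    return max((len(compromised_set(recovery, a)), a) for a in addresses)


# Constructed layouts (assumed, not from the post).
HUB = {"a": "hub", "b": "hub", "c": "hub"}        # one recovery address for all
PAIRED = {"a": "b", "b": "a", "c": "d", "d": "c"}  # a<->b, c<->d as the post suggests

if __name__ == "__main__":
    for name, layout in (("hub", HUB), ("paired", PAIRED)):
        size, addr = worst_case(layout)
        print(f"{name}: breaching {addr!r} exposes {size} of "
              f"{len(set(layout) | set(layout.values()))} addresses")
```

With the hub layout, losing the hub address exposes every account; with pairing, any single breach is contained to two addresses.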
Securing your emails
*Two-way verification is a good thing. Use it. I’m particularly impressed with Microsoft’s app – this doesn’t require a code (which someone could luck into) but needs you to actually use your smartphone to approve access.
*Regularly untrust devices if you are able to (Yahoo does not give this option – Google and Microsoft Outlook both do).
*If a service insists on security questions, use these to your advantage. Don’t answer the questions honestly; instead, treat the answers as two additional passwords.
*If a service allows you the opportunity to create a sign-in seal, use it (this is where Yahoo has just about its only advantage). This prevents you accidentally signing in via a fake site and giving away your log-in details.
Passwords
ANet has a leg-up here by blacklisting passwords. I’m not sure if EVERY password ever created for Guild Wars is unable to be reused, but they’re certainly off to a good start.
*There are common password patterns – the most common being to start with a capital letter and end with digits or special characters
*The most common digit used in passwords is 1
*The most common special character is !
*There are programs that work out the order of characters in a password (I don’t know how these work)
*Hackers will start by trying with the most common password components looking for a match
*A 30-character password consisting of all lowercase letters WILL take orders of magnitude longer to crack than a 6-character password containing a mix of character types.
*A 30-character password that mixes all character types will take longer to crack than the 30-character password only using lowercase letters.
*If someone has sufficient information about you, they can reset the password on your account without ever logging into it themselves.
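The two length-versus-complexity claims above come straight out of the size of the search space, and the "capital first, digits or ! last" pattern is something a password policy can refuse outright. The following added example (mine, not from the original post) computes the keyspace and entropy for the 6-character mixed and 30-character lowercase/mixed cases, estimates exhaustive-search time at an assumed guess rate, and flags passwords in the common shape described above.

```python
"""Keyspace, entropy and a common-pattern check for password policies.

Added example; the guess rate is an assumed figure for illustration only.
"""
import math
import re

LOWER = 26   # a-z
MIXED = 95   # printable ASCII: upper, lower, digits, punctuation


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of that shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Years needed to try every password in the keyspace at the given rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / (365 * 24 * 3600)


# "Capital letter, then lowercase word, then digits and/or !" as the post describes.
COMMON_PATTERN = re.compile(r"^[A-Z][a-z]+[0-9!]+$")


def matches_common_pattern(password):
    """True when the password has the common shape a policy should reject."""
    return COMMON_PATTERN.match(password) is not None


if __name__ == "__main__":
    RATE = 1e10  # assumed guesses per second, purely illustrative
    for length, alphabet, label in ((6, MIXED, "6 mixed"),
                                    (30, LOWER, "30 lowercase"),
                                    (30, MIXED, "30 mixed")):
        print(f"{label:13} {entropy_bits(length, alphabet):6.1f} bits, "
              f"{years_to_exhaust(length, alphabet, RATE):.3g} years to exhaust")
    for pw in ("Password1!", "correcthorsebatterystaple"):
        print(f"{pw!r}: common pattern = {matches_common_pattern(pw)}")
```

The 30-character lowercase keyspace is roughly 10^30 times larger than the 6-character mixed one, which is the "orders of magnitude" in the bullet above; going to a mixed alphabet at the same length adds a further ~56 bits.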