Is Changing My Password Enough?

I regularly hear from people who’ve had their email or other online account compromised, are able to recover access to it, and change their password, only to have the account stolen again almost immediately.

The problem is simple, but the solution is a bit of work.

First, you have to realize that while someone else has access to your account, they have access to everything related to that account.

As a result, changing your password just isn’t enough. You need to do more.

Recovery information

You authenticate with most online systems by providing a user name and a password. Your user name might well be publicly visible, but your password should be known only to you.

Most systems also provide a mechanism whereby you can recover or reset your password should you forget it. They use a variety of means, but they all boil down to the same thing: they use one or more additional pieces of information — often referred to as recovery information –– to validate that you are who you say you are, and thus entitled to regain access to the account.

It’s that recovery information that presents the greatest risk once your account has been compromised.

Let’s look at some examples of what I mean, why it’s a risk, and what you should do about each, in addition to changing your password.

Email addresses

Many, if not most, online accounts require your email address. In the case of an email account (like, Gmail, or the like), there’s also often an “alternate” email address.

Systems often provide the ability to send a password reset message to the email address of record, or the alternate email address, should you lose your password. Since only you could have set it up, by definition, that email address should be yours. Your ability to receive a message at that address confirms you are the rightful account holder.

Once your account has been compromised, a smart hacker will immediately change the email address or alternate email address to one he or she has access to. That way, if you request a password reset, they’ll get it, not you. Similarly, if you change the password, all the hacker has to do is request a password reset, and she’ll regain access to the account.

What you should do: once you’ve regained access to your account, immediately verify that all email addresses associated with that account are yours. If they aren’t, change them right away.

Secret questions

It’s falling out of favor these days, but as a second layer of security, many systems have you set up answers to security questions. The answers you choose verify your identity should you lose your password, and so are questions only you should know, such as your mother’s maiden name, the name of your first pet, or your favorite teacher. If you forget your password, the system asks you one or more of these questions. If your answer matches what you set up originally, then you must be who you say you are, and you regain account access.

One of the problems with the technique is that often, the answers aren’t secret at all. Even a little browsing on your social media sites can tell potential hackers a great deal about you, including many of the answers to these so-called secret questions.

Of course, once a hacker has access to your account, he can change all the answers to his own. That way, should you regain access to the account and change the password, she can just invoke the password recovery mechanism and regain access herself.

What you should do: once you’ve regained access to a hacked account, change all your secret answers immediately. Even if they’ve been untouched, the attacker could simply have written them down. Change them to something new — ideally, answers that are completely unrelated to the questions, but that you’ll remember in the future.

Mobile numbers

Many service providers are now replacing secret questions with the use of mobile or phone numbers instead. The concept is that when account recovery is needed, they can text or voice call that number with a code. You provide that code, which proves you are in possession of the phone. Since you set up that phone number, you must be the authorized account holder.

By now, you probably realize that once a hacker has access to your account, they can and do change that number to be their own, too. Any mobile-based account-recovery attempts are now redirected to the hacker.

What you should do: as soon as you get back into your hacked account, confirm that the phone numbers associated with it are still your own.

Billing information

It’s rare, but some systems use billing information, such as a credit card number already on file, or your billing address, in account recovery-and-validation attempts. If you have this kind of information on file, a) a hacker may be able to start using it, potentially racking up charges that you may or may not be liable for, and b) a hacker can change it, so if it’s used for account recovery purposes, it’s the hacker who regains access, not you.

What you should do: change or remove this information as soon as you get your account back, and check with your credit-card provider immediately for any improper charges.

The bottom line

By now, you should see a distinct pattern: any and all information that can be used to recover your account should be validated, removed, or changed the instant you get your account back. That includes personal information, PINs, secret questions and answers, alternate email addresses, and more: anything the system you’re dealing with might use for account validation and recovery.

If you don’t, and the individual who hacked your account has even half a clue (and many do these days), it’s very possible you could recover your account only to find it hacked again within hours or minutes.

You should also consider increasing the security of your account by adding two-factor authentication to prevent future hacks, as well as setting up any single-use or pre-defined recovery codes for those systems that support it.

This is an update to an article originally posted November 6, 2009

Originally published as Is Changing My Password Enough? on Ask Leo!