
How not to have your Gmail hacked

In my last entry, I said “..how the hell she got her Gmail hacked in the first place? Now that, my friends, is another story. We’ll get to that in my next posting”.

To be frank, there could have been any number of social engineering methods behind how she got her Gmail hacked. But one thing is for sure: her Gmail password has been compromised. I am not going to divulge all of the possibilities, but some of the famous ones would be that:

1. She may be using a weak Gmail password.

What is a weak password, you ask? In a nutshell, it is anything that anybody could have guessed. Or more specifically, a password that uses words or phrases that are commonly used and are available in dictionaries. Words like “extrovert2010” or “hysteresis1973” may sound complex to some but believe me, hackers just need to run a dictionary attack against them, appending running numbers to each guess, and they will break them in no time. To make matters worse, Gmail itself does not impose any limit on the number of password tries.

2. She may be using a not-so-weak Gmail password that is still susceptible to intelligent guessing.

A hacker may resort to other means that are not really technical in order to break the victim’s password. If she has not been using English or Malay words that are available in dictionaries, perhaps she has been referencing people, events or groups around her. Say.. like.. her Facebook account? 🙂 Never underestimate the lack of awareness some people have with regards to Facebook’s privacy settings. I’ve seen lots of FBers who have turned their pages into open CVs – describing everything in their exciting lives, their jobs, their workplaces and the names of their spouses and kids. And even their birth dates! All of which hackers can use to guess their passwords. Ironically, this only works because ordinary folks usually pick passwords from the things around them so that they are easy to remember.

3. Her PC may have been hacked!

In fact, her PC may have already been part of a bot network (botnet) all this while. The hacker responsible for it may even have planted keylogger malware on it to record all her keystrokes. If that’s the case, a compromised Gmail account is the least of her problems right now. Imagine PayPal passwords! Maybank2U! CIMB Clicks! Wow.. this is bad.

So.. how on Earth can we ensure that our Gmail accounts cannot be hacked?

Actually, in my opinion, the measures we should concern ourselves with are simply the opposite of the items listed above. Perhaps with the exception of no. 3. PCs get hacked all the time. Don’t get me wrong. I am not saying that owners of hacked PCs deserve to get their Gmail accounts hacked as well. What I am saying is that, if they have somehow reached the point of having their PCs hacked, then Gmail password security is, relatively, not a major concern. They have lots of other issues to attend to. In other words, they should learn to secure the things they can directly control first (such as their PCs) before they work on securing things they don’t have much say over (such as attempts by other people to gain control of their Gmail accounts). Therefore, especially for no. 3, do not click arbitrary URLs you find on the Internet, coz depending on the vulnerabilities of your OS, it may open up a low-level connection to some hacker elsewhere. And please please refrain from using pirated software, as it often comes bundled with Trojan horse and backdoor malware that installs hand in hand with that fake MS Office of yours.

Getting back to the issue of how not to have your Gmail hacked, one must remember that the main entry point is of course the Gmail login. So your Gmail password is the main commodity here. Therefore, it is only logical that the password must be not only strong but also impossible for others to guess. And here goes:

1. Be sure to use a mix of lowercase and uppercase characters, and put in numbers and even punctuation.

Why? Coz this will definitely increase the attacker’s work factor. 1M@g1n3_tH15_@5_@_p455W0rD! Can you guess it? But mixing the cases and characters is still not enough if the underlying words are common nouns and verbs, as in this example: “imagine this as a password!”. Hackers (or rather crackers) will eventually be able to substitute each character with its possible and well-known variants. It would be damn hard repetitive work, but they are not going to do it manually. They will let their customised dictionary/brute-force attack applications do the automated guessing.

2. Which is why you should use words and phrases that are not in any dictionary in this world!

For example, try something like “kerabarunintolus” which, last time I checked, does not exist. :p It is a ridiculous word and has no meaning or effect or any value to you and your life, I know, but nobody else knows about it. And just for good measure, turn it into “K3r@B@rUn1nT0lu5”.
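The two rules above (mix the character classes, and start from a base word that is in no dictionary) as an added example, not code from the original post: a small Python checker that undoes the usual leet substitutions before looking each letter run up in a word list, so it flags “extrovert2010” and “1M@g1n3_tH15_@5_@_p455W0rD!” but lets “K3r@B@rUn1nT0lu5” through. The word list is a constructed stand-in holding only the post’s own examples plus a few common words; a real checker would load a full dictionary and the usual leaked-password lists.

```python
import re
import string

# Constructed stand-in for a real word list: the words from the post's examples
# plus a few common ones. A production checker loads a full dictionary here.
DICTIONARY = {
    "extrovert", "hysteresis", "imagine", "this", "as", "a", "password",
    "run", "love", "secret",
}

# The well-known substitutions a cracker's rule set undoes before the lookup,
# so the checker must undo them too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s"})


def alpha_tokens(text: str) -> list[str]:
    """Split into runs of letters; digits and punctuation act as separators."""
    return re.findall(r"[a-z]+", text.lower())


def dictionary_derived(password: str) -> bool:
    """True if every letter run, either as typed or after undoing leet
    substitutions, is a dictionary word: i.e. a word with numbers bolted on
    (extrovert2010) or a leet rewrite of a phrase (1M@g1n3_tH15...)."""
    for view in (password, password.translate(LEET)):
        words = alpha_tokens(view)
        if words and all(w in DICTIONARY for w in words):
            return True
    return False


def check_password(password: str) -> list[str]:
    """Return the weaknesses found; an empty list means the password passes."""
    findings = []
    if dictionary_derived(password):
        findings.append("built from dictionary words (even after undoing leet)")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    findings.extend(f"no {name} characters"
                    for name, present in classes.items() if not present)
    return findings
```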

3. The last one is perhaps just as important. Never use the same password elsewhere.

You cannot guarantee the security of that same password in another service where it is also used. For example, you may like “K3r@B@rUn1nT0lu5” so much that you also use it as the password for a lame PHP MySQL-based forum site. And guess what, the sysadmin of that little warez forum happens to store all passwords in clear ASCII. :p Now a good password has been compromised. And based on the Gmail address you used to register on the forum, it is a safe bet that the sysadmin will assume you use the same password there as well. Imagine if you use the same password everywhere!
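The forum’s clear-ASCII user table is the weak setting here; as an added example (not code from the post or from any real forum software), this shows the clear-text store beside what the sysadmin should have done instead: keep only a salted, deliberately slow hash, so a leaked table does not hand out a password that can be replayed against Gmail. PBKDF2-HMAC-SHA256 from Python’s standard library is one reasonable choice, and the iteration count is an assumption, not a value from the post.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def store_cleartext(users: dict, name: str, password: str) -> None:
    """What the post's warez forum does: anyone who can read the table can
    take the password straight to the victim's Gmail login."""
    users[name] = password  # weak: recoverable as-is by anyone with DB access


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Hardened form: random per-user salt plus a slow hash. 600_000 rounds is
    an assumed floor for PBKDF2-HMAC-SHA256, chosen here, not by the post."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    # Self-describing record so the cost can be raised later per user.
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def store_hashed(users: dict, name: str, password: str) -> None:
    """The corrected store: the table never holds the password itself."""
    users[name] = hash_password(password)
```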

That’s it for today. InsyaAllah, in my next entry, I’ll be writing about why hackers are so eager to crack Gmail accounts. What’s in it for them? What do they expect to find in other people’s Gmail? This is going to be interesting.

Until then, safe surfing!
