“Hacking” in some form or other happens to just about everybody at some point! It has happened to me and it has happened to very experienced web and security professionals, as I discovered in chasing down what had happened to me. The best you can do is try to minimize the damage that will be done. I learned of my damage when I received a blackmailing email that threatened to expose my questionable online activities unless I paid 400 Bitcoin to a link that was embedded in the email. Fortunately there are no questionable activities to expose.
The email contained my oldest existing email address (which is now gone) and a previous password which I hadn’t used for several years. I learned that the address and password had been stolen in an attack on some website to which I had previously subscribed. Email (or username) and password combinations are offered for sale in lists after they have been stolen.
I replaced the old email address with a new one (a bit of a process with notifications and log-in changes) and reviewed all of my current passwords to ensure that they all meet the following policy.
A couple of years ago after making myself more familiar with web security I created a new password policy for myself.
- I never use the same password on multiple sites;
- My passwords are between about 16 and 24 random characters, generally as long as a website will accept;
- I use a password manager to remember these for me and use a long, complex but memorable password for that;
- I have my computer, phone and tablet set to sleep after a short period of inactivity and to require a complex password for reawakening;
- I change my passwords at random intervals – the password manager generates long, difficult passwords;
- I check the strength of my collection of passwords with a utility in the password manager and last time I checked they were in the top 10%.
Frankly, it’s a bit of a pain sometimes, but it’s much less of a pain than discovering that someone has found a viable password combination and used it to steal from me.