
My email account compromised - advice?



Rugrat

Well-known member
Mar 13, 2011
10,224
Seaford
Use BT Internet and had notification that my email account has been accessed from Nigeria. If not me then suggest change p/w.

I've done that but worried because if they got the previous one then however they did it means they can get the new one. More worrying they can get any p/w to bank, cards etc. I'm not daft enough to write them down anywhere so I'm wondering just how they got it and how safe the others are.

Anyone got any experience of this?
 






Rugrat

Well-known member
Mar 13, 2011
10,224
Seaford
The notification is probably a scam

No. It wasn't an email, it was in their "notifications" tab. You can log in and see all account activity, when accessed, from where etc. It showed all my log-ins for the past 30 days or so and there was the Nigeria event (about 5 days ago).
 


Bozza

You can change this
Helpful Moderator
Jul 4, 2003
57,222
Back in Sussex
1. Change your password ASAP. Make the password strong - use all of lower case, upper case, numbers and punctuation.

2. For important services, and your primary email address is one of those, use a different password than you use anywhere else. That means, say, if someone compromises your Facebook account, they can't immediately access your email account.
 


beorhthelm

A. Virgo, Football Genius
Jul 21, 2003
35,993
Check your PC for spyware or malware BEFORE you change password, or do so and change again. If you use public PCs, including work, consider if they are properly secure. Don't use the same passwd for different forums/services/accounts. But don't be too fussy about passwords either: simple memorable ones for forums, strong ones for bank/key email. Use a couple of email addresses, with one "disposable" for signing up to stuff you don't care about. Consider, if you sign up to a forum or service, that they may not be trustworthy/competent and the details you use may be compromised.

See this advice on strong passwords.
 




Rugrat

Well-known member
Mar 13, 2011
10,224
Seaford
1. Change your password ASAP. Make the password strong - use all of lower case, upper case, numbers and punctuation.

2. For important services, and your primary email address is one of those, use a different password than you use anywhere else. That means, say, if someone compromises your Facebook account, they can't immediately access your email account.

Check your PC for spyware or malware BEFORE you change password, or do so and change again. If you use public PCs, including work, consider if they are properly secure. Don't use the same passwd for different forums/services/accounts. But don't be too fussy about passwords either: simple memorable ones for forums, strong ones for bank/key email. Use a couple of email addresses, with one "disposable" for signing up to stuff you don't care about. Consider, if you sign up to a forum or service, that they may not be trustworthy/competent and the details you use may be compromised.

See this advice on strong passwords.

Thanks ... will do. Is there a recommendation for checking spyware/malware? I have AVG (free) installed but assume there is something a bit more specialist to run one time?
 


El Presidente

The ONLY Gay in Brighton
Helpful Moderator
Jul 5, 2003
39,989
Pattknull med Haksprut
In relation to passwords, are there any apps/pieces of software that generate good passwords and act as a 'wallet' for you to store all of them in?
 


beorhthelm

A. Virgo, Football Genius
Jul 21, 2003
35,993
Spybot and Adware are well known. AVG is OK but focused on viruses. Need to think about likely places, real or online, where you've used your password recently. If you used a cyber cafe or signed up to a site with your normal user/password, that's probably where they got details from.
 




Rugrat

Well-known member
Mar 13, 2011
10,224
Seaford
Spybot and Adware are well known. AVG is OK but focused on viruses. Need to think about likely places, real or online, where you've used your password recently. If you used a cyber cafe or signed up to a site with your normal user/password, that's probably where they got details from.

Ta, know spybot will run that and will pay a bit more attention to passwords as your prev
 


beorhthelm

A. Virgo, Football Genius
Jul 21, 2003
35,993
In relation to passwords, are there any apps/pieces of software that generate good passwords and act as a 'wallet' for you to store all of them in?

There are, but there's two problems with this approach. Firstly, compromise the wallet and all your passwords are known instantly. You are probably better off writing them down at home (less likely to be burgled and you can hide the relation to site/usernames somehow). Password generators are fine but tend to create random strings that are horrible to remember. Better to use a random word generator and string two or three together, 12-15 char minimum where it matters. Really, the main target is to not be obvious (so "golfgti" on a golf forum would be stupid) or common ("password" is ridiculously common apparently); the hackers will move on to low-hanging fruit. Unless you've been compromised with a keylogger, in which case it's academic what the strength of the password is.
 










CheeseRolls

Well-known member
NSC Patron
Jan 27, 2009
6,217
Shoreham Beach
Have to say I don't use any of these products. Mainly because I use a mixture of Windows, Android and sometimes Linux. Cross-platform licensing seems to get too expensive. Apple-only folks should consider 1Password from AgileBits.
 




DanielT

Well-known member
Have to say I don't use any of these products. Mainly because I use a mixture of Windows, Android and sometimes Linux. Cross-platform licensing seems to get too expensive. Apple-only folks should consider 1Password from AgileBits.

I use LastPass across all platforms (except Apple because [insert can of worms here]).

Only reported problem wasn't a problem, just the development team being extremely paranoid.
 


Spimunk

Member
Jun 17, 2011
36
West Sussex
Last Pass

I use a service called Last Pass https://lastpass.com/index.php?fromwebsite=1 and find it great. It has a browser plug-in for all the major browsers and a login link for mobile devices such as iOS, Android etc. All you do is change your password on the sites you use by creating a random secure password for each one, so each site has its own password. Instead of needing to remember or write these all down, you use your master password for Last Pass to log in to their service and hit the browser plug-in button, or bookmark on a mobile device, and it logs you in as long as you've saved the details within Last Pass.
 


Bozza

You can change this
Helpful Moderator
Jul 4, 2003
57,222
Back in Sussex
These two bits of advice seem to be conflicting.

Both will be sufficiently strong. Passwords are rarely cracked by brute force as most systems protect against this.

The 3 random word approach falls down when a system forces you to use mixed character sets.
 


Bozza

You can change this
Helpful Moderator
Jul 4, 2003
57,222
Back in Sussex
I use a service called Last Pass https://lastpass.com/index.php?fromwebsite=1 and find it great. It has a browser plug-in for all the major browsers and a login link for mobile devices such as iOS, Android etc. All you do is change your password on the sites you use by creating a random secure password for each one, so each site has its own password. Instead of needing to remember or write these all down, you use your master password for Last Pass to log in to their service and hit the browser plug-in button, or bookmark on a mobile device, and it logs you in as long as you've saved the details within Last Pass.

http://www.pcworld.com/article/227268/lastpass_ceo_exclusive_interview.html
 




Dominoid

Albion fan in Devon
Jan 6, 2011
557
Plymouth, United Kingdom
These two bits of advice seem to be conflicting.

Bozza's suggestion is the common practice in IT, however I agree with XKCD that using a combination of unrelated words is easier to remember with a potentially better level of security than a shorter random character password.

Also it's worth noting that writing down passwords at home is unlikely to get them stolen. The types of criminal that break into houses and the type that steal data are seldom one and the same. If a burglar sees a Post-it note with a password near your computer they will generally only take it if it's attached to something they are stealing.
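
Added example, not part of any post in this thread: a Python sketch of the two approaches discussed above (random words strung together versus a random-character password), with the entropy of each and a variant for sites that force mixed character sets. The function names and the 16-word sample list are assumptions made for the illustration; the entropy figures assume the attacker knows the scheme and the word list.

```python
import math
import secrets
import string

# Constructed 16-word sample so the block runs offline; a real generator would
# load a large published list (the EFF long list has 7776 words).
SAMPLE_WORDS = ["anchor", "bramble", "cactus", "dolphin", "ember", "falcon",
                "glacier", "harbor", "island", "jigsaw", "kettle", "lantern",
                "meadow", "nutmeg", "orchid", "pebble"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def entropy_bits(choices, picks):
    """Bits of entropy in `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)

def passphrase(words, count=3, min_len=12, sep="-"):
    """Join `count` words chosen with the OS CSPRNG; enforce the length floor."""
    shortest = count * min(len(w) for w in words) + (count - 1) * len(sep)
    if shortest < min_len:
        raise ValueError("word list can produce phrases shorter than min_len")
    return sep.join(secrets.choice(words) for _ in range(count))

def with_mixed_sets(phrase):
    """Adapt a phrase for a site that demands upper case, a digit and punctuation."""
    return (phrase.capitalize() + secrets.choice(string.digits)
            + secrets.choice(string.punctuation))

def random_password(length=12):
    """Uniform random string over all 94 printable ASCII symbols."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def comparison():
    """Entropy of each scheme, assuming the attacker knows the scheme and list."""
    return {
        "3 words, 7776-word list": entropy_bits(7776, 3),
        "4 words, 7776-word list": entropy_bits(7776, 4),
        "4 words, 2048-word list": entropy_bits(2048, 4),
        "8 random chars": entropy_bits(len(ALPHABET), 8),
        "12 random chars": entropy_bits(len(ALPHABET), 12),
    }

if __name__ == "__main__":
    print(with_mixed_sets(passphrase(SAMPLE_WORDS)), random_password())
    for scheme, bits in comparison().items():
        print(f"{scheme:26s} {bits:5.1f} bits")
```

The 16-word sample list yields only 12 bits for three words, so the strength of a word passphrase comes from the size of the list and the number of words, not from its character length.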
 



