There's a blog entry that talks about account security.
It does this because we've had a wave of account-hackings followed by hackers deactivating the account lately. This sucks, in large part because there's very little we can do about it. Let me explain...
The source of the hacking is mostly bad passwords and insecure email addresses. There's probably also some more-elaborate social hacking going on, but every case I'm personally aware of has either involved an easily-guessed password or a broken-into email account.
If someone knows your password or has access to your email, we cannot tell that they're not you. At least, not in a way that would distinguish from you trying to log on from a friend's house... we can see that you're connecting from a new IP address, but we don't know what that means. For the purpose of your online identity, your email account is you; it is the master key to all of your other accounts.
If your password is "123456" or anything else on a list like this, change it. If your password is the same as your username, or your real name, change it.
If your email address is visible on your profile, and it's on hotmail, stop using hotmail if at all possible. Hotmail is a curse upon both our houses, largely because if you're inactive for a little while they'll return your address to the pool of available addresses and someone else can register it. If it's not on hotmail, at least make sure you have a decent password.
The "security questions" on your email account are also your password. If they're easily guessed by someone who can look at publicly available information about you, that lets them steal your account. "What is my mother's maiden name?", "Where did I go to high school?", etc... these are researchable, at least if you have enough information available on your profile to provide a starting point.
Of course, security questions are only a vulnerability if you're being personally targeted. Someone who just wants to hack as many accounts as possible would run around trying common passwords and give up on anyone who wasn't vulnerable to that. Still, it's worth worrying about.
We're also doing some things on our end to protect against session hijacking or people using your account when they have access to your computer while you're logged in.
- We're making sure that there are no loopholes that let you change your password or email address without providing your current password.
- We're making account deactivation reversible, so there's not a quick one-button way to wipe you out.
- We're increasing password standards, so in the future users won't be so vulnerable to having their password guessed.
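As an added illustration (not code from the site in question), here is how the password rules above and the "current password required for any email or password change" check can be enforced together. The common-password list is a constructed five-entry stand-in for the real list the post links to, and the account record and minimum length are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a common-password list; a real site would load a
# large published list like the one the post links to.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123"}
MIN_LENGTH = 10          # assumed policy value
PBKDF2_ROUNDS = 100_000  # assumed work factor


def password_problems(password, username, real_name):
    """Return the reasons a candidate password is rejected (empty = accepted)."""
    problems = []
    lowered = password.lower()
    squashed = lowered.replace(" ", "")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if lowered == username.lower():
        problems.append("same as username")
    if squashed == real_name.lower().replace(" ", ""):
        problems.append("same as real name")
    return problems

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; store only (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def change_credentials(account, current_password, new_email=None, new_password=None):
    """Apply an email/password change only after re-checking the current password,
    so a hijacked logged-in session alone cannot lock the real owner out.
    Returns the reasons the change was refused (empty list = applied)."""
    if not verify_password(current_password, account["salt"], account["digest"]):
        return ["current password required"]
    if new_password is not None:
        problems = password_problems(new_password, account["username"], account["real_name"])
        if problems:
            return problems
        account["salt"], account["digest"] = hash_password(new_password)
    if new_email is not None:
        account["email"] = new_email
    return []
```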
But none of this can protect you if they get your email account, which is why this is a very annoying problem for us.