How to Protect Your Password From Getting Stolen

Did someone get your password? Here's how to prevent it from happening again


Unfortunately, hacking into someone's web-based email account is easier than most people realize, and hackers go about it in a few different ways. Sometimes they use a well-known method called phishing. Some hackers guess passwords outright or use a password reset tool to create a new password without your knowledge and consent. The best way to learn how to protect your password from thieves is to understand how they steal passwords.

How Hackers Steal Passwords

Hackers frequently steal passwords using a technique called phishing — in which the hacker sends an official-looking email that directs a victim to a fake website or form. The victim enters a password on the fake site, which the hacker can then access.

For example, a hacker might send someone an email that says that the recipient's bank account password is too weak and needs to be replaced. The email would then direct the victim to a fraudulent website that can look remarkably like the site it's mimicking.

When the user clicks the link and lands on the page, he enters his email address and password, probably without ever suspecting anything is amiss. When he submits the form, the hacker might get an email that contains the account info and password, and with it full access to his bank account. A hacker could then log in as the victim, see his bank transactions, move money around, and maybe even write online checks.

The same concept applies to any website that uses a login, such as an email provider, credit card company, social media website, etc. If a hacker steals someone's online backup service password, for example, she can now see every file backed up and download them to her own computer, read the victim's secret documents, view pictures, etc.

A hacker can also gain access to someone's account by using the website's password reset tool. This tool is meant to help a user who has forgotten his password get back into his account, but if a hacker knows the answers to the user's secret questions, he can reset the password and then log in to the account with the new password he created.

Yet another method to hack someone's account is to simply guess the password. If your password is based on personal details (for example, a birthday, address, or phone number) or other simple phrasing, a hacker can get right in without any hesitation and without you even knowing.

Spotting a Hack Job

Each time you get an email about resetting your password, check the sender's email address to make sure the domain name (the part after the "@") belongs to the real company. It usually looks like "something@websitename.com." For example, "support@bank.com" typically would indicate that you're getting the email from Bank.com. Hackers can spoof email addresses, though, meaning the sending address can be faked, so a matching domain alone is not proof.

What to Do

Your best defense against password phishing is knowing what your banking sites look like, so you can spot fakes. If you know what to look for and are suspicious by default each time you enter your password online, you'll go a long way in preventing successful phishing attempts. There are a few other precautions you can take, too.

  • When you open a link in an email, check the address the browser actually lands on, not just the text of the link. If, say, a "whatever.bank.com" link takes you to "somethingelse.org," exit the page immediately.
  • Check that the first letters in the URL are "https." The "s" indicates that your connection to the site is encrypted; never enter any financial details at a site that is not secure.
  • If you get an email with a suspicious link, type the website URL directly into the navigation bar, rather than clicking the link.
  • Set up two-factor (or 2-step) authentication (if the website supports it) so that, each time you log in, you need both your password and a code. You'll receive the code via your email or your phone, so the hacker would need both your password and access to your email account or phone.
  • Choose complex questions for password reset security checks, or simply avoid answering them truthfully so guessing would be nearly impossible for a hacker. For example, if one of the questions is "In what town was my first job?", answer it with a password of sorts, such as "topekaKSt0wn," or even something completely unrelated and random like "UJTwUf9e."
  • This sounds obvious, but you'd be surprised at how many people have very simple passwords. Change those if you have them. Include capital letters, numbers, and special characters such as punctuation marks. If you have a very strong, secure password, chances are even you can't remember it (which is good); try using a free password manager so that you don't have to remember all of them. Google's Chrome browser has a secure password manager built right in.
  • Store sensitive information like your credit card or bank details only within online accounts hosted by companies you trust.
  • For online purchases, consider using PayPal (which offers another layer of protection). Another solution: Use a temporary or reloadable card so there's no balance a hacker can access.
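The sender-domain check from "Spotting a Hack Job" and the link checks from the list above, written out as a small Python script. This is an added example, not code from the original article; the trusted-domain list and the sample links and addresses are constructed placeholders, and the look-alike and "@" checks go beyond the article's own list.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the sites you actually bank or shop with.
TRUSTED_DOMAINS = {"bank.com"}

def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True if host is a trusted domain or a subdomain of one ("whatever.bank.com")."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def check_link(url, trusted=TRUSTED_DOMAINS):
    """Apply the article's link checks to a URL. Returns (ok, reason)."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if not host:
        return False, "no host name in link"
    if not host.isascii():
        # Look-alike hosts with non-ASCII letters can display like the real name.
        return False, "host contains non-ASCII characters"
    if parts.username is not None:
        # "https://bank.com@somethingelse.org" really goes to somethingelse.org.
        return False, "link hides the real host behind an @ sign"
    if not is_trusted_host(host, trusted):
        # "bank.com.somethingelse.org" fails: only a real subdomain of bank.com passes.
        return False, "host %r is not one of your trusted sites" % host
    if parts.scheme.lower() != "https":
        # Checked last: https means the connection is encrypted, not that the site is yours.
        return False, "link is not https"
    return True, "host and scheme look right"

def check_sender(address, trusted=TRUSTED_DOMAINS):
    """Check the domain after the @ in a From address. Returns (ok, reason)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed address"
    if not is_trusted_host(domain, trusted):
        return False, "sender domain %r is not one of your trusted sites" % domain
    # A matching domain is necessary but not sufficient: From addresses can be spoofed.
    return True, "sender domain matches (but From can still be spoofed)"

if __name__ == "__main__":
    # Constructed sample links and senders based on the article's scenarios.
    for sample in ["https://whatever.bank.com/reset", "https://somethingelse.org/reset",
                   "http://whatever.bank.com/reset", "https://bank.com@somethingelse.org/"]:
        print(sample, "->", check_link(sample))
    for sender in ["support@bank.com", "support@bank.com.somethingelse.org"]:
        print(sender, "->", check_sender(sender))
```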