Your mailbox is a precious place; it contains information about your customers, your suppliers, perhaps even your loved ones, so it deserves to be secure against prying eyes. Hackers are targeting mailboxes more and more frequently due to email addresses being available in plain text on websites, social media pages and malware picking up address books. Email addresses are everywhere, so an attacker already has half of the information required to access your mailbox, the other half is your password.

Recent attacks

Attackers have recently started brute forcing their way into mailboxes and setting up forwarding rules so that another email address receives a copy of every single email the original recipient receives without the user’s knowledge. This could have severe consequences with GDPR legislation as personal information could end up with someone that it was not intended for.

Another company recently lost a large sum of money because an attacker got into a mailbox, went through sent messages and found an email to the company’s bank manager. The email had a Word document attached that had been signed by one of the company’s representatives. The attacker copied this letter, adjusted the payment details to go to another account, and then sent the letter to the bank manager who paid them the money as the letter looked so legitimate.

Creating a strong password

Whether you like it or not, there is information about you on the internet that attackers can find, so do not use guessable information in your password such as names, birthdays, anniversaries, sequences or old passwords/reused passwords. The longer your password is, the longer it will take a brute force attack to guess it.

With current computing power, a 9 character password without a symbol can be cracked in around 2 minutes, whereas a 13 character password without a symbol will take around 64 years of constant computational guessing to crack.

The strongest passwords consist of random words, not just random letters, including numbers and symbols. A password like “a85jp;35!” is difficult to remember, but can be cracked in minutes whereas a password like “Desk30Monitor!” will take over 100 years to crack, yet it is a lot easier to remember.

Password safety

Your password is personal to you, so no one else should ever know it, not even your IT provider! Do not ever write down your password, if you struggle to remember it then write down a hint in your phone (which should be protected with fingerprint access or a PIN code), not on a post-it you hide under the keyboard or stick on your monitor.

Do not re-use passwords. If a website that you’ve used the same password on gets breached, the first thing that attackers do is try that same email address and password combination on all other popular websites to see if they can get access to more information about you.

Extra protection

If a website gives you the option, setup 2 Factor Authentication (sometimes known as Multi Factor Authentication) which is usually a free service. It will require another piece of information as well as your password when you login. The second piece of information can be sent to you via SMS, or simply a notification via an app on your mobile phone that you need to accept in order to login.

A second option is to use a password manager that will generate random passwords for every website you use. This way if one of your accounts gets compromised, then none of your other accounts can be accessed with the same details. Just remember; never tell anyone the password to your password manager or any of your account passwords.

Best protection

The best protection you can have is a strong, secure password and use 2 Factor Authentication in addition to a password. For an attacker to gain access, they will then need your email address (easily obtainable), password (strong and secure enough so it can’t be guessed) and your mobile phone (which will need a PIN or fingerprint to access it). This does not make your account “unhackable”, but it will take so long to be able to brute force your account that no attacker will have the lifespan or patience to do it.

We can of course help to setup password policies and 2 Factor Authentication where available, so please contact us if this is something you’d like to review.