Some tips after someone may have tried to hack my email accounts

Last Thursday I received an email from Google notifying me that someone had logged in on a new device with one of my email accounts. As it was an old account and I was busy, I didn’t do anything. A few hours later I received another email notifying me that someone had logged in on a new device with my personal email account. At that moment I got scared, so I quickly logged in to both Google Accounts and changed their passwords.

Reviewing the emails that Google sent me, I could see that someone using a Windows computer in Las Vegas had logged in once to my email accounts. It seemed really weird. No emails had been sent or received. If someone had really tried to hack me, they would have done something like changing the password or retrieving passwords from external services.

New security setup

Anyway, changing my passwords was long overdue; I had been meaning to do it for almost a year. This has forced me to rethink my security setup. I’ve been reading articles all morning and setting up the new configuration. I’m not going to describe my exact choices here, but I can share some tips:

  • Use a Password Manager for almost all your passwords (except your email). There are many great ones available: LastPass, Dashlane, Sticky Password, LogMeOnce, etc. They are worth the money.
  • Download their browser extension for Chrome/Safari/IE and their app for your mobile.
  • Once you have set it up, go to your most visited websites (except your main email accounts) and change their passwords. Use generated passwords (more than 12 characters, with letters, numbers and symbols); you don’t need to know any of them.
  • For months you will keep coming across websites where you had an account. Before doing whatever you went there to do, generate a new password and save it in the Password Manager.
  • Remove all your saved passwords from Google Chrome and Apple Keychain. Keep your passwords only in the Password Manager.

Building a safe Master Password

If you do this, you will only have to remember the master password for your Password Manager and a password for each of your main emails. This is my recommendation to build and remember them:

  1. Think of a phrase (“My family and I used to go to Barcelona on Christmas”) and pick some letters from each word. They can be the first, the second or some mix. Some of them should be uppercase.
  2. Add numbers in the middle, replacing some letters or not. Don’t use the usual substitutions (3 for e, 1 for i, 0 for o…).
  3. Add some symbols.

Following that example, we could have built m1F&IutogtoBonC9. It has a good mix, it’s memorable for me but unintelligible to you, and it’s long enough.

You have the option of using a completely different master password for your Password Manager and for your main emails, or you could add/remove something from that base (never use exactly the same one!). A simple example would be inserting the second and penultimate letters of the service’s name into the base password.

  • If it were for LastPass, I would add an a and an s. For example: m1aF&IutogtoBonC9s.
  • If it were for Gmail, I would add an m and an i. For example: m1mF&IutogtoBonC9i.
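To make the derivation rule concrete, here is an added Python example (it is not code from the original post) that reproduces the two worked variants above and checks the post’s strength rule of thumb (more than 12 characters, with letters, numbers and symbols). The exact placement of the inserted letters (the second letter after the first two characters of the base, the penultimate letter appended at the end) is read off the two examples rather than stated by the post, so it is an assumption of this example.

```python
import string
from typing import Dict, Tuple

# Added example, not from the original post. It implements the post's
# per-service variant scheme (as inferred from the LastPass and Gmail
# examples) and a simple check of the post's strength rule of thumb.

SYMBOLS = frozenset(string.punctuation)


def service_letters(service: str) -> Tuple[str, str]:
    """Return the second and penultimate letters of a service name.

    The post's examples: "LastPass" -> ("a", "s"), "Gmail" -> ("m", "i").
    Case is ignored so "GMail" and "gmail" derive the same letters.
    """
    name = service.lower()
    if len(name) < 3:
        raise ValueError("service name must be at least 3 characters long")
    return name[1], name[-2]


def derive_service_password(base: str, service: str) -> str:
    """Build the per-service variant of a base password.

    Assumed placement (matches both worked examples in the post): the
    second letter goes right after the first two characters of the base,
    the penultimate letter is appended at the end.
    """
    second, penultimate = service_letters(service)
    return base[:2] + second + base[2:] + penultimate


def strength_report(password: str, min_length: int = 13) -> Dict[str, bool]:
    """Check the post's rule of thumb: more than 12 characters, and a mix of
    lowercase, uppercase, digits and symbols. Each key is one requirement."""
    return {
        "long_enough": len(password) >= min_length,
        "has_lower": any(c.islower() for c in password),
        "has_upper": any(c.isupper() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(c in SYMBOLS for c in password),
    }


def is_strong(password: str) -> bool:
    """True only when every requirement in strength_report() is met."""
    return all(strength_report(password).values())


if __name__ == "__main__":
    base = "m1F&IutogtoBonC9"  # the base password from the post's example
    for service in ("LastPass", "Gmail"):
        variant = derive_service_password(base, service)
        print(f"{service:9s} -> {variant}  strong={is_strong(variant)}")
    # A weak password fails several checks at once: no uppercase, no symbol, too short.
    print("password123 ->", strength_report("password123"))
```

The derivation is deterministic by design (that is what makes it memorable), which is also its limit: anyone who learns one variant and the rule can reconstruct the others. That is exactly the caveat the post makes later about the base changes not being obvious, and it is why the strength check is applied to the variants as well as to the base.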

Two-step authentication

After changing your email passwords, you should enable two-step authentication on your most important accounts (Google Apps, Twitter, GitHub, Password Manager, etc.).

With this approach, if a website is hacked and it didn’t store our passwords safely, our other passwords aren’t compromised, as they don’t follow a pattern. And if one of our email passwords is compromised (through phishing), neither the Password Manager nor the rest are (unless the changes you made to the base were obvious).

Now that I’ve entered my new passwords 30+ times on both my laptop and my mobile, I’m used to them, and this new security configuration doesn’t seem like overkill ;)

Any other way to improve it?