How Web Accounts Get Hacked

Ryan D. Lang
Apr 19, 2011
Updated • Feb 26, 2014

Hacking into an e-mail, Facebook, or other account is often a crime of opportunity. That is not to say talented individuals with advanced knowledge are not a threat, but it can be easier than you think to expose your password. For those that have had their account compromised in the past, one of these methods could have been used to get your password.

The following is a short list of simple things you may not think about. In each, an opportunity is created... one you want to avoid. The idea is to tell you what not to do and why. Some advanced methods, like phishing attacks, are a bit more complicated than what is covered here.

1. Recovery E-mail Accounts Can Expire

A recovery e-mail account is method a lot of systems use to help you get back into an account that you have lost the password for. This could be for a site like Facebook or for another e-mail account like Gmail. The idea is simple. You ask the site to send you your password (some will just reset it). The site says: "Sure, it's been e-mailed to you." As long as you have access to that other account, you are just fine and dandy.

Check your recovery e-mail account every three months or so. If you do not, the account may be deleted. Someone else can now claim it. If someone claims that account accidentally and you reset your password, then you just lost control of your main account. If it was on purpose, then the next step is to simply go through the password recovery process.

My advice is to check this account before reading any further if you have not done so recently. This is the one tip that I found I had not followed when I heard about it. Fortunately, I grabbed the accounts back before someone else did.

2. Avoid Duplicate Passwords

An easy way to get hacked is to give a site your e-mail address and then use the same password at that site. The same goes if you use the same user name and password at two or more sites. If the site does not encrypt the password, then there is a huge problem. Anyone who works for the site and has access to this information (or gains it) now has everything they need to log-in to your account. While most sites protect passwords, there are still ways for employees to get it. Attacks from within a company are actually the most common. At the least, use a different password for your e-mail account than everything else.

3. Beware Onlookers

Pay attention to your surroundings. A person standing behind you as you sign in to a website may not be as casual as they seem. In age where so many phones and MP3 players can record video, they don't even need to be facing you. If a person sees you enter your password, there is a good chance they can remember it.

4. Use Public Computers Differently

Watch the settings you use on public computers and always remember to sign out. Be sure to double check this. Most of us have formed habits from using personal computers. We often leave that little box checked "Remember me." underneath the sign in box. Some may click "Yes" to "Do you want to save this password?" after they log in. Forgetting to click "log off" when a session is finished is common place. This is convenient when it is a personal machine, but disastrous on a public machine. Your account is now as easy for someone else to get into as if it was their own personal machine. There are ways to steal passwords that are saved too.

5. Only Use Trustworthy Computers

Trust the computer you are using as much as you trust the owner. By trust, I refer to both the integrity and the aptitude of the person. For a person who lacks integrity, they may intentionally have software running that records what keys you press (called a "keylogger"). Companies in the U.S. can legally install them on any computer they own. For a person who lacks aptitude, they may unknowingly have spyware on there machine. Spyware can sometimes have the same abilities as a keylogger. In either case, once you use that computer to quick check your FaceBook, your account is compromised. If you used that password for you e-mail or banking, you have a larger problem.

6. Avoid Commonly Used Passwords

Do not use the name of your pet, child, team, favorite color, date, etc. as a password. Never use "password" as a password. Too many people use "123456" (at least at hotmail and rockyou). All of these are easy to guess. A cracking tool is not required to figure them out.

7. Guard Written Passwords

If you choose to write down a password, protect it like your life savings. Would you leave twenty dollar bills sitting around? Your password is much more valuable than that if it is used for your bank account. Nevertheless, I see passwords siting out in the open. It is not a bad idea to never write down your passwords, but the problems of that are obvious. There is no shame in writing them down, but keep them in a safe place... I'm thinking a safety deposit box at the bank.


In summary, while most of this stuff is common sense, I hope to help a few people avoid having their accounts compromised. Whether a person is just curious, or they have been a victim of the experience, it is only natural to ask how these things happen.

Lastly, remember the first rule of passwords: don't ever give them out or share them!


Previous Post: «
Next Post: «


  1. Mypasswordis12345 said on April 19, 2011 at 6:41 pm

    very good summary of the question thanks !

    1. Ryan D. Lang said on April 19, 2011 at 7:31 pm

      You’re welcome. Btw, ever seen Space Balls?

      1. Martin Brinkmann said on April 20, 2011 at 12:07 am

        Hehe that’s funny.

  2. Dany said on April 19, 2011 at 4:28 pm

    Recovery E-mail Accounts Can Expire.
    Thanks for the reminder.

    1. Ryan D. Lang said on April 19, 2011 at 7:18 pm

      Ya, that point isn’t mentioned enough. Since we only use the one main account, we can easily forget to maintain the other.

  3. David Macdonald Ajang said on April 19, 2011 at 4:03 pm

    And always keep your AV up-to-date to avoid password stealer trojans and keyloggers from infecting your computer.

    1. Ryan D. Lang said on April 19, 2011 at 7:14 pm

      Very true. That ties right into “Only Use Trustworthy Computers” too.

  4. SFdude said on April 19, 2011 at 11:44 am

    Very good points to remember, Martin.

    Thks for this post!

    1. Ryan D. Lang said on April 19, 2011 at 7:13 pm

      Martin is the editor. He valued provides direction gives final approval. I’m actually the writer. I really have to fill out that “About the Author” blurb. 8)

  5. argo said on April 19, 2011 at 10:52 am

    don’t know.

    I found bookmarks sync a little slow on big amount of bookmarks (I got for 1.5 Mb more or less) if compared to other services. So I’ve preferred usyng dropbox and update manually.

    1. Martin Brinkmann said on April 19, 2011 at 10:53 am

      wrong article?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.