Let’s start with why it is really really really bad!
Say someone with a criminal mind had access to your inbox right now. What if they searched for “direct deposit”, “order number”, “receipt”, “password”, “account”, “autopay”, “invoice” or “payment”?
How easy would it be to know where you work, bank, shop, and play by looking in your inbox, sent and trash folders? What could they figure out about your kids, their school, your parents, friends, coworkers, etc.? What addresses would they have? Phone numbers? Schedules? Website links?
They might also have access to things like tax returns, account statements, medical records and resumes that have passed through your email account, all of which contain information that can be combined with other sources to piece together your life.
Once the hacker collects all this info they will try to access your web accounts with the password they just hacked. If that doesn’t work, they can use the “forgot my password” feature on site after site until they find one that sends the password instead of resetting it. Then that password gets tried on everything to see what other sites use it. Hackers are tenacious and will chip away day after day, undetected, until they have everything they want.
When all else fails they can reset your passwords, log in as you and hijack your entire online existence. They can shut down balance alerts, start moving money around, and send emails in your name asking your contacts to click on links that are back doors into their lives. They will create new accounts with your email and delete all the confirmations from your inbox so you have no idea these accounts exist, and use them for as long as they need. With your email and passwords, they can do pretty much whatever they want.
Bottom line, a criminal having access to your inbox is not good, and it opens you up to all kinds of headaches and embarrassment that can take years to recover from.
So who is really at risk?
Anyone on Gmail for business or Office 365 is in a much better place than a small company that runs its own email server, because these services know they are a huge target, stay on the cutting edge to keep in front of the evil, and do a great job. The chance of a hacker getting your password with a brute force attack on your cloud account is probably low.
But if you have your own email server and are not a Fortune 500 company with a multimillion dollar IT budget, you are crazy to think you’re safe. You are not dealing with “if you get hacked”, it’s “when you get hacked”, which is why I don’t even deal with self-hosted email servers anymore (unless you are paying me to migrate them to the cloud).
Do I really need to worry about my email getting hacked? No one will guess my password.
So here is the deal: hackers don’t try to “guess” your password. (Ro)bot software does all the guessing, using lists of every dictionary in the world with all the misspellings and possible combinations. When they run this software against your system it is called a “Brute Force Attack”, and it can process millions of guesses per second, which is why many websites have password rules like “must be 8-12 characters and contain numbers” to make it harder for these programs to crack your password.
There are two main things that affect the strength of your password. First one is LENGTH, second is COMPLEXITY.
So if you have a short, simple password that can be found in a dictionary or a baby names book, these bots can “guess” it almost INSTANTLY!
Why longer passwords are better.
A password with 8 characters has 62^8 = 218,340,105,584,896 combinations when using a mixture of numbers (10) and letters (52). A password with 9 characters (62^9) has 13,537,086,546,263,552 combinations, which is almost double, with 13,318,746,440,678,656 more combinations just by adding one character to your password. So it might seem like only one small addition, but it makes an exponential difference.
However, don’t let these enormous numbers fool you. If your password lacks complexity it still can easily get hacked!
Don’t use PASSWORDS use a PASSPHRASE!
When I first started using passwords I used my childhood dog’s name, “georgia”. As the years passed and password requirements grew it became “Georgia1”, then “Georgia0ne”, and up to the day I published this article it was the PHRASE “GeorgiaOnemy1stPooch”.
GeorgiaOnemy1stPooch is long and complex, with lower case, upper case and a number. I could have added a special character, but a mixed case 20-character passphrase is pretty solid according to www.howsecureismypassword.net
Georgia will get hacked instantly
Georgia1 will take 2 days to crack
Georgia0ne will take 8 months to crack
GeorgiaOnemy1stPooch will take 558 QUADRILLION YEARS to crack
A password that takes 558 quadrillion years to hack is virtually un-hackable (with today’s technology).
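To make the arithmetic behind the combination counts above and the crack-time list concrete, here is a small strength estimator. It is an added example, not code from this article or from howsecureismypassword.net. It reproduces the page’s 62^8 and 62^9 counts, shows that the jump from 8 to 9 characters is a 62-fold multiplication of the keyspace, and charges a dictionary word only its position in a wordlist, which is why “georgia” falls instantly no matter what the keyspace says. The guess rate (one billion per second), the symbol-class size and the toy wordlist are assumptions, so the absolute times differ from the site’s figures; the ratios between the four examples are the point.

```python
import string

# Sizes of the character classes a brute-force tool has to cover. The article
# counts 10 digits and 52 letters; the symbol class is an added assumption
# (the 32 printable ASCII punctuation characters).
CHARSET_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),
}

# Constructed toy wordlist standing in for the dictionary and baby-name lists
# the article describes. Real cracking lists run to billions of entries.
TOY_WORDLIST = ["password", "123456", "georgia", "letmein", "qwerty"]


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search to cover every class present."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CHARSET_SIZES[c] for c in classes)


def keyspace(length: int, alphabet: int) -> int:
    """Number of strings of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def guesses_to_find(password: str, wordlist=TOY_WORDLIST) -> int:
    """Worst-case guesses an attacker needs.

    A dictionary hit costs only its position in the list, however large the
    keyspace looks; anything else is charged the full exhaustive search.
    """
    if password in wordlist:
        return wordlist.index(password) + 1
    return keyspace(len(password), charset_size(password))


def seconds_to_crack(password: str, guesses_per_second: int,
                     wordlist=TOY_WORDLIST) -> float:
    """Worst-case seconds at an assumed guess rate."""
    return guesses_to_find(password, wordlist) / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse label comparable to the article's 'instantly / days / years'."""
    if seconds < 1:
        return "instantly"
    minute, hour, day, year = 60, 3600, 86400, 365 * 86400
    if seconds < minute:
        return f"{seconds:.0f} seconds"
    if seconds < hour:
        return f"{seconds / minute:.0f} minutes"
    if seconds < day:
        return f"{seconds / hour:.0f} hours"
    if seconds < year:
        return f"{seconds / day:.0f} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    rate = 10**9  # assumed: one billion guesses per second (offline attack)
    for pw in ["georgia", "Georgia1", "Georgia0ne", "GeorgiaOnemy1stPooch"]:
        print(f"{pw:22} alphabet={charset_size(pw):3} "
              f"guesses={guesses_to_find(pw):.3e} -> "
              f"{human_time(seconds_to_crack(pw, rate))}")
    print("62^9 / 62^8 =", keyspace(9, 62) // keyspace(8, 62))
```

Running it prints the same 62-fold ratio for every extra character, regardless of length, which is the exponential effect the article describes; and because the estimator checks the wordlist first, a long password built from a dictionary word still scores as a handful of guesses, which is the complexity caveat in one line of code.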
Don’t use the same passwords for everything. Make your passwords passphrases that are long and complex. Change them often and protect your email passwords. Your life might depend on it.