Email is often a central link to most of our online lives.
When we forget a password, we can reset it by email. We keep records of transactions there — often full of links to our other accounts. We have contact lists and personal information.
All of this could be valuable if a hacker figured out the password. A research team at the University of Illinois at Chicago wants to demonstrate just how valuable.
They’ve built a free tool called Cloudsweeper, which can search your Gmail account for links to other accounts and find any instances where you’ve been emailed your password in plain text.
If you have the bad habit of using the same password in multiple places — and one of them happens to have emailed you that password in the body of an email at some point — a hacker could use it to gain access to any of those accounts.
I tried the scan. It found 149 possible passwords in 704 messages. Many of them weren’t things I recognized as passwords (it will block out all but the first and last characters), but a few were. Enough to scare me a bit.
I used the tool to encrypt those passwords, which took a while but means they would be unintelligible to hackers without a special gibberish password, which the site creates so I can unlock them. In the example they give, a password that would normally show in an email would instead display as something like “[wImYDaM5DBJZqgLrSYekjQ== ZmwDVbzid7+7LQ6R3uDj+xPnDt1nuxEFDJTxhKPh5T0=]”. (The code to reveal it is a similar mess.) There is also an option to permanently delete the passwords, but I figured I might need one of them eventually.
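The scan-and-mask step described above, as an added example that is not Cloudsweeper's own code: it looks for "password is" / "password:" cues in a constructed sample mailbox, masks everything but the first and last character the way the report does, and flags a password that arrived in plain text from more than one service (the reuse problem the tool is built to expose). It only masks in place; the key-based encryption the site offers is not reproduced here.

```python
import re

# Constructed sample mailbox (not real messages); one password is reused across two services.
SAMPLE_MAILBOX = [
    "From: support@shop.example\nSubject: Welcome\n\nYour password is: hunter2secret\nThanks!",
    "From: forum@example.org\nSubject: Account details\n\nUsername: alice\nPassword: Tr0ub4dor&3\n",
    "From: friend@example.net\nSubject: lunch\n\nForgot my password again, see you at noon.",
    "From: news@club.example\nSubject: Your login\n\nlogin: bob\npassword: hunter2secret\n",
]

# "password is xxx", "password: xxx", "Password is: 'xxx'"; the secret is the next non-space run.
DISCLOSURE = re.compile(r"(?i)\bpassword\s*(?:is|:)\s*[:\"']?\s*(\S{4,})")
SENDER = re.compile(r"^From:\s*\S+@([\w.-]+)", re.M)

def mask(secret):
    """Block out everything but the first and last character, as the report does."""
    return secret[0] + "*" * (len(secret) - 2) + secret[-1] if len(secret) > 2 else "*" * len(secret)

def find_passwords(body):
    """Return (start, end, secret) for each plain-text password cue in one message."""
    hits = []
    for m in DISCLOSURE.finditer(body):
        secret = m.group(1).rstrip(".,;")          # drop sentence punctuation glued to the secret
        hits.append((m.start(1), m.start(1) + len(secret), secret))
    return hits

def redact(body):
    """Copy of the message with every detected password replaced by its masked form."""
    out = body
    for start, end, secret in reversed(find_passwords(body)):  # right-to-left keeps offsets valid
        out = out[:start] + mask(secret) + out[end:]
    return out

def scan_mailbox(messages):
    """One finding per disclosed password: the sending service's domain and the masked value."""
    findings = []
    for body in messages:
        sender = SENDER.search(body)
        domain = sender.group(1) if sender else "unknown"
        for _, _, secret in find_passwords(body):
            findings.append({"domain": domain, "masked": mask(secret), "_secret": secret})
    return findings

def reuse_report(findings):
    """Masked passwords that were emailed in plain text by more than one service."""
    by_secret = {}
    for f in findings:
        by_secret.setdefault(f["_secret"], set()).add(f["domain"])
    return {mask(s): sorted(d) for s, d in by_secret.items() if len(d) > 1}
```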
Cloudsweeper also tells me my email would be worth $28.30 on the hacker black market, and breaks down that value. Because my email is linked to my Amazon account, for instance, that’s worth $15. Apple is worth $8, and Facebook is worth $5. The researchers base the values on actual “recent underground prices” they found.
The researchers recommend that users change any passwords they’ve reused, especially at insecure sites that email them to you in plain text on request. They also recommend using two-factor authentication, which would require a hacker to have both your phone and your email password to get in. You can enable that for your Google account here.