Ask Leo: Is Changing My Password Enough?


By Leo Notenboom

I regularly hear from people who’ve had their email or other online account
compromised, who somehow are able to recover access to it and change their
password, only to have the account stolen almost immediately again.

The problem is actually quite simple, though the solution is a bit of

First, you have to realize that while someone else has access to your account
they have access to everything related to that account.

Second, you have to realize that because of that, changing your password
just isn’t enough

You authenticate with most online systems by providing a user name and a
password. Your username might well be publicly visible, but your password
should be known only to you.

Most systems also provide a mechanism whereby you can recover or reset your
password should you forget it. They use a variety of means, but they all boil
down to the same thing: they use one or more additional pieces of information
to validate that you are who you say you are, and then reset or reissue your

“It’s those ‘additional pieces of information’ that
present the greatest risk once your account has been compromised.”

It’s those “additional pieces of information” that present the greatest risk
once your account has been compromised.

Let’s look at some examples of what I mean, why they’re a risk, and what you
should do about each in addition to changing your password.


[This post is excerpted with Leo’s permission from his Ask Leo blog.]

Leo Notenboom has been involved in the tech industry for nearly 30 years. After retiring from an 18 year career as a Microsoft Software Engineer Leo went on to create Ask Leo!, a free web site where he answers real questions from ordinary computer users.

FaceBook URL: Leo’s Facebook

Twitter URL:

 878 total views,  1 views today

(Visited 1 times, 1 visits today)

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.