Avoid Web-Based Email Password Theft
Part 1: Web-based email accounts are a target for password theft. Find out how it is done and what you can do to avoid spreading a worm.

Web-Based Email

Web-based email accounts are a convenient -- and free -- service. They offer email from everywhere for everybody. They have, however, an inherent security problem. It is not so much the risk of hackers who break into the service's servers, where your email messages are stored.

The risk stems rather from both the popularity of these services and the way free Web-based email accounts are protected. Web-based email services are popular: they attract not only millions of users but also a number of people who are, for whatever reason, interested in those millions' email messages.

How Web-Based Email Accounts are Protected

How do you log into your favorite free email service? What do you need in order to read the latest from your online love (which, supposedly, will be different from your real (?) love in a number of ways)?

You need nothing but your account name or number and your password to log in, which you do via a log-in screen. This log-in screen is already where the security problems begin.

Fake Log-In Screens

A page that mimics the look and behavior of the log-in screen of your Web-based email service can easily grab your password. You would usually type in your user name and password here, wouldn't you?

Fortunately, such pages, while relatively easy to develop, are relatively hard to get in place. If you go to your Web-based email's home page to log in -- to http://www.hotmail.com/ for example -- the URL in your browser's address bar translates to an IP address, a combination of numbers unique on the whole Internet for exactly the page you are opening.

To replace the "real" service provider's home page with a fake log-in screen, you would have to change the IP address the URL stands for. This is not all that simple and only temporarily possible.

While fake log-in screens would be a near-perfect way to acquire a lot of user names and accompanying passwords, they are not easy to set up. If you log in to your Web-based email service at its home page, there is little risk of giving your password into a third party's hands.
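
The advice above, logging in only at the service's own address, can be checked mechanically. The following is an added example, not part of the original article: it assumes the provider's domain is hotmail.com (taken from the article's example URL), and the function name and every sample address are constructed for illustration.

```javascript
// Added example: decide whether a URL really belongs to the mail provider
// before a password is typed into the page it serves.
// PROVIDER_DOMAIN comes from the article's Hotmail example; the function
// name and all sample URLs below are constructed for illustration.
const PROVIDER_DOMAIN = 'hotmail.com';

function checkLoginUrl(candidate, providerDomain = PROVIDER_DOMAIN) {
  let url;
  try {
    url = new URL(candidate); // same parsing rules browsers apply
  } catch (err) {
    return 'reject: not a URL';
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return 'reject: not a web address';
  }
  // In "http://www.hotmail.com@198.51.100.7/" the trusted name is only the
  // user-info part; the host actually contacted is what follows the "@".
  if (url.username !== '' || url.password !== '') {
    return 'reject: user-info before host';
  }
  // The parser lowercases the host; drop a trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, '');
  // Compare whole DNS labels from the right, so a host that merely starts
  // with, or contains, the provider's name does not pass.
  if (host === providerDomain || host.endsWith('.' + providerDomain)) {
    return 'ok: ' + host;
  }
  return 'reject: host is ' + host;
}

// Constructed samples (reserved example domains and documentation addresses).
const samples = [
  'http://www.hotmail.com/',
  'HTTP://WWW.HOTMAIL.COM./login',
  'http://www.hotmail.com@198.51.100.7/',
  'http://www.hotmail.com.login.example/',
  'http://198.51.100.7/',
];
for (const s of samples) {
  console.log(s.padEnd(42), checkLoginUrl(s));
}
```

Only the first two samples are accepted; the others show the provider's name in a position that does not decide which server the browser contacts.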


©2013 About.com. All rights reserved.