1. Pick a strong password for your Google Account (in many cases, your Gmail address). Strong = not something you use everywhere else, a combination of letters and numbers, and at least one symbol in there is ideal. (Here are some tips on picking a good password if you need some ideas.)
2. Make sure your Google Account recovery options are set - visit the account recovery options page and make sure you have a backup e-mail address, and that your mobile number is listed on your account. Should you ever lose access to your account, these will be instrumental in restoring access.
3. Set up Two Step Authentication on your Google Account. Details are here, you can set it up by starting at this link. What this does is block anyone else from logging into your account - even if they have your username and password. This requires you to have access to a physical device - your iPhone, Android or Blackberry phone - to ensure that you are really you. This may seem like overkill - but it's a key step to ensuring that your account is secure. There are ways committed hackers can discover your password - even if they get it they won't be able to do anything with it unless they also have your phone. Go through the process of installing the app on your phone (this page has the download link and instructions for setting it up); once done, here's how it will work:
- the first time after you enable this, Google will ask you to log in. You'll provide your username and password, then Google will ask you for your "verification code". Launch the Google Authenticator app on your phone, and then type in the six-digit code from the phone into the verification code box in your browser.
- if this is your computer, check the box "remember verification for this computer for 30 days" before clicking verify... you won't need to provide the verification for a month. (If it's a shared computer, don't check this!)
- You'll see this anytime you try logging in from another computer (i.e., your laptop, your work computer, the iPad, etc.) - it's a bit more cumbersome (just a bit), but the advantage is that your account is far more secure than just a username/password. It's worth it.
5. Check to see what applications/services you've authorized to have access to your Google Account. Go here and see what websites/applications are listed - these are services who you previously granted access to your Google Account. If there are any there you no longer use, or sites you didn't intend to authorize, click revoke. (I'll come back to this later - as you centralize your e-mail, address book, calendar, etc. on your Google Account, authorizing other services to access this info can be very powerful - but you will want to use discretion in deciding which services get access to this data. It probably goes without saying - only grant access to trustworthy sites who you have absolute faith will not compromise the integrity of your data.)
6. Phone: if you don't already have a passcode on your phone, turn it on so that someone getting possession of your phone can't use it without knowing your passcode. (Otherwise anyone getting the phone can read your mail, receive "forgotten password" e-mails that would help them reset passwords on your account(s), etc.)
If you do those things, you'll have dramatically increased the security of your information online, and prevented any ongoing security problems. Now here are some best practices to keep in mind:
1. Try and use your Google Account when you log in to other services. When prompted to create a new account, look for a "login with Google" option. This will allow you to use your Google identity on those sites - not only is this simpler for you (one less username/password to remember!), it's also more useful (the service can access your contacts/information, helping you avoid having to manually enter more info) and it's more secure (when you're through with the site, you simply revoke its access to your info).
2. NEVER manually type your Google account information (username/password) into a webpage that is not owned/provided by Google. If you do this, you have no guarantee that the middle-man you've just shared your credentials with will protect that info. (This is why, by the way, Google's 2 step authentication is so useful - even if you did this, your info would be useless without the phone verification code. So long as you retain control of that, you're safe!) Whenever you're asked to login w/Google, the right way to do this is for them to send you to Google (look in your browser's address bar: is the URL google.com?), where you are asked to login if you're not already logged in, then you are asked whether you want to grant access to the referring app. Say OK, and you'll be returned to the app, which is now approved by Google.
3. Keep an eye on Gmail's "last account activity" feature if you're concerned that someone else may be accessing your account. Towards the bottom of the page in Gmail you'll see something that says "last account activity". Click "Details" to see a report of where your account is being accessed from; you can sign out all other sessions from that page, as well as review the actual location/IP address of any other computers accessing your account. (Gmail keeps an eye on this as well, and may contact you if suspicious activity is detected.)
4. Don't e-mail sensitive files as attachments. Upload the files you want to share to Google Docs, and use Docs to control access to the files. Ideally you will share the file with a Google Account user. This is the most secure, and is helpful in the event you ever want to stop sharing with that user - you simply remove them from the list of people who can view the file. If that's not an option - the user doesn't have a Google Account, for instance - you can set the document's visibility to 'anyone with the link'. This has some risks - the person you share with can share the link with someone else - but you retain control of the document, which means you can delete it, or update the security settings to require login to view... either of which is much more secure than files you e-mail as attachments, which you lose control of the minute you hit 'send'. And whatever you do, be smart about who you e-mail those files (links or otherwise) to in the first place.
5. Don't send passwords in e-mail. While Gmail uses https to encrypt all traffic between your browser and the Gmail server, there's no guarantee that the recipients of your e-mails containing passwords are similarly secure.
If you've hit this point and you're wondering whether there's even more you could read (!), swing by the 2010 and 2009 tips and tricks that Google compiled for National Cyber Security Awareness Month, and this page has some additional tips for keeping your info secure.
Any other tips for keeping your account secure?