Thursday, April 21, 2011

Google Account security best practices

A family member recently had some questions about how to keep their Google account secure, and I wrote up a bunch of recommendations for how to stay safe. I realized after I sent the e-mail that this was probably good stuff to share with people who might not know about all of the options when it comes to protecting their account. Hope some of you find this helpful!

1. Pick a strong password for your Google Account (in many cases, your Gmail address). Strong means: not something you use anywhere else, a combination of letters and numbers, and ideally at least one symbol. (Here are some tips on picking a good password if you need some ideas.)

2. Make sure your Google Account recovery options are set - visit the account recovery options page and make sure you have a backup e-mail address, and that your mobile number is listed on your account. Should you ever lose access to your account, these will be instrumental in restoring access.

3. Set up two step verification on your Google Account. Details are here, and you can set it up by starting at this link. What this does is block anyone else from logging into your account - even if they have your username and password. It requires you to have access to a physical device - your iPhone, Android or Blackberry phone - to prove that you are really you. This may seem like overkill, but it's a key step to ensuring that your account is secure. Committed attackers have ways to discover your password; even if they get it, they won't be able to do anything with it unless they also have your phone. Go through the process of installing the app on your phone (this page has the download link and instructions for setting it up); once done, here's how it will work:

  • The first time after you enable this, Google will ask you to log in. You'll provide your username and password, then Google will ask you for your "verification code". Launch the Google Authenticator app on your phone, and then type the six-digit code from the phone into the verification code box in your browser.
  • If this is your own computer, check the box "remember verification for this computer for 30 days" before clicking verify; you won't need to provide the verification again for a month. (If it's a shared computer, don't check this!)
  • You'll see this prompt any time you log in from another computer (e.g., your laptop, your work computer, the iPad, etc.). It's a bit more cumbersome (just a bit), but the advantage is that your account is far more secure than with just a username/password. It's worth it.

4. IMPORTANT: once you've set two step verification up, you may need to change the password for your phone and/or other apps that communicate with Google's servers. (For instance, I had to do this for iMovie this morning when uploading a video to YouTube.) Because these apps don't know how to ask for the verification code (they only know username/password), Google has a back-up: an "application specific password" - you set these up here (see the bottom of the page: "application specific passwords"). Type in a name - say, Nexus S - and then click "generate password". You'll get an auto-generated string of characters, which you then type into your phone's or application's password field for your account.

5. Check to see what applications/services you've authorized to have access to your Google Account. Go here and see what websites/applications are listed - these are services that you previously granted access to your Google Account. If there are any you no longer use, or sites you didn't intend to authorize, click revoke. (I'll come back to this later - as you centralize your e-mail, address book, calendar, etc. on your Google Account, authorizing other services to access this info can be very powerful, but you will want to use discretion in deciding which services get access to this data. It probably goes without saying: only grant access to trustworthy sites that you have absolute faith will not compromise the integrity of your data.)

6. Phone: if you don't already have a passcode on your phone, turn it on so that someone getting possession of your phone can't use it without knowing your passcode. (Otherwise anyone getting the phone can read your mail, receive "forgotten password" e-mails that would help them reset passwords on your account(s), etc.)

If you do those things, you'll have dramatically increased the security of your information online, and prevented any ongoing security problems. Now here are some best practices to keep in mind:

1. Try and use your Google Account when you log in to other services. When prompted to create a new account, look for a "login with Google" option. This will allow you to use your Google identity on those sites - not only is this simpler for you (one less username/password to remember!), it's also more useful (the service can access your contacts/information, helping you avoid having to manually enter more info) and it's more secure (when you're through with the site, you simply revoke its access to your info).

2. NEVER manually type your Google account information (username/password) into a webpage that is not owned/provided by Google. If you do this, you have no guarantee that the middle-man you've just shared your credentials with will protect that info. (This is why, by the way, Google's 2 step verification is so useful - even if you did this, your info would be useless without the phone verification code. So long as you retain control of that, you're safe!) Whenever you're asked to log in with Google, the right way to do this is for them to send you to Google (look in your browser's address bar: the URL should be Google's), where you are asked to log in if you're not already logged in, and then asked whether you want to grant access to the referring app. Say OK, and you'll be returned to the app, which is now approved by Google.

3. Keep an eye on Gmail's "last account activity" feature if you're concerned that someone else may be accessing your account. Towards the bottom of the page in Gmail you'll see something that says "last account activity". Click "Details" to see a report of where your account is being accessed from; you can sign out all other sessions from that page, as well as review the actual location/IP address of any other computers accessing your account. (Gmail keeps an eye on this as well, and may contact you if suspicious activity is detected.)

4. Don't e-mail sensitive files as attachments. Upload the files you want to share to Google Docs, and use Docs to control access to the files. Ideally you will share the file with a Google Account user. This is the most secure, and is helpful in the event you ever want to stop sharing with that user - you simply remove them from the list of people who can view the file. If that's not an option - the user doesn't have a Google Account, for instance - you can set the document's visibility to 'anyone with the link'. This has some risks - the person you share with can share the link with someone else - but you retain control of the document, which means you can delete it, or update the security settings to require login to view... either of which is much more secure than files you e-mail as attachments, which you lose control of the minute you hit 'send'. And whatever you do, be smart about who you e-mail those files (links or otherwise) to in the first place.

5. Don't send passwords in e-mail. While Gmail uses https to encrypt all traffic between your browser and the Gmail server, there's no guarantee that the recipients of your e-mails containing passwords are similarly secure.

If you've hit this point and you're wondering whether there's even more you could read (!), swing by the 2010 and 2009 tips and tricks that Google compiled for National Cyber Security Awareness Month, and this page has some additional tips for keeping your info secure.

Any other tips for keeping your account secure?


  1. Wow. You're like a Google Security God. I know I get bonus points for being lazy...truth is, it's definitely more work to be diligent with our accounts...but I'd rather die than be hacked. I'm passing it along to my peeps. Thanks, rock.

  2. excellent article!!

  3. As a matter of fact -- let people remember an upper/lowercase password, 6 chars minimum, with numbers and special chars in it, and for each application you use, add that behind it:


    Something like that.

  4. "Application specific passwords" unfortunately still provide full access to all google applications with that password - once someone has one of your app-specific passwords, they can access all your data anyway.

    When's google going to have a solution against that? Why should my jabber client be able to view my Gmail? Why should my google reader aggregator client be able to view my calendar?

  5. Best practice #2, "NEVER manually type your Google account information (username/password) into a webpage that is not owned/provided by Google," also applies to 3rd party developed Android/iPhone apps.

  6. Google could provide users the possibility to generate one-time passwords with Authenticator. This would be useful for people that access their Google account from a public PC! Why do we have to use our REAL password, even in combination with the verification code??

  7. I've always liked the "pick a song" approach for generating tough passwords. You start by picking a song that you know the words to, and then use the first letter of each word of the lyric to build your base password.

    For example: Suppose I love the song "Strawberry Fields Forever" by the Beatles. My first password would be: lmtydcigt ("Let me take you down, Cause I'm Goin To..."). It's super easy to remember, since you just "sing" the phrase in your head as you type, yet it seems very random to outsiders.

    If you want to be super secure, set up a monthly calendar reminder to change it. Changing is easy, just move to the next verse in the song.

  8. Great advice! I use most of your suggestions. It always pays to be on your guard. Any suggestions for Facebook? Have a friend who always gets her account hacked!

  9. Didn't have a clue tighter security for Gmail existed, but I've just spent 10 mins setting this up. Always thought un/pw was vulnerable. Thank you!

  10. The problem with using Google to log in to different services is that you create a single point of failure. Therefore if a cracker gets your Google credentials he can compromise other accounts/services.

  11. Thanks everyone for the feedback - glad to hear this was helpful!

    @Adam - the whole point of the two step verification is to eliminate the risk of a single point of failure. Without the second step (in this case, your mobile phone, which itself should be secured), even your username and password would be useless to anyone else.