Security can be a scary issue for small business owners.
With the news full of stories about email accounts being hacked, like the recent coverage of thousands of Yahoo accounts getting hacked (including some from Gmail), you may wonder whether your own accounts are safe.
Small businesses are especially vulnerable to hacking because they usually can’t pay for in-house security monitoring, and they often rely on email to negotiate important business deals. A compromised account can therefore mean real financial loss.
While there are no guarantees, there are some steps you can take in Gmail to protect your information. In this tutorial, I explore basic security best practices that anyone can use on any account to make it more secure. I’ll also provide step-by-step details to show you how to increase your security in Gmail.
Basic Email Password and Online Security Steps
Some of the best methods to protect your Gmail information also apply to other areas of your online presence. Following these methods reduces your chances of being hacked no matter which application you use.
In this section I'll cover some of the most important basic security best practices that also apply to email. Those practices include:
- Picking a strong password
- Storing your passwords securely
- Changing your password
- Using authentication
- Keeping your browser updated
Disclaimer: I am not an information security expert. This post is based on a compilation of recommended best practices and my own experiences as a Gmail user.
Let's take a look at each best practice separately.
1. How to Pick a Strong Gmail Password
Many small business owners struggle with choosing a password. You want a password that you will remember but that a hacker won't be able to figure out.
Step 1. Avoid Obvious Passwords for Gmail
The trouble is, some of the easiest passwords to remember are also some of the least secure. Avoid passwords built from:
- Your partner's name
- Your child's name
- Your pet's name
- Your address
While these types of passwords are easy to remember, the information is also fairly simple for a hacker to find out. In some cases, such as your address information, it may even be public record. If a hacker manages to get into your social media account, they can probably also learn the names of those close to you.
Passwords that others commonly use are also bad choices; they are among the first a hacker tries when attempting to get into an account. SplashData, a password-management company, publishes a yearly list of the worst passwords in use. Their latest list includes commonly used passwords such as:
Some of these are the default passwords that many systems ship with. If you recognize your password on one of their lists, change it immediately.
Step 2. Choose a Longer, Random Email Password
The best passwords are random and drawn from a large set of characters. A password that mixes upper and lowercase letters, numbers, and symbols is harder to guess or brute-force than a password of all letters or all numbers, because every additional character type enlarges the pool an attacker has to search.
Length matters even more: each extra character multiplies the number of guesses an attacker must try. Eight characters is a bare minimum; many experts recommend twelve or more, and a randomly chosen password of that length is out of reach of brute-force guessing.
Avoid stand-alone online password generators since the site may be trying to harvest passwords. A password generator included in a reputable security tool is probably safe though.
Once you find a good password, you may be tempted to use it for all your accounts. Don't do it. If your password becomes compromised, the hacker potentially has access to your entire online presence: attackers routinely take credentials leaked from one site and try them on every other popular service, so a single breach turns into many.
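The advice in this step can be put into code. The following Python script is an added example and is not part of the original tutorial: it generates a password from the operating system's secure random source (the same approach a reputable password manager's built-in generator takes), works out how large a search space an attacker would have to cover, and flags passwords that are too short, use too few character classes, or appear on a small constructed sample of commonly used passwords standing in for SplashData's list. The guessing rate of ten billion attempts per second is an assumed figure for illustration, and the entropy figures only hold for passwords that really are chosen at random.

```python
import math
import secrets
import string

# Constructed sample in the style of SplashData's yearly "worst passwords"
# list; it is a stand-in, not the published list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "football", "iloveyou", "admin", "welcome", "monkey",
}

# Upper, lower, digits and punctuation: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 365 * 24 * 3600


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, other) appear."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def generate_password(length: int = 16) -> str:
    """Draw characters from the OS CSPRNG (secrets, not random) and retry
    until all four classes are present so the result passes check_password."""
    if length < 8:
        raise ValueError("passwords shorter than 8 characters are too weak")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if character_classes(candidate) == 4:
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search-space size, in bits, of a password chosen uniformly at random.
    Only valid for random passwords; human-chosen ones have far less."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every password in the space at an assumed offline
    cracking rate (1e10/s is an illustrative figure, not a measurement)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def check_password(password: str) -> list:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on a list of commonly used passwords")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    # Length beats complexity: 16 lowercase letters outscore 8 mixed characters.
    for label, length, size in (("8 chars, all 94 symbols", 8, 94),
                                ("16 chars, lowercase only", 16, 26)):
        bits = entropy_bits(length, size)
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.1e} years")
    print("generated:", generate_password())
    for pw in ("password", "Summer2016", generate_password(20)):
        print(pw, "->", check_password(pw) or "ok")
```

The two printed entropy lines are the point of the example: the 16-character lowercase password needs far more guesses than the 8-character one drawn from all 94 symbols, which is why the length advice above matters more than the symbol mix.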
Some of the characteristics that make your password hard to guess, also make it harder to remember. That's why it's important to come up with a secure way to store your passwords.
2. How to Store Your Gmail Passwords Securely
Having a secure Gmail password is no good if hackers can easily find it. Whenever possible, avoid:
- Using Your Email Password on a Public PC. If you must sign in from a shared device, use a private browsing window, sign out when you are done, and clear the browser's history and cookies afterwards. Consider changing your password once you are back on a device you trust.
- Keeping Your Password on Your Person. Writing your passwords on a slip of paper and keeping it in your wallet can be a problem if your wallet is lost or stolen.
- Storing Your Password in an Unprotected Document. It's common for users to create Word or Excel password lists. This is not a secure practice. The trouble is, anyone who accesses your machine can open these documents.
Using a reliable password manager is a safer option for keeping track of all those passwords. A password manager encrypts the stored passwords under a single master password, so only that one password has to be remembered. Here are tutorials on two popular password manager utilities:
- Using 1Password to Keep Passwords Secure on iOS (Harry Guinness)
- The Tuts+ Guide to KeePass (Mladen Jevtić)
3. How Often Should You Change Your Gmail Password?
The topic of how often to change your password is controversial. Many security-minded businesses and some applications require regular password changes.
While the motivation behind regular password changes is good, some studies have shown that they are less than effective. That's because the majority of users don't create totally new passwords when they change their password. Instead, they simply change their current password by adding or changing a character. This article from Lorrie Cranor writing for the Federal Trade Commission goes into depth about the problems with frequent password changes.
Experts suggest that choosing a strong, unique password to begin with is a better security tactic than frequent scheduled changes. Do change your password promptly, though, whenever you have reason to believe it has been exposed, for example after a breach notification or after using it on an untrusted device.
4. How to Use Authentication
In an attempt to increase user security many applications have gone beyond passwords to authenticate the user. Here are some common methods that applications use to verify the user's identity:
- Security Questions - Security questions are probably one of oldest forms of user authentication. They are often used for password recovery. The inherent problem with security questions is that they often ask for information that could be readily available through social media such as your pet's name or the name of your high school.
- Phone Codes - A newer authentication technique is to require the user to enter a randomly generated code that is sent to their phone when they log in. The code is different each time. The drawback, of course, is that the user must keep their phone with them to access their account, which some users find inconvenient. Codes delivered by text message can also be intercepted by an attacker who takes over your phone number, so an authenticator app that generates the codes on the device itself is the stronger choice.
- Hardware - This involves a physical device that must be plugged into your computer to allow for authentication. YubiKey for LastPass is a good example of a usb device that adds an extra login access step.
- Biometrics - Biometric identification replaces passwords with unique physical characteristics such as fingerprint scans, retinal scans, and voice recognition. While this form of identification is newer, its use is becoming increasingly common. Consider the iPhone's Touch ID feature. Some experts believe biometric identification will replace passwords in the near future.
A common term that you might hear is two-factor authentication. This means that the user must enter a password and provide some other type of identification to access their account.
Gmail allows you to turn on two-factor authentication to add an extra layer of security to your account. Google calls it 2-Step Verification. The form this tutorial sets up is a phone code; Google also supports authenticator apps and hardware security keys as the second factor. We'll provide more information on how to do that later in this tutorial.
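To show why a second-factor code is "different each time", here is the algorithm authenticator apps use, written out as an added example that is not part of the original tutorial: TOTP (RFC 6238) built on HOTP (RFC 4226). The phone and the server share a secret; each derives the current code from that secret and the clock, so a code captured once is useless a minute later. The secret below is the test secret published in those RFCs, so the results can be checked against the published vectors; the 30-second step, six digits and a one-step tolerance window are the conventional defaults, not Google-specific values. (Google's text-message codes are generated on the server rather than by this algorithm; this shows the authenticator-app variant.)

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length used by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the clock, so the
    code changes every `step` seconds."""
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: float,
                step: int = STEP_SECONDS, digits: int = DIGITS,
                window: int = 1) -> bool:
    """Server-side check. Codes from `window` steps either side of the
    current one are accepted to tolerate clock skew and typing delay, and
    the comparison is constant-time so response timing cannot leak which
    digits matched."""
    current = int(at_time // step)
    for counter in range(current - window, current + window + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def new_shared_secret(nbytes: int = 20) -> str:
    """Generate a fresh secret from the OS CSPRNG, encoded the way
    enrollment QR codes carry it (base32, padding stripped)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


if __name__ == "__main__":
    # Test secret from RFC 4226 / RFC 6238, so the output can be checked
    # against the vectors in those documents.
    rfc_secret = b"12345678901234567890"
    print("HOTP, counter 0:", hotp(rfc_secret, 0))   # 755224 per RFC 4226
    print("TOTP at t=59s:  ", totp(rfc_secret, 59))  # 287082 per RFC 6238
    now = time.time()
    code = totp(rfc_secret, now)
    print("code right now: ", code, "-> valid:", verify_totp(rfc_secret, code, now))
    print("same code 5 minutes later -> valid:",
          verify_totp(rfc_secret, code, now + 300))
    print("fresh enrollment secret:", new_shared_secret())
```

The last two printed lines are the property the tutorial relies on: the code that is valid now is rejected a few minutes later, which is what makes a phone code safer than a password that stays the same until you change it.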
5. Why Browser Updates Are Important
You may think of browser and software updates in terms of added features, and you'd be partially right. But many updates also patch security vulnerabilities, and those are exactly the holes that malware and attackers exploit once the flaw becomes public.
That's why you should install updates as soon as they become available. Always make sure that you download your updates from a reputable source—usually the maker of your software or browser.
Now that we've increased your awareness of general security best practices, it's time to move on to Gmail specific security practices.
Gmail Security Best Practices
There are some specific steps you can take in Gmail to make your account more secure. In this section I'll provide step-by-step instructions on:
- How to Change Your Gmail Password
- How to Check Your Security Settings
- How to Set Up 2-Step Verification
- How to Set Up Recovery Options for a Lost Password
Note: All Google tools share one Google Account. Changing your Gmail password or security settings therefore changes the password and settings for every other Google service you use, including Google+.
Let's get started. We'll discuss each step separately.
1. How to Change Your Gmail Password
Start from the main Gmail inbox screen:
Click the arrow next to the Settings icon on the upper right corner to display the drop-down menu:
Click the Settings option to display the Settings screen:
From the menu across the top of the screen, select the Accounts and Import option. You will notice that the options on the Settings screen change:
Under the Change account settings category, select the Change password option. You'll be prompted to re-enter your existing password:
Type in your current password. Click the Sign in button. The Change Password screen appears:
Type a new password in the New password field. Pay particular attention to the password strength shown. Type the new password again in the Confirm new password field; the two entries must be identical. Click the Change Password button when you are done. You'll receive a brief prompt that your password was changed, and the Sign-in & security screen displays, where you can make other security changes:
2. How to Check Your Security Settings
If you've just changed your password, you are already at the Sign-in & security screen. Go to step 3 below.
If you are not at the Sign-in & security screen, click on your photo in the upper right of the main Gmail interface. A pop-up displays showing your Google account information:
Click the My Account button. The My Account screen appears:
Click the Sign-in & security option. The Sign-in & security screen displays:
This is the screen you use to check your current security settings. Use the scroll bar on the right of the screen to move down through your settings.
You will notice there are three categories covered on this screen:
- Signing in to Google
- Device activity & notification
- Connected apps and sites
Your current status in each of these areas displays on the screen. Review the status of each field in each category carefully.
Make changes to your security settings from this screen by clicking the arrow to the right of each field. You may be prompted to enter your password before you can make the change.
Now let's take a closer look at one of the fields: 2-Step Verification
3. How to Set Up 2-Step Verification
It's good to turn on 2-Step Verification if you haven't already done it. It adds an extra layer of protection to your log in process. In this case, the extra layer is a phone code.
Each time you log in to a Google account you will receive a unique code by phone. You will need to enter that code before you can access your account. Because you will be locked out without access to that phone, keep the account recovery options described later in this tutorial up to date. Let's get started.
Start at the Sign-in & security screen.
Scroll down to find the 2-Step Verification field under Password & Sign-in Method.
Click the arrow to the right of the 2-Step Verification field. The informative 2-Step Verification screen displays with some information about the importance of 2-step verification:
Click the Get Started button. You will be prompted to enter your password. After you type your password, the 2-Step Verification window appears with two questions:
Answer the questions: type the phone number where you want to receive verification codes, and select whether you want to get the codes by text message or phone call.
When you have answered the questions, click the Try It button. Google immediately sends a code to your phone. You are prompted to enter the code into the screen to continue:
Type the code you received. Click Next in the lower right corner of the window.
If you successfully entered the code, you are prompted to turn on 2-step verification. Click Turn On in the lower right corner your screen to turn it on. You are prompted to enter your password again. Type your password and click Sign in.
Another screen displays asking you to verify your decision to turn 2-step verification on:
Click the Turn On button in the upper right of the screen. 2-step verification is turned on, and the Sign-in & security screen is updated to reflect that it is on.
4. How to Set Up Recovery Options for a Lost Password
You can change your settings so that there are two ways to recover a lost password. I'll go over both methods. Keep in mind that anyone who controls your recovery email or recovery phone can use it to reset your password, so those need to be kept current and secured as carefully as the account itself.
Start from the Sign-in & security screen:
Use the scroll bar on the right side of the screen to scroll down to the Account recovery options.
There are two account recovery options, a recovery email and a recovery phone, and you can set up both from this screen. Let's start by setting up a recovery email.
Click the arrow to the right of the Recovery email field. You are prompted to enter your password. Type your password and click Sign in.
Since we set up 2-step verification earlier, the system sends you a verification code. Enter the verification code you were sent and click Done.
You are prompted to enter your recovery email:
Type your recovery email address. Click the Done button in the lower right of the prompt.
Your recovery email is set. The system returns to the Sign-in & security screen.
Now it is time to set up your recovery phone. Scroll down to the Account recovery options.
Click the arrow on the right of the Recovery phone field.
You are prompted to enter your password. Type it in and click Sign In.
You are prompted to enter your recovery phone:
Click Add recovery phone. If you have entered a phone number in your account in the past, you can select it from the next prompt. Or, type in a new phone number on the following screen:
If you are entering a new phone number, click Verify when you are done. Follow the prompts to verify your new number.
Your recovery phone is set. The system returns to the Sign-in & security screen.
While there are no guarantees, there are steps you can take to reduce the likelihood of your Gmail account getting hacked.
- Understand and follow web security best practices.
- Understand and use Gmail specific security measures.
Above all, remember that computer security measures change often. Don’t forget to keep your Gmail account’s security up to date.