Keeping gmail accounts (and life) secure
December 22, 2023 5:01 AM
One of my gmail accounts is basically the key to my entire life. If I were to lose access for any reason, or if it were to be taken over by someone else, it would be a disaster. What should I do to keep it (and my life generally) more secure?
One of my gmail addresses is where emailed 2-factor authorisations go, where all my correspondence for my freelance work is conducted, it's my main account recovery address, the email address used for banking, my Apple ID, it's registered on apps everywhere, it's where my Google Maps pins are saved, etc etc. Basically everything important is linked to this account in some way, whether directly or indirectly.
Recently I lost access to my Instagram account for no reason that I can tell (apparently it violated some code of conduct which is weird since I hadn't logged in for months so perhaps it was hacked or something). This wasn't much of a hardship but it did make me realise that if something similar were to happen to my gmail account, it would be disastrous.
Questions:
- What are current best practices to keep an account secure and prevent it from being suspended for any reason? (besides the obvious, like 2-factor authorisation, strong unique passwords, not logging in on insecure devices or networks)
- What are the ways I should reduce reliance on a specific email account? (eg: 'use a separate email address for each bank', 'use so-and-so process for account recovery', etc)
- I have other accounts that I use for web purchases/subscriptions/registrations: any best practices on how these should be firewalled to prevent financial mishaps would also be welcome
- Any other issues I should consider?
Factors to bear in mind:
- I know the issues with Google, gmail and free products in general, there is no need to retread them. I will factor them in myself
- I am willing to pay for good solutions, within reason
- I would prefer to avoid voice or text solutions that need a functioning phone number as I travel a lot and don't use roaming. I can receive text messages, but it can often be a hassle, involving swapping SIM cards, waiting to catch a roaming network, etc. My phone provider does not allow checking SMS online and Google Voice is not an option as I am not in the US.
- Personally, I would like to balance convenience and security, meaning if something is super inconvenient and makes only an incremental difference in security then I probably won't use it.
Aside from doing what you can to stop your account getting suspended or taken over, here are 3 things worth doing to make sure that if that happens, you're affected less:
1 - Make sure you've got emergency codes stored offline for any accounts that use your Gmail for 2FA
2 - Use Google's "download your data" facility to take a backup of everything every x months (I do this once a year but I know people who take a fresh back up every month)
3 - Set up a new Gmail account, then set up an autoforward on your original account to send a copy of all your mail to the new account. Use Apple Mail, Thunderbird or another free mail client to download all mail daily from that account using POP so that the mail is deleted from the new Gmail account automatically.
1 and 2 help you keep living your life without losing access and data if your account is suspended, 3 helps if your account gets taken over (until the attacker finds the autoforward and turns it off, at least) or if Gmail is down and you want an easy to access/search offline copy of your email.
Seconding paying for the premium Google account because paying customers get MUCH better support and help if there is a problem with your account.
posted by underclocked at 7:10 AM on December 22, 2023 [9 favorites]
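Step 2 above (a periodic "download your data" export) also gives you the raw material for the question's other goal, finding out which services are tied to the address so that reliance on it can be reduced. The following is an added example, not code from the thread or from Google: it reads a Gmail export in the mbox format Takeout produces, groups messages by sender domain, and flags domains that send account-style mail (verification codes, password resets, receipts) as the services whose registered address should be changed or backed up first. The mbox content, the domains and the subject keywords are constructed for the demo; the keyword list is an assumption you would tune to your own mail.

```python
import mailbox
import os
import re
import tempfile
from collections import defaultdict
from email.utils import parseaddr

# Subjects that suggest an account, payment or recovery relationship rather
# than ordinary correspondence. Assumed starting list; extend for your mail.
SIGNAL = re.compile(
    r"\b(verify|verification|security code|one-time|password reset|"
    r"sign-in|sign in|login|receipt|invoice|your account|recovery)\b",
    re.IGNORECASE,
)

# Constructed sample in the same mbox format a Takeout Gmail export uses.
# Addresses and domains are placeholders, not real services.
SAMPLE_MBOX = """From MAILER-DAEMON Mon Dec 18 09:00:00 2023
From: "Bank of Example" <no-reply@bank.example>
To: me@gmail.example
Subject: Your one-time security code
Date: Mon, 18 Dec 2023 09:00:00 +0000

Your code is 123456.

From MAILER-DAEMON Mon Dec 18 10:00:00 2023
From: Example Shop <orders@shop.example>
To: me@gmail.example
Subject: Receipt for order #1001
Date: Mon, 18 Dec 2023 10:00:00 +0000

Thanks for your order.

From MAILER-DAEMON Tue Dec 19 08:00:00 2023
From: Alice <alice@client.example>
To: me@gmail.example
Subject: Re: draft contract
Date: Tue, 19 Dec 2023 08:00:00 +0000

Looks good to me.

From MAILER-DAEMON Tue Dec 19 09:00:00 2023
From: "Bank of Example" <alerts@bank.example>
To: me@gmail.example
Subject: Password reset requested
Date: Tue, 19 Dec 2023 09:00:00 +0000

If this wasn't you, contact us.
"""


def inventory(mbox_path: str) -> dict:
    """Group messages by sender domain and record subjects that look like
    account traffic. Returns {domain: {messages, senders, signal_subjects}}."""
    by_domain = defaultdict(
        lambda: {"messages": 0, "senders": set(), "signal_subjects": []}
    )
    box = mailbox.mbox(mbox_path)
    try:
        for msg in box:
            _, addr = parseaddr(msg.get("From", ""))
            domain = addr.rpartition("@")[2].lower()
            if not domain:
                continue  # malformed or missing From header: nothing to attribute
            entry = by_domain[domain]
            entry["messages"] += 1
            entry["senders"].add(addr.lower())
            subject = str(msg.get("Subject", ""))
            if SIGNAL.search(subject):
                entry["signal_subjects"].append(subject)
    finally:
        box.close()
    return {
        d: {
            "messages": e["messages"],
            "senders": sorted(e["senders"]),
            "signal_subjects": e["signal_subjects"],
        }
        for d, e in by_domain.items()
    }


def services_to_migrate(inv: dict) -> list:
    """Domains with at least one account-style message: the services whose
    registered e-mail address should be changed before leaving the account."""
    return sorted(d for d, e in inv.items() if e["signal_subjects"])


def demo() -> dict:
    """Write the constructed sample to a temp file and run the inventory."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write(SAMPLE_MBOX)
        path = f.name
    try:
        inv = inventory(path)
    finally:
        os.unlink(path)
    return {"inventory": inv, "services": services_to_migrate(inv)}


if __name__ == "__main__":
    result = demo()
    for domain in result["services"]:
        print(domain, result["inventory"][domain]["signal_subjects"])
```

Point `inventory()` at the "All mail" mbox inside a real Takeout archive instead of the temp file; the correspondence domain (client.example here) shows up in the inventory but not in the migration list, which is the distinction you want when deciding which addresses must move to a separate recovery or banking mailbox.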
I would like to balance convenience and security
Security is 'worthwhile inconvenience', sure.
You might add a few physical devices under the PassKey program, carry one with you when traveling and have the backups securely locked away at home. They can be number generators, USB devices plugged in to your laptop, or an app tied to a laptop or phone you have. Without it, nobody can impersonate you, and with it, someone still needs a strong password.
posted by k3ninho at 8:00 AM on December 22, 2023
I asked myself the same question and it led me to transition away from Gmail to Fastmail. $4 per month is a small price to pay for email IMHO, and Google is notorious for suddenly banning accounts for inscrutable reasons.
Also, feels good to support a unionized and employee owned company that has been doing email longer than Google.
For now I'm still autoforwarding all my Gmail to Fastmail, so I don't miss anything sent to either address.
posted by splitpeasoup at 8:44 AM on December 22, 2023 [5 favorites]
If your phone or laptop can be used to access your critical gmail account, then you need to secure them. Make sure your device's storage is encrypted (probably enabled by default on your phone but maybe not on your laptop) and use a strong password or PIN plus biometric (fingerprint/face) ID. Don't enter your PIN in public or hand your phone to any stranger ever (even to get their number in a singles bar, or have them take your picture).
If you use text/SMS as a two-factor authentication method, be aware of SIM swap attacks.
If you want to be very protected against targeted phishing attacks, consider using a hardware token (Yubikey or Google Titan key), and optionally enable Google Advanced Protection for your account. (Note: Advanced Protection will disable other methods of accessing your Google account, so make sure you have also registered a second hardware token, and keep it in a secure place as a backup.) Using a hardware token can be inconvenient in some ways, but it also doesn't depend on phone/SMS access so it might actually be more convenient for you. Unlike other 2FA methods where you type a numeric code, a hardware key can't be tricked into giving credentials to a malicious site.
If you’re considering switching from Google to Fastmail or similar, also consider registering your own domain name (which you can then point at Fastmail’s servers for email hosting). This will let you switch providers in the future without changing your address. It also makes it easier to create many different addresses that all go to the same inbox.
posted by mbrubeck at 9:29 AM on December 22, 2023 [3 favorites]
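k3ninho's point that a physical key blocks impersonation, and mbrubeck's that a hardware key "can't be tricked into giving credentials to a malicious site" while a typed numeric code can, both come down to what the relying party receives. The following is an added illustration, not code from either poster, from Google or from any FIDO library. It runs one user through a lookalike login page twice: once with a TOTP code (RFC 6238, what authenticator apps generate) and once with a WebAuthn-style assertion. Assumptions, none from the original posts: the key's signature is modelled as an HMAC over a per-credential secret (a real key signs with an ECDSA P-256 private key that never leaves the device), the challenge is fixed rather than random, and the rpId is simplified to the full host of the page origin. What is signed and what the relying party checks follow the WebAuthn assertion format: authenticatorData || SHA-256(clientDataJSON), with the browser, not the page, writing the origin into clientDataJSON.

```python
import base64
import hashlib
import hmac
import json
import struct


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# ---- TOTP (RFC 6238, HMAC-SHA1, 30 s step) ---------------------------------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_server_accepts(server_secret: bytes, submitted: str, now: int) -> bool:
    # The server sees six digits and nothing about where they were typed, so a
    # code relayed by a phishing page is indistinguishable from a genuine one.
    return hmac.compare_digest(totp(server_secret, now), submitted)


# ---- WebAuthn-style assertion (simplified, see lead-in) ----------------------

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(cred_secret: bytes, rp_id: str, client_data: bytes):
    """The key's job: authenticatorData for the rpId the browser supplied, signed
    together with the hash of clientDataJSON (HMAC stands in for ECDSA here)."""
    auth_data = rp_id_hash(rp_id) + b"\x01" + struct.pack(">I", 1)  # UP flag, counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_secret, to_sign, hashlib.sha256).digest()


def browser_get_assertion(cred_secret: bytes, page_origin: str, challenge: bytes):
    """navigator.credentials.get() as the browser does it: the page cannot choose
    the origin in clientDataJSON, and the rpId is derived from that origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    rp_id = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    auth_data, sig = authenticator_sign(cred_secret, rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(cred_secret, expected_origin, expected_rp_id, challenge,
              client_data, auth_data, sig) -> str:
    """Relying-party checks in spec order; returns "ok" or the first failure."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return "malformed clientData"
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return "origin mismatch"
    if auth_data[:32] != rp_id_hash(expected_rp_id):
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence not asserted"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(hmac.new(cred_secret, to_sign, hashlib.sha256).digest(), sig):
        return "bad signature"
    return "ok"


def phishing_outcomes() -> dict:
    """Same user, same lookalike page, both factor types. Domains are placeholders."""
    real_origin, real_rp_id = "https://login.example.com", "login.example.com"
    phish_origin = "https://login.example.net"
    totp_secret, cred_secret = b"12345678901234567890", b"per-credential key secret"
    challenge, now = b"\x00" * 32, 1_700_000_000

    # TOTP: user types the current code into the fake form; attacker relays it.
    totp_relayed = totp_server_accepts(totp_secret, totp(totp_secret, now), now)

    # WebAuthn, user really on the genuine site.
    legit = browser_get_assertion(cred_secret, real_origin, challenge)
    # WebAuthn, user on the lookalike: attacker forwards a real challenge and
    # relays whatever the key returns.
    phished = browser_get_assertion(cred_secret, phish_origin, challenge)
    # Attacker patches origin and rpIdHash before relaying; signature covers both.
    cd, ad, sig = phished
    forged_cd = cd.replace(phish_origin.encode(), real_origin.encode())
    forged_ad = rp_id_hash(real_rp_id) + ad[32:]

    verify = lambda *a: rp_verify(cred_secret, real_origin, real_rp_id, challenge, *a)
    return {
        "totp_code_typed_on_phishing_site_accepted": totp_relayed,
        "webauthn_legitimate": verify(*legit),
        "webauthn_relayed_from_phishing_site": verify(*phished),
        "webauthn_forged_origin_and_rpid": verify(forged_cd, forged_ad, sig),
    }


if __name__ == "__main__":
    for name, outcome in phishing_outcomes().items():
        print(f"{name}: {outcome}")
```

The relayed TOTP code is accepted because nothing in six digits binds them to a site, which is also why a printed backup code offers the same phishing exposure as a live code and belongs offline. The relayed assertion fails on the origin check, and even an attacker who rewrites the origin and rpIdHash is caught by the signature, since the key signed the hash of the original clientDataJSON. The lookalike domain is the only variable that changed.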
MFA that is not a text or call to your cell phone. It is notoriously easy for criminals to social engineer their way into stealing your phone account, and they move so fast that by the time you figure out what happened they’ve already stolen your life.
So: Authenticator or a physical token like yubikey. Print a hard copy of the backup codes and put it in a safe deposit box or other secure location.
posted by qxntpqbbbqxl at 12:43 PM on December 22, 2023 [3 favorites]
1) Don't forget that physical theft is also a threat.
Understand the mind of the hacker. Never lend your phone to a stranger even for a minute or two.
https://www.youtube.com/watch?v=gi96HKr2vo8
2) Harmless-looking browser extensions can be quite a dangerous source of password leaks.
3) Adopt an app minimization policy on your PC or phone to reduce the risk of malware.
4) Be aware of the latest phishing tactics such as highly customized emails specific to your industry, phishing emails from known contacts (hijacked email accounts) and tricks such as QR code phishing.
5) Finally, as you seem really concerned about security, don't let this be your Achilles Heel. Research how hackers can use fake security warnings to trick you into divulging your password.
posted by jacobean at 2:56 PM on December 22, 2023 [1 favorite]
Backup phone with Authenticator, backup codes, and the Find Device app to secure your phone, should you lose/ break your primary one.
posted by 4th Matryoshka Doll at 4:35 PM on December 22, 2023
Making an entire digital life depend critically on an offering from a notoriously indifferent and whim-prone corporation to whom you are not even a customer, merely livestock, is a bigger risk than I'd be happy to take on. Seconding splitpeasoup on migrating to Fastmail, which I also use.
My own digital life's potential single point of failure is a credentials database file in KeePass format that I maintain and back up myself. On the desktop I use KeePassXC and the KeePassXC browser extension to work with it, and on mobile I use KeePassDroid. All are open source, none are commercial.
I am religious about making sure that my own credentials database file always contains the authoritative version of all my credentials, even those that I occasionally allow other facilities to remember for me for convenience's sake, and always using the URLs I keep inside that database to get access to sites' login screens.
posted by flabdablet at 8:48 PM on December 22, 2023 [2 favorites]
Well turns out if I ever fuck my account up in some way, they already have my ID verified so getting my account unlocked and restored to me (should be) a breeze. Considering how much of my life routes through google, it's probably worth the paid account support peace of mind alone, never mind the storage.
posted by phunniemee at 5:17 AM on December 22, 2023 [6 favorites]