Following on from our detailed guide to securing your webmail, here’s a quick breakdown of how to make the most important fixes, for users of Google’s Gmail.
Controls affecting Gmail security are mostly found at www.google.com/settings, or can be reached by clicking the user ID in the top right of any Gmail page and selecting “Account”. (The user ID will usually be a photo or avatar, but it may just be your Gmail address if you do not have an associated Google+ account.)
1. Protect your password
Of course, start by making sure your password is well chosen and not shared.
If you need to change it, visit the Account Settings page as above and click the “Security” tab. You’ll find the password settings at the top of the list.
Make sure the reset and recovery options are safe too – in the same tab, look at the “Recovery & Alerts” section. If you’ve already provided Google with a phone number and/or alternate email address, they’ll be listed here.
Make sure they’re correct, and think about whether other people may be able to get at them – if they can, they could reset your password and break into your account.
If there are no details here, you may want to think about adding some sort of recovery option in case you forget your password. These contact details are also used to send alerts when Google detects suspicious activity on your account, and the type of alerts sent can be adjusted using the “Edit” button.
Older accounts may still have a “Security question” set up; however, this method of recovering an account is no longer supported, so it can be ignored.
If you need help picking a good password then our video should help:
2. Set up 2-step verification
Google’s version of two-factor authentication, referred to as 2-step verification (2SV), can also be accessed from the Security tab on the Account Settings page.
You’ll find it just underneath the “Change password” option.
To set it up, you’ll need to provide a phone number, which will be verified with an initial code sent via SMS or as an automated voice message. Click “Setup” in this section, then follow the instructions.
Note that in some regions this option is not available – possible workarounds include using one of the many services which provide free internet SMS to get the initial setup done, then switching to the Authenticator app.
Google’s Authenticator app supports most phone platforms, and is useful for securing a raft of other services too. You can switch to this once the initial setup is complete, or you can stick to SMS or voice to send codes.
Once you have logged in on a given machine for the first time, Google will offer to “trust” that machine, meaning no more codes will be required – the box is checked by default, so if you log in from an untrusted system, make sure you uncheck it.
For mail client apps and other services that don’t support secondary codes, you can generate a device-specific password which replaces your standard password when logging in – see the second tab in the 2SV options page.
You can also provide a backup phone number, or generate a list of one-off emergency codes, to use in case of a problem with your main method of generating codes – as usual, make sure these are secure.
Google has also recently introduced its Security Key which can be plugged into your USB port and used instead of SMS or an authenticator app as your second factor of 2SV. Google’s part of it is free, but you do have to pay for a compatible device. You’re also restricted to Chrome when using it.
3. Check your settings
At the bottom of every page is a record of the “Last account activity”, showing when you last logged on.
Click on “Details” to see the last ten logins, the IP address they originated from, and a guess at the country based on that IP address, which should be accurate in most cases.
It will also show whether the access was from a browser or mobile device. For many access types you can even burrow down into each entry to find info like the browser and OS version, or mobile device type. You can also find a more detailed version of the history, complete with more precise (but still estimated) location data, on the Account Settings page under “Recent activity”.
Consider checking these from time to time to look out for access from unexpected locations, and certainly look here first if you suspect someone’s been intruding into your account.
If you think anyone may have had access to your account for any period of time, it’s worth checking whether any delegation has been set up. On the main Gmail page, click the gear icon and choose “Settings”.
Go to the “Accounts and import” tab and look at the “Grant access to your account” section.
If there are any other accounts here that you haven’t added, those accounts could have had unfettered access to all your mail and contacts – a sneaky intruder may also have checked the “Leave conversation unread…” box, so you wouldn’t be able to tell if they’d read something. Reset any unwanted changes here as soon as you spot them.
Another place to look is on the “Filters” and “Forwarding and POP/IMAP” tabs to check no-one’s set up any rules to forward mail to a third-party address. This is less intrusive than delegated access, but can still leak a lot of stuff to someone who shouldn’t have it.
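The same forwarding check can be done programmatically for an account, or many accounts, rather than by eye. The following is an added example (not from the original article, and not a Google tool): it flags filters and the account-wide auto-forwarding setting that send mail to an address outside an assumed allowlist of trusted domains. It assumes records in the field layout of the Gmail API’s filters and autoForwarding resources, and uses constructed sample data rather than a live account.

```python
# Added example, not from the original article: audit a Gmail account's
# filters and auto-forwarding setting for rules that copy mail to an outside
# address. Records use the field names of the Gmail API
# (users.settings.filters.list and users.settings.getAutoForwarding);
# the sample data below is constructed, not fetched from a real account.

TRUSTED_DOMAINS = {"example.com"}  # assumption: the owner's own domain(s)


def domain_of(address):
    """Lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def audit_filters(filters, trusted=TRUSTED_DOMAINS):
    """Return one finding per filter whose action forwards to an untrusted
    address. A filter that also removes INBOX or UNREAD hides the forwarded
    copy from the owner, so it is rated 'high' rather than 'medium'."""
    findings = []
    for flt in filters:
        action = flt.get("action", {})
        target = action.get("forward", "")
        if not target or domain_of(target) in trusted:
            continue
        hidden = bool({"INBOX", "UNREAD"} & set(action.get("removeLabelIds", [])))
        findings.append({"filter_id": flt.get("id"), "forward_to": target,
                         "criteria": flt.get("criteria", {}),
                         "severity": "high" if hidden else "medium"})
    return findings


def audit_auto_forwarding(auto_forwarding, trusted=TRUSTED_DOMAINS):
    """Return a finding if account-wide auto-forwarding sends to an untrusted address."""
    target = auto_forwarding.get("emailAddress", "")
    if auto_forwarding.get("enabled") and domain_of(target) not in trusted:
        return [{"kind": "auto_forwarding", "forward_to": target, "severity": "high"}]
    return []


# Constructed sample: one benign labelling filter, one that quietly forwards
# sensitive mail and hides the fact by archiving it and marking it read.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.com"},
     "action": {"addLabelIds": ["Label_1"]}},
    {"id": "f2", "criteria": {"query": "invoice OR password"},
     "action": {"forward": "collector@outsider.invalid",
                "removeLabelIds": ["INBOX", "UNREAD"]}},
]
SAMPLE_AUTO_FORWARDING = {"enabled": False}
```

Run `audit_filters(SAMPLE_FILTERS)` and `audit_auto_forwarding(SAMPLE_AUTO_FORWARDING)` against data fetched with the user’s own credentials; anything rated “high” deserves the same immediate reset the article recommends for unwanted delegation.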
Back on the main Account Settings page (reached by clicking the user ID in the top right of any Gmail page and selecting “Account”) is the “Account permissions” section. You’ll find it just under the Password options.
This lists all websites and apps which have been granted access to your Google account – these might include things like mail client apps on mobile devices, or Google’s own Chrome or Drive services.
Each entry should come with some information on what it means – look out for things you don’t need or recognise.
Finally, it’s worth looking through the list of devices trusted by the 2SV system, just to make sure any old devices are no longer exempt – look under “Registered computers” in the 2SV settings for details.
Once you’ve made your Gmail account a bit safer, check to make sure you’re following the rest of the advice in our guide to securing your webmail.