Following on from our detailed guide to securing your webmail, here’s a quick breakdown of how to make the most important fixes, for users of Google’s Gmail.
Controls affecting Gmail security are mostly found at www.google.com/settings, or can be reached by clicking the user ID in the top right of any Gmail page and selecting “Account”. (The user ID will usually be a photo or avatar, but it may just be your Gmail address if you do not have an associated Google+ account.)
1. Protect your password
Of course, start by making sure your password is well chosen and not shared.
If you need to change it, visit the Account Settings page as above and click the “Security” tab. You’ll find the password settings at the top of the list.
Make sure the reset and recovery options are safe too – in the same tab, look at the “Recovery & Alerts” section. If you’ve already provided Google with a phone number and/or alternate email address, they’ll be listed here.
Make sure they’re correct, and think about whether other people may be able to get at them – if they can, they could reset your password and break into your account.
If there are no details here, you may want to think about adding some sort of recovery option in case you forget your password. These contact details are also used to send alerts when Google detects suspicious activity on your account, and the type of alerts sent can be adjusted using the “Edit” button.
Older accounts may still have a “Security question” set up; however, this method of recovering an account is no longer supported, so it can be ignored.
If you need help picking a good password then our video should help:
2. Set up 2-step verification
Google’s version of two-factor authentication, referred to as 2-step verification (2SV), can also be accessed from the Security tab on the Account Settings page.
You’ll find it just underneath the “Change password” option.
To set it up, you’ll need to provide a phone number, which will be verified with an initial code sent via SMS or as an automated voice message. Click “Setup” in this section, then follow the instructions.
Note that in some regions this option is not available – possible workarounds include using one of the many services which provide free internet SMS to get the initial setup done, then switching to the Authenticator app.
Google’s app supports most phone platforms, and is useful for securing a raft of other services too. You can switch to this once the initial setup is complete, or you can stick to SMS or voice to send codes.
Once you have logged in on a given machine for the first time, Google will offer to “trust” that machine, meaning no more codes will be required – the box is checked by default, so if you log in from an untrusted system, make sure you uncheck it.
For mail client apps and other services that don’t support secondary codes, you can generate a device-specific password which replaces your standard password when logging in – see the second tab in the 2SV options page.
You can also provide a backup phone number, or generate a list of one-off emergency codes, to use in case of a problem with your main method of generating codes – as usual, make sure these are secure.
Google has also recently introduced its Security Key which can be plugged into your USB port and used instead of SMS or an authenticator app as your second factor of 2SV. Google’s part of it is free, but you do have to pay for a compatible device. You’re also restricted to Chrome when using it.
3. Check your settings
At the bottom of every page is a record of the “Last account activity”, showing when you last logged on.
Click on “Details” to see the last ten logins, the IP address they originated from, and a guess at the country based on that IP address, which should be accurate in most cases.
It will also show whether the access was from a browser or mobile device. For many access types you can even burrow down into each entry to find info like the browser and OS version, or mobile device type. You can also find a more detailed version of the history, complete with more precise (but still estimated) location data, on the Account Settings page under “Recent activity”.
Consider checking these from time to time to look out for access from unexpected locations, and certainly look here first if you suspect someone’s been intruding into your account.
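Reading the activity list by eye works for ten entries, but the checks are mechanical: is the estimated country one you actually use, is the access type one you recognise, and did the account jump between countries faster than a person could travel. The Python below is an added example written for this article, not a Google tool; the activity records are constructed to mimic the fields shown in the “Details” pop-up (time, IP, estimated country, access type), and the two-hour "rapid country change" window is an assumed threshold, not anything Google publishes.

```python
"""Flag anomalies in a copied Gmail 'Last account activity' list.

Added example, not from the original article. The records below are
constructed sample data in the shape of the "Details" view, newest first.
"""
from datetime import datetime, timedelta

SAMPLE_ACTIVITY = [
    {"time": "2015-03-02T08:15:00", "ip": "203.0.113.10", "country": "United Kingdom", "access": "Browser (Firefox)"},
    {"time": "2015-03-02T07:40:00", "ip": "198.51.100.77", "country": "Nigeria", "access": "Browser (Chrome)"},
    {"time": "2015-03-01T22:05:00", "ip": "203.0.113.10", "country": "United Kingdom", "access": "Browser (Firefox)"},
    {"time": "2015-03-01T18:30:00", "ip": "192.0.2.44", "country": "United Kingdom", "access": "Mobile (Android)"},
    {"time": "2015-02-28T09:00:00", "ip": "203.0.113.10", "country": "United Kingdom", "access": "Browser (Firefox)"},
]


def review_activity(entries, expected_countries, known_access=(),
                    travel_window=timedelta(hours=2)):
    """Return a list of findings, each a dict with a 'kind' and a 'detail'.

    expected_countries: countries you genuinely log in from.
    known_access: access types you recognise (empty tuple disables the check).
    travel_window: assumed threshold; two logins from different countries
    closer together than this are flagged as a rapid country change.
    """
    rows = sorted(
        ({**e, "dt": datetime.fromisoformat(e["time"])} for e in entries),
        key=lambda e: e["dt"],
    )  # oldest first so consecutive rows can be compared
    findings = []
    for i, row in enumerate(rows):
        if row["country"] not in expected_countries:
            findings.append({"kind": "unexpected_country",
                             "detail": f"{row['country']} from {row['ip']} at {row['time']}"})
        if known_access and row["access"] not in known_access:
            findings.append({"kind": "unknown_access",
                             "detail": f"{row['access']} from {row['ip']} at {row['time']}"})
        if i > 0:
            prev = rows[i - 1]
            gap = row["dt"] - prev["dt"]
            if prev["country"] != row["country"] and gap < travel_window:
                findings.append({"kind": "rapid_country_change",
                                 "detail": f"{prev['country']} -> {row['country']} "
                                           f"within {int(gap.total_seconds() // 60)} minutes"})
    return findings


if __name__ == "__main__":
    for f in review_activity(SAMPLE_ACTIVITY, {"United Kingdom"},
                             known_access=("Browser (Firefox)", "Mobile (Android)")):
        print(f"[{f['kind']}] {f['detail']}")
```

Any finding is a prompt to look further, not proof of a break-in; the country is only an estimate from the IP address, so a VPN or a mobile carrier's gateway can produce a false positive. The delegation and forwarding checks described next are what settle whether someone has actually been in the account.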
If you think anyone may have had access to your account for any period of time, it’s worth checking whether any delegation has been set up. On the main Gmail page, click the gear icon and choose “Settings”.
Go to the “Accounts and import” tab and look at the “Grant access to your account” section.
If there are any other accounts here that you haven’t added, those accounts could have had unfettered access to all your mail and contacts – a sneaky intruder may also have checked the “Leave conversation unread…” box, so you wouldn’t be able to tell if they’d read something. Reset any unwanted changes here as soon as you spot them.
Another place to look is on the “Filters” and “Forwarding and POP/IMAP” tabs to check no-one’s set up any rules to forward mail to a third-party address. This is less intrusive than delegated access, but can still leak a lot of stuff to someone who shouldn’t have it.
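The three persistence points just described (delegated access, filters that forward, and account-level forwarding) can be audited in one pass if you have the settings in a structured form. The Python below is an added example for this article, not Google's code; the snapshot is constructed sample data whose shape is modelled on the Gmail API settings resources for delegates, filters, forwarding addresses and auto-forwarding (an assumption about field names, so adapt it to whatever export you actually have). It flags any delegate or forwarding destination outside the addresses you trust, and calls out filters that both forward a copy and remove it from the inbox, which is the combination that keeps the leak invisible.

```python
"""Audit a Gmail settings snapshot for delegation and forwarding leaks.

Added example, not from the original article. Field names follow the
Gmail API settings resources as an assumption; the data is constructed.
"""

SAMPLE_SETTINGS = {
    "delegates": [
        {"delegateEmail": "assistant@example.com", "verificationStatus": "accepted"},
    ],
    "filters": [
        {"id": "f1", "criteria": {"from": "newsletter@example.org"},
         "action": {"addLabelIds": ["Label_1"]}},
        {"id": "f2", "criteria": {"query": "invoice OR password"},
         "action": {"forward": "collector@example.net", "removeLabelIds": ["INBOX"]}},
    ],
    "forwardingAddresses": [
        {"forwardingEmail": "collector@example.net", "verificationStatus": "accepted"},
    ],
    "autoForwarding": {"enabled": True, "emailAddress": "collector@example.net",
                       "disposition": "archive"},
}


def audit_settings(settings, trusted_addresses):
    """Return findings (dicts with 'kind', 'where', 'detail') for anything
    that grants access to, or sends mail to, an address not in trusted_addresses."""
    trusted = {a.lower() for a in trusted_addresses}
    findings = []

    def untrusted(addr):
        return bool(addr) and addr.lower() not in trusted

    for d in settings.get("delegates", []):
        if untrusted(d.get("delegateEmail")):
            findings.append({"kind": "unknown_delegate", "where": "Accounts and import",
                             "detail": f"{d['delegateEmail']} ({d.get('verificationStatus')})"})

    for f in settings.get("filters", []):
        action = f.get("action", {})
        target = action.get("forward")
        if untrusted(target):
            hidden = "INBOX" in action.get("removeLabelIds", [])
            findings.append({"kind": "forwarding_filter", "where": "Filters",
                             "detail": f"filter {f.get('id')} forwards to {target}"
                                       + (" and skips the inbox" if hidden else "")})

    for fa in settings.get("forwardingAddresses", []):
        if untrusted(fa.get("forwardingEmail")):
            findings.append({"kind": "unknown_forwarding_address",
                             "where": "Forwarding and POP/IMAP",
                             "detail": fa["forwardingEmail"]})

    auto = settings.get("autoForwarding", {})
    if auto.get("enabled") and untrusted(auto.get("emailAddress")):
        findings.append({"kind": "auto_forwarding", "where": "Forwarding and POP/IMAP",
                         "detail": f"all mail to {auto['emailAddress']} "
                                   f"(disposition: {auto.get('disposition')})"})
    return findings


if __name__ == "__main__":
    for f in audit_settings(SAMPLE_SETTINGS, ["me@example.com"]):
        print(f"[{f['kind']}] {f['where']}: {f['detail']}")
```

Run against the sample with only your own address trusted, it reports the delegate, the forwarding filter (noting that it hides the forwarded copy), the registered forwarding address and the account-wide auto-forward, which is exactly the set of places the article tells you to look.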
Back on the main Account Settings page (reached by clicking the user ID in the top right of any Gmail page and selecting “Account”) is the “Account permissions” section. You’ll find it just under the Password options.
This lists all websites and apps which have been granted access to your Google account – these might include things like mail client apps on mobile devices, or Google’s own Chrome or Drive services.
Some information should be given on what each entry means – look out for things you don’t need or recognise.
Finally, it’s worth looking through the list of devices trusted by the 2SV system, just to make sure any old devices are no longer exempt – look under “Registered computers” in the 2SV settings for details.
Once you’ve made your Gmail account a bit safer, check to make sure you’re following the rest of the advice in our guide to securing your webmail.
The most simple tips are often the best 🙂 ¡Nice posts!
Great advice. However, I wonder if others have had the same thing happen to them as happens to me, relentlessly.
When I log into gmail, I always click the ‘details’ link, and I always find the warning: “This account does not seem to be open in any other location. However, there may be sessions that have not been signed out.” This started happening at least a year ago, and that message was sporadic, half the time it told me that “This account does not seem to be open in any other location.” Now I get the alert message every time.
It’s quite aggravating when one uses two factor authentication and actually does sign out of each session. And yes, of course, I have closed my browser without signing out of gmail on rare occasions, but always sign back into gmail to correct my mistake.
And before anyone asks, yes, I use and regularly update my antivirus software, and run boot-time scans about every 4-6 weeks. Yes, I apply Microsoft updates as first opportunity. Yes, I use very strong passwords, and never use the same password on a second website. I’m well informed and very cautious about computer and internet security.
Should I be irritated at Google for this anomaly? Or could this be a problem with each updated version of Mozilla Firefox over this period of time?
Do you access your gmail from a phone/tablet via the Gmail (or other) app? That can sometimes cause you to get that message.
If you have authorized any access to your account from any other app/device, Gmail knows you have done so, but it can’t always access those apps or devices and see whether they are still signed in or not.
No, I only access gmail and all other log in sites from one computer that stays locked with a password when inactive. Should have mentioned that, but as the next replier noted, I am aggravated.
This issue persists. I follow my log in and log out procedures every time, yet always find a session that has not been logged out of when I log in again. It happens even when I log out and log back in immediately. It is always my IP address that shows up, which leads me to believe it is a glitch in gmail.
You certainly sound irritated.
Thanks for the tip 🙂
I have a gmail account that I let my team use; it’s not on my domain, just an email account. Is there any way I can secure it so my team can’t change the password, so I’m the only one who controls it?
thanks for the help
Thank you for advice
I don’t understand it. Please explain this again