Sophos Cloud Optix
Following on from our detailed guide to securing your webmail, here’s a quick breakdown of how to make the most important fixes, for users of Yahoo Mail.
(We also have tips on making your Gmail or Outlook.com/Hotmail account safer.)
Controls affecting Yahoo Mail security are mainly found in one central place. Click the gear icon in the top right corner, and select “Account Info“.
Just above this on the same menu are entries for “Privacy” and “Terms”, which you may want to look through to find out what rights you have and what Yahoo may do with the mails you send and receive.
1. Protect your password
First of all, make sure your password is well chosen and not shared. If you need to change it, visit the “Account Info” page as detailed above, scroll down to “Sign-in and Security” and click “Change your password”.
Now check the recovery and reset options – you’ll find “Update password-reset info” just underneath the “Change your password” link.
Here you’ll be able to add phone numbers and alternative email addresses which will be used to verify you if you lose your password or find yourself locked out of your account.
Make sure the information is up to date, and the phones and email accounts supplied are not accessible to people you don’t trust.
You can also add phone or email information for trusted friends or relatives. If you want to add further backups here, make sure the people you choose are reliable and trustworthy, and remember to remove them if you fall out or lose touch.
It’s also good form to check with people before you hand over their details, or at least let them know.
If you need help picking a good password then our video should help:
→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.
2. Set up second sign-in verification
Yahoo refers to its version of two-factor authentication as “second sign-in verification” (2SV). You can enable and configure it by clicking the “Set up your second sign-in verification” link, again in the “Sign-in and Security” section of the “Account Info” page.
Yahoo only supports SMS for sending its 2SV codes, so if you don’t have a mobile phone you’re out of luck.
It could also be a problem when you don’t have phone signal, and may result in carrier charges if you’re travelling. Hopefully Yahoo will add a better range of options soon.
If you haven’t set it up yet, just click “Get started” and provide a phone number; if you’ve already entered one as a recovery number, it will default to that, but you can select a different one if you like.
If you use mail client software such as Outlook or Thunderbird, or mail apps on mobile devices, these can’t usually handle more than one password so you’ll need to generate some app-specific passwords. Use these in place of your regular password when you log in from a client or app.
Once you’ve logged in once from a given device, you won’t need to provide a code again.
A little worryingly, Yahoo appears not to provide any options to monitor or revoke which machines have been trusted in the past, so if you’re using a public or untrusted computer, be sure to clear the browser history when you’re done, and if you’re getting rid of an old phone or computer, wipe it thoroughly.
3. Check your settings
Also in the “Sign-in and Security” section of the “Account Info” page is an option to “View your recent sign-in activity“.
This will show the most recent attempts to log in to your account and other significant events, marked with a date and time, some information on the event, the type of device used, and a location, which can be shown either as an IP address or a best-guess at the country, based on the IP address.
You should check in here any time you think someone may have accessed your account without permission, and it’s worth having a look from time to time anyway, just in case.
It’s also a good idea to check the options for “Delete other accounts used to sign in” and “Manage apps and website connections“, both in the “Sign-in and Security” section.
These will show any other accounts, sites or apps which have permission to log in to your account, potentially seeing your contacts and other information, as well as the content of mails.
Look out for any unexpected entries. If you’ve granted access to anything other than your main login ID, consider whether you really need that account or site to have access to your mail.
Finally, there’s an entry marked “Change sign-in settings“, where you can change the automatic time-out for logins.
The only options here are four weeks or one day, so most people will stick to four weeks to avoid repeated demands for passwords.
If you’re planning on travelling and using public computers, it might be wise to set it to one day in case you forget to fully clear the browser history.
Once you’re done with making your Yahoo Mail account safer, make sure you are following our general advice in our guide to securing your webmail.
In reference to Yahoo! mail, John Hawes wrote “First of all, make sure your password is well chosen and not shared.”
You’re kidding, John! Right?
More than half of us USA Yahoo! customers receive either mobile phone service, residential land line phone service, or broadband (possibly including VoIP) service from AT&T. AT&T (really SBC) hands its account password management over to Yahoo! A common password is enforced. You change one–the other changes too. There’s no way to avoid sharing passwords.
In the old days I would have said they are using a common Radius server. It’s probably different technology these days, but to the same end. We have to hope the server isn’t compromised.
very useful information and help thank you very much frequent knowledge
life is good