Improving your account security

Every year or so, it’s worthwhile doing an audit of your online security. The most important accounts to protect are your bank accounts and your email accounts. Here are some things to consider doing:

– Choose strong passwords. Just as important: don’t re-use the same password across web services. Consider using a password manager like LastPass or 1Password to generate strong, secure passwords and keep them safe.

– Add two-factor authentication to your important accounts. Certainly your Gmail account, but also your Twitter account, domain registrar, etc.

– Put a PIN or unlock code on whichever phone has Google Authenticator or would receive two-factor SMS texts. Consider enrolling your phone in Find my iPhone or Android Device Manager.

– Let’s get specific on your Gmail/Google account now. Click into your account’s security settings. For Google, print out backup codes for your 2-step verification and put them somewhere safe. Add a recovery email account and phone number to your account. Check to make sure that everything looks locked down tight, e.g. no app passwords that you don’t remember.

– Make sure you put a PIN on your phone number or cell phone voicemail. Why? If Google or another service leaves a recovery code in your voicemail, you don’t want hackers to access your voicemail easily by spoofing caller ID.

– In Gmail, check for any unexplained filters or forwarding rules where a hacker could be forwarding your email to a different email address.
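One way to make that filter check systematic, as an added example rather than anything from the original post: the functions below walk a filter listing in the shape of the Gmail API's filter resource (the field names are my assumption about that API, and the sample data is constructed) and flag rules that forward mail, hide the forwarded copies, or silently delete messages.

```python
import json

# Constructed sample. Its shape follows the Gmail API users.settings.filters.list
# response as I understand it (assumption): each filter has an id, criteria and
# an action with optional addLabelIds, removeLabelIds and forward fields.
SAMPLE_FILTERS = json.loads("""{"filter": [
  {"id": "f1", "criteria": {"from": "newsletter@example.com"},
   "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
  {"id": "f2", "criteria": {"query": "password OR verification OR reset"},
   "action": {"forward": "mirror@example.net", "removeLabelIds": ["INBOX", "UNREAD"]}},
  {"id": "f3", "criteria": {"from": "alerts@bank.example"},
   "action": {"addLabelIds": ["TRASH"]}}
]}""")

# Constructed account-wide forwarding setting, in the shape of
# users.settings.getAutoForwarding (assumption). Off is what an untouched account shows.
SAMPLE_AUTOFORWARD = {"enabled": False}

def audit_filters(resp, trusted_forwards=()):
    """Return (filter id, criteria, reasons) for every filter worth a second look."""
    findings = []
    for f in resp.get("filter", []):
        action = f.get("action", {})
        added = set(action.get("addLabelIds", []))
        removed = set(action.get("removeLabelIds", []))
        forward = action.get("forward")
        reasons = []
        if forward and forward not in trusted_forwards:
            reasons.append("forwards matching mail to " + forward)
        if forward and ("INBOX" in removed or "UNREAD" in removed):
            reasons.append("hides the forwarded mail from the inbox")
        if added & {"TRASH", "SPAM"}:
            reasons.append("auto-deletes or marks matching mail as spam")
        if reasons:
            findings.append((f.get("id"), f.get("criteria", {}), reasons))
    return findings

def audit_autoforward(setting):
    """Account-wide forwarding is a bigger deal than any single filter."""
    if setting.get("enabled"):
        return "all mail forwarded to " + str(setting.get("emailAddress"))
    return None
```

The sample's f2 is the classic shape to look for: it matches password-reset mail, forwards it elsewhere, and removes it from the inbox so the owner never sees it.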

Advanced techniques

If you’re a CEO, high-profile individual, or at much greater risk of being hacked, consider these additional steps:

– If you already enabled two-factor authentication, consider getting a Security Key. Why? Because a Security Key should stop almost all phishing, even extremely targeted “spear phishing.” Security Keys are still new, but the protection they provide against phishing is extremely good.

– You might actually want to remove your phone number from Google or other account recovery systems. Why? Humans and customer service are usually the weakest link in a security system. Hackers may use social engineering to convince your cell phone provider to add a forwarding number, then attempt to hack your account by sending a recovery code to your phone number and listening on the new/additional number.

To be clear, the vast majority of users will be more protected by adding a recovery phone number to their account. I would only remove the recovery phone number if 1) you are tech-savvy and 2) you believe that someone is likely to attempt to hack or stalk you.
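Why a Security Key defeats even a relayed phishing page, as an added example that is not from the original post: the browser, not the user, stamps the origin it is really connected to into what the key signs, so the genuine site rejects a signature made on a look-alike domain. HMAC stands in for the key's per-site ECDSA signature so this runs on the Python standard library; the origins and user name are constructed.

```python
import hashlib, hmac, json, secrets

class SecurityKey:
    """Constructed model of a U2F-style key: per-origin credentials derived
    from a master secret that never leaves the device."""
    def __init__(self):
        self._master = secrets.token_bytes(32)

    def _credential(self, origin):
        # A real key uses a per-site ECDSA key pair; HMAC stands in here so the
        # example runs on the standard library. Origin binding is the point.
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin):
        return self._credential(origin)  # the site stores this as the credential

    def sign(self, origin, challenge):
        # The browser supplies the origin it is really connected to; the user
        # cannot override it, so a look-alike page gets a look-alike-origin signature.
        client_data = json.dumps({"origin": origin, "challenge": challenge}).encode()
        sig = hmac.new(self._credential(origin), client_data, hashlib.sha256).digest()
        return client_data, sig

class RelyingParty:
    """The real site: knows only its own origin and the stored credentials."""
    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}

    def register(self, user, key):
        self.credentials[user] = key.register(self.origin)

    def verify(self, user, challenge, client_data, sig):
        data = json.loads(client_data)
        if data.get("origin") != self.origin or data.get("challenge") != challenge:
            return False  # signed for a different site, or a replayed challenge
        expected = hmac.new(self.credentials[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def login(site, key, user, browser_origin):
    # browser_origin is the page the browser is actually on, not what the user believes.
    challenge = secrets.token_hex(16)  # issued by the real site; a phisher just relays it
    client_data, sig = key.sign(browser_origin, challenge)
    return site.verify(user, challenge, client_data, sig)

def demo():
    key, site = SecurityKey(), RelyingParty("https://accounts.example.com")
    site.register("alice", key)
    genuine = login(site, key, "alice", "https://accounts.example.com")
    relayed = login(site, key, "alice", "https://accounts-example.com.lookalike.test")
    return genuine, relayed  # (True, False): the relayed signature names the wrong origin
```

A one-time code typed by the user carries no origin, which is why a relayed SMS or authenticator code still works for the phisher and a Security Key assertion does not.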

Those are my major tips. What am I forgetting, or what advice would you give to protect your online accounts?

21 Responses to Improving your account security

  1. Use a password manager, that way you don’t have to remember multiple strong passwords. 1Password and LastPass seem to be the market leaders and they both seem good to me. That way, you need to remember 2 strong passwords: The one for your computer and the one for your password manager.

    • Good point. I’ll add that to the main article–thanks!

      • And for those that are paranoid about using an online service for passwords, KeePass is as good (or better) than both of these solutions in almost every aspect. Since it is a program and not a service you don’t get the “website checking” pieces the others provide, but I gladly sacrifice that (available through many other browser extensions) for having complete control over my vault. And I’m still able to take advantage of accessing it on my mobile devices – and knowing that it’s always encrypted in toto in addition to whatever transmission encryption I’m using.

  2. Great tips. Definitely worth reviewing again. One I would add to the list is that if you do use a recovery phone number, call your cellular provider and set up a voice password on the account. That way, if someone calls regarding your account, they can’t proceed without the voice password and thus can’t change your forwarding settings. There is still room for human error here but it’s another line of defense.

    • Ashraf, I agree with you about that. On the other hand, I’ve seen some articles that say that attackers can still sometimes get by that (not every customer service agent is savvy about those passcodes). Likewise, you’d still be vulnerable to someone who had a friend working for that phone company.

      In most cases, adding a recovery phone number will make you more secure. However, listing a phone number does increase your potential attack surface as well. So if you are super-concerned about security and know exactly what you’re doing, that might be the reason to not list a recovery phone number.

  3. Don’t ignore security on your website either. Use a reputable hosting company and at the least a unique password that consists of at least 10 letters, numbers and symbols. In addition use a captcha to prevent spam and further secure your login. Also back up your site regularly and use an on-site security system such as Wordfence for WordPress.

  4. Smartphones are still not protected enough. Because of frequent use, a strong password is out of the question on such a device, whilst pattern/PIN are not good enough.

    We need a second-factor solution (e.g. a watch or another gadget to keep on you). Because of the air gap between the smartphone and this device there will always be a risk of signal interception, so signals should be encrypted, frequently updated and unique for a particular time slot.

  5. I just thought about using a security key and I am “guilty” of using a small black Moleskine full of passwords. Thank you.

  6. LastPass changed my life. The random password generator feature alone is a godsend.

  7. One thing is missing… one must write down all the account-security-related information like date of account creation, frequent contacts, labels (and other things that they may forget), because Google asks for those details when someone tries to reset the password using the “account recovery form”.

  8. 1. Don’t click on emails asking for your username and password.
    2. Check the URL of the login page.
    3. Check if it’s got the https:// in front of the URL and with the padlock on the left.

  9. Very important: each time you log in to Gmail via a web browser, scroll down and look in the bottom-right corner, where it says: “Last account activity”. You can see when your account was logged in to last and, if you click on “Details”, you can even see the IP and the location. Very useful.

  10. How do you feel about pwsafe or 1pass? I find my passwords to be stranger and all different if I use a password safe. Thanks.

  11. For the more paranoid and sensitive positions, don’t use a desktop/phone mail client that caches messages locally, especially if you are crossing borders. Physical access to your devices will almost guarantee access to their content.

    Consider encrypting your hard drive. Also consider a more robust password than the default 4 digit pin.

    Note, as well, that biometric security actually is less secure in the event law enforcement is involved, since the Supreme Court ruled you can’t be forced to surrender a password but other courts have ruled that you can be forced to give your finger (print) to unlock a device.

  12. Hi Matt,

    Thx for putting this up.

    Have been using Roboform for a long time to keep my long list of passwords safe. In the position you’re in, I hope you have some unbiased opinion or idea of how secure this service is.

    With phone verification I thought I was absolutely safe with Gmail, now with this new information I guess there is nowhere to hide lol.

    Thx again.

  13. Valuable information Matt. I handle my account on a daily basis, but still I was unaware of the fact that obviously hackers can use my phone number to recover the password. I thought that doing this protection level becomes strong but I was wrong. For an account it becomes a compulsion as well. I think security questions and answers are a nice way to secure our account. Thanks Matt for sharing some good information, this was so necessary to know.

  14. Valuable information Matt. I handle my account on a daily basis, but still I was unaware of the fact that obviously hackers can use my phone number to recover the password. I thought that doing this protection level becomes strong but I was wrong. For an account it becomes a compulsion as well. I think security questions and answers are a nice way to secure our account. Thanks Matt for sharing some good information, this was so necessary to be implemented.

  16. Matt, I used a second Gmail account just for recovery purposes on various accounts. That way if my primary account was hacked someone couldn’t use that account to reset passwords on other accounts.

  17. You need a method of generating random strong passwords. I use the generator in a password vault to make the ones I use on web sites, but those don’t work on systems where I have to remember the password and type it in (like the password vault, or workstation login), and I have 6-7 of those. Murray and I have been working that out for a couple of years now and have settled on using a diceware system with a pad of numbers and special characters. Diceware alone is sufficient as far as security goes, but those passwords won’t be accepted on most systems. Four random words and a pad generate 80-100 bits of entropy.

    I use two password vaults, one for daily work and puttering about the internet, and one for my financial and other personal data. I use random answers to security questions, keep those and one-use two factor keys outside the vaults in an encrypted space.

    Lastly, I recommend keeping a file with all of your passwords in clear text in your safety deposit box, or get a close friend to encrypt a key and put your passwords on that. That way if something happens to you, your family can get at your stuff.

  18. If you like to use the same preferred password for many locations and you maintain a list, visually encrypt the passwords for an additional layer of protection. E.g. Myfavepa$$word12 would be shown as M**************2. The M and the 2 in the “encrypted” password let you know what the rest of the password would be.
