Every year or so, it’s worthwhile doing an audit of your online security. The most important accounts to protect are your bank accounts and your email accounts. Here are some things to consider doing:
– Choose strong passwords. Just as important: don’t re-use the same password across web services. Consider using a password manager like LastPass or 1Password to generate strong, secure passwords and keep them safe.
– Add two-factor authentication to your important accounts. Certainly your Gmail account, but also your Twitter account, domain registrar, etc.
– Let’s get specific about your Gmail/Google account now. Open your account’s security settings. For Google, print out backup codes for your 2-step verification and keep them somewhere safe. Add a recovery email address and phone number to your account. Check that everything looks locked down tight, e.g. no app passwords that you don’t remember creating.
– Make sure you put a PIN on your phone number or cell phone voicemail. Why? If Google or another service leaves a recovery code in your voicemail, you don’t want hackers to access your voicemail easily by spoofing caller ID.
– In Gmail, check for any unexplained filters or forwarding rules where a hacker could be forwarding your email to a different email address.
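As an added example (not part of the original post), here is a small audit script for the last item. Gmail can export your filters as an XML file (Settings, Filters and Blocked Addresses, Export); this script parses that file and flags any rule that forwards mail or hides it (trash, archive, mark as read) without filing it under a label, which is the shape a rule planted by an intruder usually takes. The property names follow the Atom-based export format as I understand it, and the sample document and addresses are constructed for the demo.

```python
"""Audit an exported Gmail filter list for rules that hide or forward mail.

Added example, not from the original post. Assumes the XML that Gmail's filter
export produces: one <entry> per filter, each with <apps:property name=... value=...>
elements for criteria (from, to, subject, hasTheWord) and actions (forwardTo,
shouldTrash, shouldArchive, shouldMarkAsRead, label). Sample data is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "apps": "http://schemas.google.com/apps/2006",
}

# Actions that keep mail out of the owner's sight, and actions that copy it elsewhere.
HIDING_ACTIONS = {"shouldTrash", "shouldArchive", "shouldMarkAsRead"}
EXFIL_ACTIONS = {"forwardTo"}
CRITERIA = {"from", "to", "subject", "hasTheWord", "doesNotHaveTheWord"}

# Constructed sample: one ordinary newsletter rule, one exfiltration rule, one
# rule that silently marks everything as read.
SAMPLE_FILTERS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR verification OR invoice'/>
    <apps:property name='forwardTo' value='unknown-mailbox@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='to' value='me@example.com'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        filters.append(props)
    return filters


def audit_filters(filters):
    """Return (index, reasons) for every filter that forwards or hides mail.

    Archiving under a label (the newsletter case) is ordinary and is not flagged.
    Hiding mail with no label, or forwarding it anywhere, is reported.
    """
    findings = []
    for i, props in enumerate(filters):
        reasons = []
        for name in sorted(set(props) & EXFIL_ACTIONS):
            reasons.append(f"forwards matching mail to {props[name]}")
        hiding = sorted(set(props) & HIDING_ACTIONS)
        if hiding and "label" not in props:
            # No label means the owner is left with no trace the message arrived.
            reasons.append("hides mail without applying a label: " + ", ".join(hiding))
        if reasons:
            criteria = {k: v for k, v in props.items() if k in CRITERIA}
            reasons.append(f"matches on {criteria if criteria else 'ALL mail'}")
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in audit_filters(parse_filters(SAMPLE_FILTERS_XML)):
        print(f"filter #{index}:")
        for r in reasons:
            print("   -", r)
```

To audit your own account, replace `SAMPLE_FILTERS_XML` with the contents of the exported file; anything the script prints deserves a second look, and forwarding to an address you do not recognise should be removed immediately along with a review of the account's forwarding settings.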
If you’re a CEO, high-profile individual, or at much greater risk of being hacked, consider these additional steps:
– If you already enabled two-factor authentication, consider getting a Security Key. Why? Because a Security Key should stop almost all phishing, even extremely targeted “spear phishing.” Security Keys are still new, but the protection they provide against phishing is extremely good.
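To show why a Security Key holds up against a lookalike login page, here is an added example (not from the original post) that models the WebAuthn assertion flow in miniature: the browser writes the origin it is really connected to into the clientData it hands the key, the key signs over the rpId hash plus a hash of that clientData, and the real site checks origin, rpId hash and challenge before accepting the signature. The key's asymmetric signature is simulated with an HMAC over a per-site secret so the script runs on the standard library alone; the origins and names are constructed for the demo.

```python
"""Origin binding: why a relayed Security Key assertion fails at the real site.

Added example, not from the original post. HMAC stands in for the authenticator's
signature; everything else mirrors the WebAuthn checks a relying party performs.
"""
import hashlib
import hmac
import json
import secrets


class SimulatedSecurityKey:
    """One credential secret per relying-party ID; signs only what it is handed."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # stands in for the public key the site stores

    def sign(self, rp_id, client_data_json, counter=1):
        if rp_id not in self._creds:
            raise KeyError(f"no credential for rpId {rp_id!r}")
        # authenticatorData = SHA-256(rpId) || flags (user present) || 32-bit counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._creds[rp_id], to_sign, hashlib.sha256).digest()


class Browser:
    """Builds clientData from the origin the tab is actually connected to."""

    def __init__(self, enforce_rp_id=True):
        self.enforce_rp_id = enforce_rp_id  # False models a client that skips the check

    def get_assertion(self, key, origin, rp_id, challenge):
        host = origin.split("://", 1)[1]
        if self.enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"rpId {rp_id!r} is not a registrable suffix of {host!r}")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        auth_data, sig = key.sign(rp_id, client_data)
        return client_data, auth_data, sig


class RelyingParty:
    """The real site: issues challenges and verifies assertions."""

    def __init__(self, origin, rp_id):
        self.origin, self.rp_id = origin, rp_id
        self.pubkey = None
        self.issued = set()

    def enroll(self, key):
        self.pubkey = key.register(self.rp_id)

    def new_challenge(self):
        c = secrets.token_urlsafe(32)
        self.issued.add(c)
        return c

    def verify(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return "rejected: wrong ceremony type"
        if cd.get("challenge") not in self.issued:
            return "rejected: unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return f"rejected: origin mismatch ({cd.get('origin')})"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rejected: rpIdHash mismatch"
        expected = hmac.new(self.pubkey, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "rejected: bad signature"
        self.issued.discard(cd["challenge"])  # single use
        return "ok"


REAL_ORIGIN, RP_ID = "https://accounts.example.com", "accounts.example.com"  # constructed
PHISH_ORIGIN = "https://accounts-example.com"  # constructed lookalike


def legitimate_login():
    key, rp = SimulatedSecurityKey(), RelyingParty(REAL_ORIGIN, RP_ID)
    rp.enroll(key)
    challenge = rp.new_challenge()
    return rp.verify(*Browser().get_assertion(key, REAL_ORIGIN, RP_ID, challenge))


def phishing_attempt(browser_enforces_rp_id=True):
    """Lookalike page relays the real site's challenge, then relays the assertion back."""
    key, rp = SimulatedSecurityKey(), RelyingParty(REAL_ORIGIN, RP_ID)
    rp.enroll(key)
    challenge = rp.new_challenge()
    try:
        assertion = Browser(browser_enforces_rp_id).get_assertion(key, PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError as e:
        return f"browser refused: {e}"
    return rp.verify(*assertion)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phishing, normal browser:", phishing_attempt())
    print("phishing, permissive client:", phishing_attempt(browser_enforces_rp_id=False))
```

Two layers do the work. A conforming browser refuses to let the lookalike origin ask the key for the real site's credential at all; and even if a client skipped that check, the origin the user actually visited is baked into the signed clientData, so the real site rejects the relayed assertion. There is no code for the user to type and nothing for the lookalike page to capture, which is the difference from SMS or app-based codes.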
– You might actually want to remove your phone number from Google or other account recovery systems. Why? Humans and customer service are usually the weakest link in a security system. Hackers may use social engineering to convince your cell phone provider to add a forwarding number, then attempt to hack your account by sending a recovery code to your phone number and listening on the new/additional number.
To be clear, the vast majority of users will be more protected by adding a recovery phone number to their account. I would only remove the recovery phone number if 1) you are tech-savvy and 2) you believe that someone is likely to attempt to hack or stalk you.
Those are my major tips. What am I forgetting, or what advice would you give to protect your online accounts?