It’s not always obvious, but your email account is one of the most important things you have on the Internet. (Jeff Atwood wrote a really good post about this back in 2008!)
Your email account is like the keys to the city because when you sign up for just about any service on the Internet they’ll ask you for your email address. If you forget your login details guess where they’ll send your password reminder?
This means that if someone gets into your email account, getting into everything else is pretty simple. Also consider that email accounts now come with gigabytes of storage, so we rarely delete anything, and it’s not difficult to browse through years of old messages and work out exactly which accounts to target.
So why is it a big deal? Your money and your identity!
If you pay for stuff online it’s highly likely you’ll be using something like PayPal.
Once this person has access to your email account, resetting the passwords on those other services is a bit of a doddle and they are free to do whatever they want with your cash. Yes, you may eventually realise what’s going on and cancel the card, but how long will that take and how much inconvenience will it cause?
More and more websites also let you sign in with credentials from another website (your Google or Facebook account, for example), so one compromised account opens those too.
So what to do?
First, make sure you’ve got a good password; that goes without saying. If you want an additional layer of security you should activate two-factor authentication for your Google account.
What’s two factor authentication?
To log in to a website at the moment all you have is something you know: a password.
The problem with that is that if someone else learns the same thing (by guessing it, phishing it or lifting it from a breach of another site) there is nothing to stop them using it.
Two-factor authentication means that as well as something you know you also rely on something you have.
Google call this “2-step verification” – presumably to make it sound a little less scary.
All well and good but Google aren’t going to hand out tokens to everyone right?
In a manner of speaking yes they do.
There is one thing that just about everyone who uses a computer will have on their person at all times:
A mobile phone.
Here’s how it works. When you sign in with your password from a computer Google doesn’t recognise, it sends a short one-time code to your phone by text message or automated voice call.
You can’t log in until you’ve entered that code.
You can then optionally tell Google to trust that computer, in which case it won’t ask you for a code again on that machine for 30 days.
This means that if anyone else guesses or steals your password they still won’t be able to log in from their own machine, because they don’t have your phone!
There is also an app you can use as an alternative, called Google Authenticator, that effectively turns your phone into a SecurID token: it generates a fresh six-digit code every 30 seconds from a secret you share with Google once at setup, so it doesn’t even need a mobile signal or an active internet connection.
It’s worth mentioning that other services also have similar schemes.
Hotmail will send you a single-use code via text message if you’re on a computer you wouldn’t normally use. These codes expire after 15 minutes and you enter one instead of your password. It’s not quite two-factor authentication, but it would stop a keyboard logger from stealing your password. Details on that are here.
Facebook will send you a code via text message when you log in from a computer it doesn’t recognise (you can authorise your computers); they call this “Login Approvals”. Details are here. The only thing I’ll say about this is that when I tried to set it up I gave up after 30 minutes as I didn’t receive the first text message!
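The text-message codes described above (Google’s sign-in code, Hotmail’s 15-minute single-use code, Facebook’s Login Approvals) are the other common design: the server invents a code, sends it out of band and remembers it until it is used or expires. Here is an added example of the server side of that, written by me to illustrate the post and not taken from any of those services. The 15-minute lifetime comes from the Hotmail description; the five-attempt limit and the use of a server-held HMAC key rather than a plain hash are my assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example: the 15-minute lifetime matches the Hotmail description;
# the attempt limit is my choice (with only 10**6 possible codes, an unthrottled verifier is
# guessable well inside the lifetime).
CODE_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5
CODE_DIGITS = 6

# Assumed: a key held by the application process (or an HSM), NOT stored alongside the codes.
# A plain SHA-256 of a six-digit code is reversed by trying all 10**6 values, so what we store
# is an HMAC under this key instead of a bare hash.
SERVER_KEY = secrets.token_bytes(32)


def _tag(code: str) -> bytes:
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()


class OneTimeCodeStore:
    """Issues and verifies single-use codes delivered out of band (text message or voice call)."""

    def __init__(self) -> None:
        self._pending: dict = {}      # user -> [tag, expiry timestamp, failed attempts]

    def issue(self, user: str, now: float) -> str:
        """Create a fresh code for `user`; the return value is what goes into the SMS.
        Issuing again replaces any earlier code, so at most one code is ever live per user."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"   # CSPRNG, zero-padded
        self._pending[user] = [_tag(code), now + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, user: str, submitted: str, now: float) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                       # nothing issued, already used, or already expired
        tag, expiry, attempts = entry
        if now > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[user]            # dead code: the user must request a new one
            return False
        entry[2] = attempts + 1
        if hmac.compare_digest(tag, _tag(submitted)):
            del self._pending[user]            # single use: consumed on the first success
            return True
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice", time.time())
    print("would send by SMS:", code)
    print("first use:", store.verify("alice", code, time.time()))
    print("replayed:", store.verify("alice", code, time.time()))
```

Compared with the Authenticator approach, this needs a working delivery channel and a database of live codes, which is exactly what went wrong in the Facebook anecdote above when the first text never arrived; on the other hand the user doesn’t have to install anything.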
I’m talking specifically about Gmail here though as it was the first account I held that offered this extra security.
Setting it up is pretty straightforward.
1) Visit this link: https://www.google.com/accounts/SmsAuthConfig and sign in.
3) Choose whether you’d like to receive your codes by text or by voice call. You can always change this later.
4) Enter your phone number, then click Send verification code to receive a code on your phone.
5) Enter the code from the text or voice message into the box, then click Verify.
6) Next you’ll be asked whether you want to remember the computer you are using. If you check the box, you won’t need to enter a code to sign on with this computer for the next 30 days. Don’t check this box if you are using a public computer or a device that you don’t regularly use to sign in.
7) Click Turn on 2-step verification to finish the process!
Done! At this stage, if you want to use the Google Authenticator app, you can set it up with these instructions.
The only other thing left to consider is any application that accesses your account without going through the web login, where the verification step can’t happen. You may be checking your email via Outlook or via an app on your phone, for example. Such an application is designed to ask for a user name and password and doesn’t know anything about verification codes.
To get around this you can generate an application-specific password. When Google receives this password together with your user name it grants access without asking for a verification code. Google generates the password for you; you paste it into the application once, it isn’t used anywhere else, and you don’t have to memorise it. Bear in mind that “application-specific” is only a label: the password isn’t tied to the program you named it after, it gives the same access as your main password and it bypasses the second factor entirely, so it should only ever live inside the application it was generated for.
These passwords can be revoked at any time if you’re worried one may have been compromised, or if you simply want to generate a new one. Google has good setup instructions for this here (otherwise this post would end up even longer than it is!).
Hopefully all this makes sense and it’ll at least make you think about how you secure your important accounts. It’s good that companies are taking steps to improve security, and this will only get better over time, but ultimately you’re responsible for your own data.