Google Account Security Best Practices

When YouTube product manager Rick Klau received an email from his father wondering what he should be doing to keep his account secure, the Google employee responded with this fairly comprehensive response—perfect for auditing your account security or for sending on to friends or family who could use the boosted privacy.

A family member recently asked me some questions about how to keep his Google account secure, and I wrote up a bunch of recommendations for how to stay safe. I then realised after I sent the email that this was probably good stuff to share for people who might not know about all of the options when it comes to protecting their account.

Bolster Your Google Account Security

1. Pick a strong password for your Google Account (in many cases, your Gmail address). Strong = not something you use everywhere else, a combination of letters and numbers, and at least one symbol in there is ideal. (Here are some tips on picking a good password if you need some ideas.)

2. Make sure your Google Account recovery options are set - visit the account recovery options page and make sure you have a backup email address, and that your mobile number is listed on your account. Should you ever lose access to your account, these will be instrumental in restoring access.

3. Set up Two Step Authentication on your Google Account. Details are here (or see this Lifehacker guide). You can set it up by starting at this link. What this does is block anyone else from logging into your account - even if they have your username and password. This requires you to have access to a physical device - your iPhone, Android or Blackberry phone - to ensure that you are really you. This may seem like overkill - but it's a key step to ensuring that your account is secure. There are ways committed hackers can discover your password - even if they get it they won't be able to do anything with it unless they also have your phone. Go through the process of installing the app on your phone (this page has the download link and instructions for setting it up); once done, here's how it will work:

  • the first time after you enable this, Google will ask you to log in. You'll provide your username and password, then Google will ask you for your "verification code". Launch the Google Authenticator app on your phone, and then type in the six-digit code from the phone into the verification code box in your browser.
  • if this is your computer, check the box "remember verification for this computer for 30 days" before clicking verify... you won't need to provide the verification for a month. (If it's a shared computer, don't check this!)
  • You'll see this anytime you try logging in from another computer (e.g., your laptop, your work computer, the iPad, etc.) - it's a bit more cumbersome (just a bit), but the advantage is that your account is far more secure than just a username/password. It's worth it.
4. IMPORTANT: once you've set two step verification up, you may need to change the password for your phone and/or other apps that are communicating with Google's servers. (For instance, I had to do this for iMovie this morning when uploading a video to YouTube.) Because these apps don't know how to check for the verification code (they just know username/password), Google has a back-up: an "application specific password" — you set these up here (see the bottom of the page: "application specific passwords"). Type in a name - say, Nexus S - and then click "generate password". You'll get an auto-generated string of characters, which you will then type into your phone or application's password field for your account.

5. Check to see what applications/services you've authorised to have access to your Google Account. Go here and see what websites/applications are listed - these are services who you previously granted access to your Google Account. If there are any there you no longer use, or sites you didn't intend to authorise, click revoke. (I'll come back to this later - as you centralise your email, address book, calendar, etc. on your Google Account, authorising other services to access this info can be very powerful - but you will want to use discretion in deciding which services get access to this data. It probably goes without saying - only grant access to trustworthy sites who you have absolute faith will not compromise the integrity of your data.)

6. Phone: if you don't already have a passcode on your phone, turn it on so that someone getting possession of your phone can't use it without knowing your passcode. (Otherwise anyone getting the phone can read your mail, receive "forgotten password" emails that would help them reset passwords on your account(s), etc.)

If you do those things, you'll have dramatically increased the security of your information online, and prevented any ongoing security problems. Now here are some best practices to keep in mind:

Google Account Security Best Practices

1. Try to use your Google Account when you log in to other services. When prompted to create a new account, look for a "login with Google" option. This will allow you to use your Google identity on those sites - not only is this simpler for you (one less username/password to remember!), it's also more useful (the service can access your contacts/information, helping you avoid having to manually enter more info) and it's more secure (when you're through with the site, you simply revoke its access to your info).

2. NEVER manually type your Google account information (username/password) into a webpage that is not owned/provided by Google. If you do this, you have no guarantee that the middle-man you've just shared your credentials with will protect that info. (This is why, by the way, Google's 2 step authentication is so useful - even if you did this, your info would be useless without the phone verification code. So long as you retain control of that, you're safe!) Whenever you're asked to log in with Google, the right way to do this is for them to send you to Google (look in your browser's address bar: is the URL google.com?), where you are asked to log in if you're not already logged in, then you are asked whether you want to grant access to the referring app. Say OK, and you'll be returned to the app, which is now approved by Google.

3. Keep an eye on Gmail's "last account activity" feature if you're concerned that someone else may be accessing your account. Towards the bottom of the page in Gmail you'll see something that says "last account activity". Click "Details" to see a report of where your account is being accessed from; you can sign out all other sessions from that page, as well as review the actual location/IP address of any other computers accessing your account. (Gmail keeps an eye on this as well, and may contact you if suspicious activity is detected.)

4. Don't email sensitive files as attachments. Upload the files you want to share to Google Docs, and use Docs to control access to the files. Ideally you will share the file with a Google Account user. This is the most secure, and is helpful in the event you ever want to stop sharing with that user - you simply remove them from the list of people who can view the file. If that's not an option - the user doesn't have a Google Account, for instance - you can set the document's visibility to 'anyone with the link'. This has some risks - the person you share with can share the link with someone else - but you retain control of the document, which means you can delete it, or update the security settings to require login to view... either of which is much more secure than files you email as attachments, which you lose control of the minute you hit 'send'. And whatever you do, be smart about who you email those files (links or otherwise) to in the first place.

5. Don't send passwords in email. While Gmail uses https to encrypt all traffic between your browser and the Gmail server, there's no guarantee that the recipients of your emails containing passwords are similarly secure.

Any other tips for keeping your account secure? Let's hear 'em in the comments.

Rick Klau is a Product Manager at YouTube, where he focuses on the homepage and social features across the site. His blog is at http://tins.rklau.com, his YouTube channel is at http://www.youtube.com/rklau and you can follow him on Twitter @rklau.


Comments

    Here are some other tips readers may find useful.

    Such as enable SSL, and follow Google's security checklist (For gmail) + more
    http://www.jackcola.org/blog/137-how-to-protect-yourself-online-while-using-facebook-gmail-and-other-websites

    and how to help protect your online identity
    http://www.jackcola.org/blog/122-how-i-protect-my-personal-and-online-identity

    If I provide my mobile number to Google for account recovery purposes, is it secure?

    I fear my mobile number will be provided (either deliberately or by accident) to advertisers etc who send spam SMS messages.

      No, they don't send spam. They have had my phone number for well over a year now and I have never received any form of spam.

    None of this fixes a major issue I am in the middle of:

    I created, in my own time from my own computer, a YouTube Channel for the company I worked for but now do not work for them.

    At some stage, I gave over the channel to the owner of the company by giving him my email address & password. This was all BEFORE the whole Google linking to YouTube confusion.

    The owner of the company then changed the login details to a gmail email address with a new password, which I also know.

    Now the owner has somehow created another username for the same Google account and has uploaded his first video to that newer username.

    If we log in to YouTube with his email address and his password, only the new username/account/video (single video) is visible.

    But, if I'm logged in and click on my browser's BOOKMARK for my/our YouTube Channel.... my old original channel with 200 videos comes up. As soon as I click on Account or anything, it goes to the new account with the single video.

    How can we sort out this mess?

    Ideally, I would like to remove/delete the old account/username so that all the old videos (200 of them) are gone so that there is only a single username/account with currently a single video for a fresh start for the company.

    It is so confusing my brain is melting.

    "This requires you to have access to a physical device – your iPhone, Android or Blackberry phone – to ensure that you are really you."

    I find it disconcerting that I am now only really me when my phone is plugged into my head. I feel like a cyborg.

    What happens with two step authentication when I lose, break, change my phone?

    I think I liked it better when "Two Step Authentication" involved a couple of long-neck Budweisers, a Texas blond and a little "Boot-Scootin' Boogie".
