So recently Jonathan Moyo, a prominent and outspoken Zimbabwean politician, had his Gmail account hacked. Given how he is a professor and he was hacked, how do we ordinary people secure our Gmail accounts from those who seek to get our data? Here are some things you could do to get started on building a fort around your Gmail account.
It all starts with reviewing the status of your Gmail account
For you to know what you need to do, you first have to know the security status of your Gmail account. Simply go to security check up section of your Gmail account settings. This step will show you the different areas associated with the security of your account e.g your password, recovery information, account permission, Gmail settings and 2-step verification settings.
Get a stronger password
Once you’ve reached the security checkup section, you’ll be shown a section for your password as the first section. Even though it says security check-up, it doesn’t seem to tell you how strong your password is, so it’s up to you to get a strong password.
Generally, a strong password is one that has a mixture of letters, numbers, and symbols. It shouldn’t be easily guessed or associated with your personal details e.g your name or the city you live. A strong password is important because it is the main door to getting into your account. Password managers make it easy for you to create a strong password so you might want to consider starting to use one.
Once you’ve generated a strong password from a password manager or you’ve come up with one, change the password from that section. To keep your account secure, you should change your Gmail password every 3 months, so in a year you’ll have around 4 different passwords. If you want to be more secure then you can even increase the frequency of password changes.
Don’t set up 2 step verification this way
Remember how we likened a password to the main door? 2-step verification adds a second door for someone to go through before they gain access to your Gmail. Now, I’ve heard a lot of people saying 2 step verification can be hacked easily and that it’s not really that useful, I think they’re right but at the same time, it can be easily hacked if you don’t use the better versions of it.
The most common example of 2 step verification is one where you get an SMS or a call with a 6 digit code that you will enter before you are able to gain access to your account. This is usually activated to safeguard against people logging into your account easily as it is triggered when a new device is detected to be trying to sign in.
This method of 2 step verification can be bypassed or hacked if someone manages to intercept the SMS or call and get the code instead of you. Due to this, some people have automatically ruled out 2 step verification but that is just one way of doing it on a Gmail account.
Do consider Google Authenticator for Gmail 2 step verification
Another method of 2 step verification is using the Google Authenticator app. The app generates the codes and they are only accessible from your phone since it is the one that is linked to your account through the Google Authenticator app. When someone tries to log into your Gmail account from a different device, they will need to get a code from that app. So if they don’t have your phone then they’ll have a difficult time getting in.
What if you lose your phone and you were using Google Authenticator for 2 step verification?
Generate backup codes for offline use or when you lose your phone
Google allows you to generate 10 unique backup codes that you can use in the event that you’re either offline and a can’t use Google Authenticator app or maybe your phone has been stolen/lost. You will be able to use those codes to login to your Gmail account using one of the codes. Once you use a code, you will not be able to use it again.
These codes can be printed so that you can have them with you even if you don’t travel with any of your gadgets.
If you really want to make things super difficult for anyone to log in, consider this
To make it super difficult for anyone else to log into your Gmail account and make it very secure, consider using a physical security key. This is basically a device which you have to plug into one of your computer’s USB ports and it will act like the Google Authenticator app and allow you to login to your account. If no one else has that device then they can’t log in even if they know your password and vice versa.
For you to be able to use such a device as your 2 step verification, you’ll need to set up at least 1 backup option. In that case, you could then use backup codes for the alternative option for you to login to your device in case you’re not near that physical security key device. All this is great for security but it can be quite inconvenient.
You can have convenience without sacrificing security
If you have a strong password then you can enjoy the convenience of some of the other methods of 2 step verification. For example, you could use Google prompt as your second door. So whenever you try to login to your Gmail account from a new device, a pop-up prompt will show up on your linked device once you’ve entered the password.
All you have to do is take yes or no to allow the device to be logged in. This saves you time if you’re constantly near your phone. To make sure you eliminate other inconveniences that might arise if you don’t have your phone nearby for you to tap yes, you could setup multiple backup 2 step verification methods.
So your primary might be Google Prompt followed by Google Authenticator and if you still don’t have access to both those, you can have backup codes and if push comes to shove setup SMS/call verification. If you’re not a large target then chances are that any one of those will do and someone won’t probably put that much effort to intercept your SMS code if they don’t see the value in it.
However, if you’re a popular person then make it as difficult as you can while still maintaining some sort of convenience so you don’t lose your mind every time you try to login to your Gmail account. These are not all the ways you can secure your Gmail account, these are just the ones that Google offers to you that you could use to be secure enough. So if you know more, do let us know in the comments section.
Let us know what you think about all these different methods of securing your Gmail account. Do you think they work? What would you like to be added as a 2 step verification method? Is your Gmail secure?
11 comments
I use Authy to log on to all my online accounts. Cannot live without it.
Good advise but Moyo’s gmail being hacked??
Trust Moyo at your own risk
this is a good article overall but i think it is somewhat misleading to suggest that it is easy for someone to intercept a call or sms message coming into your phone. Whilst I am sure it can be done its not something that the average person/hacker is able to do with ease. i would think that this method of 2 step authentication is acceptable and safe.
How do you intercept an SMS destined as a OTP ?
At times you guys waffle.Stick to what you know.
2-way verification is the safest.
Was curious about that too. The author makes it sound so trivial. They are also forgetting that SMSes and calls work when your verfication device is offline.
Nezvimbudzi too 😉
Thanks for the feedback. 2 step verification can be done using other methods other than just SMS which is what I tried to outline in the article as some people have said it’s not useful because some people out there are able to intercept the SMS but in fact it is useful because there’s more than one way of doing 2 step verification and like you said, it’s not as easy as some people have said it is when they discounted 2 step verification. Thanks again, would like to hear more about what you think about the subject.
How many are the “some people” that can actually intercept an SMS? And, of those how many are in Zimbabwe? The non-trivial proof of concepts done by high tech security teams use $5,000 equipment. Further to that, one first needs to acquire the specific IMSI for that subscribers SIM for the line linked to their Gmail account, requiring close proximity to the target. Absent that you have to get the users physical device, to which any other form of 2 Step authentication is vulnerable.
Alright. Thanks for sharing.
I doubt that there is anything called “safe” or “secure” when one is:-
1. using shareware or freeware etc. Ask yourself, why do companies offer freeware or shareware? They want your data or traffic – why should they waste time, effort and money making it difficult for them to get what they need?
2. saving their files on a server or computer on which they have no control but lots of faith. I trust & believe in the Lord, but I lock my house & car!
3. not fully aware of what computer safety or security actually is.
Computers are now ubiquitous and the majority of computer users have a very limited grasp of the complexity of communication between devices at the various OSI model layers. This is because most users are “stuck” at the application layer, everything else being a “black box” just like car drivers.
My take is, if you have highly confidential stuff, save it on media (not devices) that you can touch and feel and keep that in a safe, secure place. Once you outsource this forget “security” because you have NO control thereafter just loyalty or faith in the service provider, who may have rogue elements amongst their staff.
Public domain emails and social media do not offer much security because it is not their core business or even in their interests to do so. Besides, it costs money to build in reliable security into applications. Accounts in linkedIn, facebook, whatsapp etc all have been hacked at some point.
Much as we might resent it, there are folks out there who have the skills, knowledge, tools, patience, experience, time and money to play around testing security to the limit – you can never beat them. They enjoy the thrill of cracking systems!
Interesting views you got there and I do agree with some of the stuff. Thanks for sharing.