October 7, 2010

Gmail's Security Checklist

Gmail's support site has a security checklist that's useful if you want to make sure that your Gmail account is secure. There are some obvious tips like updating your operating system and your browser, but Google also posted some advanced tricks:

1. "Check the list of websites that are authorized to access your Google Account data. Make sure that the list of authorized websites is accurate and contains only ones that you have chosen. If your Google Account has been compromised recently, it's possible that the bad guys could have authorized their own websites to access your account data." To edit the list of authorized websites, go to this page.

2. "Check your browser for plug-ins, extensions, and third-party programs/tools that require access to your Google Account credentials. Plug-ins and extensions are downloadable computer programs that work with your browser to perform specific tasks. For example, you may have downloaded a plug-in or extension that checks your Gmail inbox for new messages. Google can't guarantee the security of these third-party services. If those services are compromised, so is your Gmail password."

3. "Confirm the accuracy of your mail settings to ensure that your mail stays and goes where you want it to. Sign in to your account and click on the Settings link at the top to check the following tabs:

* General: Check Signature, Vacation Responder, and/or canned responses for spammy content
* Accounts: Verify your Send Mail As, Get mail from other accounts, and Grant access to your account are all accurate.
* Filters: Check that no filters are sending your mail to Trash, Spam, or forwarding to an unknown account.
* Forwarding and POP/IMAP: Ensure your mail isn't sent to an unknown account or mail client."

4. "Check for any strange recent activity on your account. Click the Details link next to the 'Last Account Activity' entry at the bottom of your account to see the time, date, IP address and the associated location of recent access to your account."

5. "Use a secure connection to sign in. In your Gmail settings, select 'Always use HTTPS.' This setting protects your information from being stolen when you're signing in to Gmail on a public wireless network, like at a cafe or hotel."
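Items 3 and 4 of the checklist are manual reviews, but both reduce to a few mechanical questions: does any forwarding, send-as alias, filter or auto-reply point somewhere the owner does not recognise, and does any recent sign-in come from a network the owner does not use? The script below is an added example written for this page; it is not Google's code and not part of the original post. It assumes the settings dictionary uses the key names of the Gmail API's users.settings resources (autoForwarding, forwardingAddresses, sendAs, filters, vacation), which did not exist when the post was written; every address, IP and network in it is constructed sample data so it runs offline.

```python
import ipaddress
import re

# Constructed sample; key names follow the Gmail API's users.settings
# resources (an assumption about shape, not data from a real account).
SAMPLE_SETTINGS = {
    "autoForwarding": {"enabled": True, "emailAddress": "archive@example.net",
                       "disposition": "archive"},
    "forwardingAddresses": [{"forwardingEmail": "relay@example.net",
                             "verificationStatus": "accepted"}],
    "sendAs": [
        {"sendAsEmail": "owner@example.com", "isPrimary": True},
        {"sendAsEmail": "alias@example.com", "isPrimary": False},
    ],
    "filters": [
        {"id": "f1", "criteria": {"from": "newsletter@example.org"},
         "action": {"addLabelIds": ["Label_7"]}},
        {"id": "f2", "criteria": {"query": "password OR verification"},
         "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["TRASH"]}},
        {"id": "f3", "criteria": {"from": "bank@example.org"},
         "action": {"forward": "collector@example.net"}},
    ],
    "vacation": {"enableAutoReply": True,
                 "responseBodyPlainText": "Claim your prize at http://example.net/win"},
}

# Addresses the account owner actually recognises (constructed).
KNOWN_ADDRESSES = {"owner@example.com", "alias@example.com"}

# A URL in an auto-reply is the simplest "spammy content" heuristic.
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def audit_settings(settings, known_addresses):
    """Checklist item 3: return one finding per setting that routes mail
    somewhere unexpected or hides it in Trash/Spam."""
    findings = []

    def flag(check, detail):
        findings.append({"check": check, "detail": detail})

    # Forwarding and POP/IMAP tab: account-wide auto-forwarding.
    auto = settings.get("autoForwarding", {})
    if auto.get("enabled") and auto.get("emailAddress") not in known_addresses:
        flag("auto-forward", auto.get("emailAddress"))

    # Registered forwarding addresses, even if not currently active.
    for fwd in settings.get("forwardingAddresses", []):
        if fwd.get("forwardingEmail") not in known_addresses:
            flag("forwarding-address", fwd.get("forwardingEmail"))

    # Accounts tab: "Send mail as" aliases other than the primary address.
    for alias in settings.get("sendAs", []):
        if alias.get("isPrimary"):
            continue
        if alias.get("sendAsEmail") not in known_addresses:
            flag("send-as", alias.get("sendAsEmail"))

    # Filters tab: anything that trashes, spams or forwards mail.
    for flt in settings.get("filters", []):
        action = flt.get("action", {})
        if set(action.get("addLabelIds", [])) & {"TRASH", "SPAM"}:
            flag("filter-trash-or-spam", flt.get("id"))
        target = action.get("forward")
        if target and target not in known_addresses:
            flag("filter-forward", f"{flt.get('id')} -> {target}")

    # General tab: vacation responder carrying a link.
    vacation = settings.get("vacation", {})
    if vacation.get("enableAutoReply") and URL_RE.search(
            vacation.get("responseBodyPlainText", "")):
        flag("vacation-url", vacation.get("responseBodyPlainText"))

    return findings


# Constructed "Last Account Activity" rows and the owner's usual networks.
SAMPLE_ACTIVITY = [
    {"time": "2010-10-07 09:12", "ip": "192.0.2.10", "location": "Home ISP"},
    {"time": "2010-10-07 13:40", "ip": "198.51.100.7", "location": "Office"},
    {"time": "2010-10-07 03:05", "ip": "203.0.113.55", "location": "Unknown"},
]
TRUSTED_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24"]


def flag_unfamiliar_access(events, trusted_cidrs):
    """Checklist item 4: return activity rows whose IP lies outside every
    network the owner recognises."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    return [ev for ev in events
            if not any(ipaddress.ip_address(ev["ip"]) in n for n in nets)]


if __name__ == "__main__":
    for f in audit_settings(SAMPLE_SETTINGS, KNOWN_ADDRESSES):
        print(f"[{f['check']}] {f['detail']}")
    for ev in flag_unfamiliar_access(SAMPLE_ACTIVITY, TRUSTED_NETWORKS):
        print(f"unfamiliar access: {ev['time']} {ev['ip']} ({ev['location']})")
```

On the constructed sample this reports the auto-forward, the extra forwarding address, the filter that trashes password mail, the filter that forwards bank mail, and the auto-reply with a link, while the recognised send-as alias passes; the activity check singles out the one sign-in from outside the home and office networks. A finding is a prompt to look, not proof of compromise: the remediation the post implies still applies, namely removing the setting, changing the password and closing open sessions.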

9 comments:

  1. All checked! Don't forget to update.

  2. Too bad that Gmail gadget in iGoogle can't use HTTPS.... :(

  3. And check browsers for any forged certificates that have been installed as trusted root certification authorities.

  4. Grr, yet again I run into a problem with my Google Apps account. What URL do I need to access the list of authorized websites? Using the "sign in as a different user" option only allows me to log in using non-Apps accounts. Lord knows why, but the silly account system lets me have two accounts with the same email address (thomas@[mydomain]): one for Apps and one for Gmail. Uber frustrating. I really wish I could have a merge-account feature.

  5. There is one thing here that really ticks me off. Checking "Last Account Activity" reveals my account has been accessed from China (ny.adsl:123.11.69.92) and I am told I should change my password. That means I will need to change it on every one of my devices and software packages I use to access my account. What a pain! Google should be more secure! Provide tools to better throw out, delete, kill unauthorized access. By establishing Gmail, Google is implying the service will be safe. THEY must make it so.

  6. Excellent, according to this checklist, my account is secure. :-)

    Tim - If you have so many devices and "software packages" that need to have your Gmail account information, how can you be blaming Google for your account's insecurity? They didn't tell you to go and use third-party software, and Alex specifically says in this article "Google can't guarantee the security of these third party services." Your security is only guaranteed as far as YOU protect it. If you hand out your account info to any third party who asks for it, you should expect to see strange things happening to your account.

    Maybe try this: change your Gmail password, and only change the account info on one device/application per day (a week would probably be better), and see when the strange access pops up again. Then you'll know the culprit. Change your password again, and ditch the application/web service that misused your data. It's not a quick and easy solution, but it should help you at least narrow down the source.

    In the future, you should be more careful about who you give sensitive data to. I'm sure you wouldn't give bank account information to third-party applications (or Nigerian princes), but if you did, you'd be a fool to blame the bank for any damages, since you gave your info out in the first place.

  7. How about Google copy the one thing Hotmail does better and make it harder for people to change the password reset questions if they have accessed the account by using a key logger?

    Single use sign-ons for public computers would also be welcome.

  8. Good points to start with... but what about cookies? Who is gonna manage 'em?

  9. In the 'Last Account Activity' window there's the option "Close all sessions". If I forgot a session open in the office, for example, and use this option on my home PC, is the session closed even when the computer in the office is turned off?
