Originally posted by richarddd:
I've been wondering about best practices to secure gmail. A strong password and 2 factor authentication seem best, but I'm not sure what to do about password recovery.
1) Recovery options:
a) List a mobile phone. The problem is that phones can be lost or stolen. If it's a smartphone, the thief then has your email address and the means to take control.
If you use the mobile for 2 factor authentication, you'd seem to have the same problem if lost or stolen.
b) Recovery email address. That just seems to push the same problem to another level - how do you secure the recovery email address? Perhaps set up a gmail account purely for password recovery and protect it only with a secure password?
c) Security question. This does not seem to be offered for new accounts, but is available for older ones. The problem is that if you use real info it's discoverable, and if you make up info it's something else to remember. Perhaps put the security question into LastPass or the like.
2) If you have multiple accounts, should you use the same recovery info for all accounts? Single point of failure v. complexity.
Listing a mobile phone and 2-factor authentication are both good ideas, but they should only be done if your phone is passcode-locked; if it also has remote wipe, that's even better.
I like the idea of a separate recovery email address, used only for password recovery and protected with a strong password.
I dislike security questions for account recovery (they seem to be a common way to compromise accounts these days).
To oversimplify, account security is a tradeoff between convenience and safety. The most convenient would be a single easy-to-remember password for all websites; obviously this is not safe. The ridiculous opposite extreme would be to memorize a unique 10+ character random password for each site. Of course, this is unreasonable.
Only you can determine what level of security/convenience you are comfortable with.
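Both posts come down to the same mechanics: a unique random password per site, fabricated security-question answers that are random rather than real or memorable, and nothing reused across accounts so one stolen secret cannot unlock the rest. The script below is an added example (not from either poster) that generates those secrets with Python's `secrets` module and computes the entropy each option buys, so the "10+ random characters" versus "memorable passphrase" tradeoff can be compared in bits. `WORDLIST`, the function names and the sample site/questions are all assumptions made up for the example; a real passphrase generator would load a large published word list instead of the 64-word one constructed here.

```python
import math
import secrets
import string

# Constructed 64-word list for the example only (6 bits per word). A real
# generator would use a large published list such as the EFF long list.
WORDLIST = [
    "acorn", "badge", "cabin", "delta", "ember", "fable", "gavel", "harbor",
    "igloo", "jewel", "kayak", "lemon", "maple", "noble", "olive", "paddle",
    "quartz", "ridge", "saddle", "tulip", "umber", "velvet", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dune", "eagle", "fjord",
    "glide", "heron", "ivory", "jade", "kelp", "lunar", "mesa", "nectar",
    "ocean", "pearl", "quill", "raven", "slate", "tundra", "unity", "vapor",
    "willow", "yarrow", "zinc", "alpine", "brook", "coral", "dawn", "elm",
    "flint", "grove", "hazel", "iris", "juniper", "koala", "lotus", "marsh",
]

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ANSWER_ALPHABET = string.ascii_lowercase + string.digits                        # 36 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose symbols are drawn uniformly: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16) -> str:
    """Unique per-site password; secrets.choice is a CSPRNG, unlike random.choice."""
    if length < 10:
        raise ValueError("use at least 10 characters for a random password")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def fake_security_answer(length: int = 20) -> str:
    """Random answer for a security question, to be stored in the password manager.
    Lowercase letters and digits only: recovery forms often fold case or reject
    punctuation, and a 'pet's name' that is 20 random characters is not guessable."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def passphrase(words: int = 6, sep: str = "-") -> str:
    """Memorable alternative for the one secret you must keep in your head
    (the password-manager master password): words drawn uniformly from WORDLIST."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))


def recovery_record(site: str, questions: list[str]) -> dict:
    """One password-manager entry: a unique password plus a unique fabricated
    answer per security question. Nothing here is shared with any other site."""
    return {
        "site": site,
        "password": random_password(),
        "answers": {q: fake_security_answer() for q in questions},
    }


def is_reused(records: list[dict]) -> bool:
    """True if any password or answer appears in more than one record, i.e. the
    single point of failure the original poster asks about in item 2."""
    seen = set()
    for record in records:
        for value in [record["password"], *record["answers"].values()]:
            if value in seen:
                return True
            seen.add(value)
    return False


if __name__ == "__main__":
    # Assumed example accounts; the recovery mailbox gets its own record too.
    records = [
        recovery_record("gmail (primary)", ["first pet", "mother's maiden name"]),
        recovery_record("gmail (recovery only)", ["city of birth"]),
    ]
    for r in records:
        print(r)
    print("reused secrets:", is_reused(records))
    print(f"16-char random password: {entropy_bits(94, 16):.1f} bits")
    print(f"20-char fabricated answer: {entropy_bits(36, 20):.1f} bits")
    print(f"6-word passphrase from 64 words: {entropy_bits(64, 6):.1f} bits")
```

The entropy figures make the tradeoff in the reply concrete: a 16-character random password is about 105 bits, a 20-character fabricated answer about 103 bits, while six words from the toy list are only 36 bits, which is why a real passphrase generator uses a list of thousands of words. Only the master passphrase needs to be memorised; every per-site password and every fabricated answer lives in the manager, which is what makes "never reuse recovery info across accounts" workable in practice.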