Securing gmail
#1
Original Poster
Join Date: Dec 2003
Location: NYC
Posts: 7,029
I've been wondering about best practices to secure gmail. A strong password and 2 factor authentication seem best, but I'm not sure what to do about password recovery.
1) Recovery options:
a) List a mobile phone. The problem is that phones can be lost or stolen. If it's a smartphone, the thief then has your email address and the means to take control.
If you use the mobile for 2 factor authentication, you'd seem to have the same problem if lost or stolen.
b) Recovery email address. That just seems to push the same problem to another level - how do you secure the recovery email address? Perhaps set up a gmail account purely for password recovery and protect it only with a secure password?
c) Security question. This does not seem to be offered for new accounts, but is available for older ones. The problem is if you use real info it's discoverable and if you make up info it's something else to remember. Perhaps put the security question into lastpass or the like.
2) If you have multiple accounts, should you use the same recovery info for all accounts? Single point of failure v. complexity.
#3
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,771
I use my cell phone and my parents' phone as a backup.
I think you're being unduly paranoid. If you're that worried about a concerted effort to break into your account, you likely have larger problems to deal with.
There is no such thing as foolproof security - just additional layers of complexity.
#4
Original Poster
Join Date: Dec 2003
Location: NYC
Posts: 7,029
It's quite possible I'm over-thinking and being unduly paranoid. OTOH, consider the Mat Honan saga, although we tend to overly focus on unusual noticeable incidents.
I have two-step (with google authenticator on my mobile). My major fear is someone taking the mobile.
I suppose I'll create a one-off gmail account as the password reset account, with a strong password but no recovery method.
#5
Suspended
Join Date: Jan 2001
Location: ORD / DUB / LHR
Programs: UA 1K MM; BA Silver; Marriott Plat
Posts: 8,240
I would advise using a close friend or relative's account as the recovery account, rather than creating another Gmail address specifically for this.
Additionally, I presume your mobile is password protected?
That combination is pretty secure. Someone trying to access your account would have to:
1. Know your password
2. Have physical access to your mobile when the authentication code was sent, or have access to the recovery email account (which is masked when you try to use it, I believe?)
#6
Join Date: Jun 2005
Location: Tri-State Area
Posts: 4,728
I would be more worried about someone accessing my bank data, etc. if I lose my mobile phone. That's why everything is locked in 1Password.
The other option is to throw away your smartphone and turn off your internet.
LOL
#7
Original Poster
Join Date: Dec 2003
Location: NYC
Posts: 7,029
Lastpass is my current favorite.
I currently PIN protect my mobile. I suppose I should switch to password. I wonder how many people have any protection set.
#8
Suspended
Join Date: Jan 2001
Location: ORD / DUB / LHR
Programs: UA 1K MM; BA Silver; Marriott Plat
Posts: 8,240
Partly for convenience, but partly because it provides an "early warning" if someone attempts to send a password recovery request in an attempt to access your account. If you have such requests going to an orphaned account like this you may not be aware. You can mitigate this by auto-forwarding any emails sent to this account to your regular one though.
#9
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,771
Remember that Mat's accounts were hacked because the hackers wanted access to his Twitter account. He had a three character account name - which is pretty rare.
If you don't have a short and catchy Twitter account handle or an account with zillions of followers, you're probably not a target.
#10
Join Date: Aug 2010
Location: LAX
Programs: AA 2MM, SPG Gold, HH Diamond
Posts: 110
I've been wondering about best practices to secure gmail. A strong password and 2 factor authentication seem best, but I'm not sure what to do about password recovery.
1) Recovery options:
a) List a mobile phone. The problem is that phones can be lost or stolen. If it's a smartphone, the thief then has your email address and the means to take control.
If you use the mobile for 2 factor authentication, you'd seem to have the same problem if lost or stolen.
b) Recovery email address. That just seems to push the same problem to another level - how do you secure the recovery email address? Perhaps set up a gmail account purely for password recovery and protect it only with a secure password?
c) Security question. This does not seem to be offered for new accounts, but is available for older ones. The problem is if you use real info it's discoverable and if you make up info it's something else to remember. Perhaps put the security question into lastpass or the like.
2) If you have multiple accounts, should you use the same recovery info for all accounts? Single point of failure v. complexity.
Listing a mobile phone and 2 factor authentication are both good ideas, but they should only be done if your phone is passcode locked, and if it has remote wipe, that's even better.
I like the idea of a separate recovery email address used only for passwords, with a strong password.
I dislike security questions for account recovery. (Seems to be a common way to compromise accounts these days)
To oversimplify, account security is a tradeoff between convenience and safety. The most convenient would be a single easy to remember password for all websites, obviously this is not safe. The ridiculous opposite extreme would be to memorize a unique 10+ character random password for each site. Of course, this is unreasonable.
Only you can determine what level of security/convenience you are comfortable with.
#11
Original Poster
Join Date: Dec 2003
Location: NYC
Posts: 7,029
To oversimplify, account security is a tradeoff between convenience and safety. The most convenient would be a single easy to remember password for all websites, obviously this is not safe. The ridiculous opposite extreme would be to memorize a unique 10+ character random password for each site. Of course, this is unreasonable.
No need to memorize many passwords. With lastpass and similar products, all you have to memorize is one password.
#12
Join Date: Aug 2010
Location: LAX
Programs: AA 2MM, SPG Gold, HH Diamond
Posts: 110
Yes, I like LastPass a lot; a couple of recommendations specifically for LastPass:
1. Use two-factor authentication
2. Require master password when viewing passwords.
3. Optionally, set up a security email address that is not in your vault and memorize that password
#13
Join Date: Jun 2011
Location: I 35 south bound, finally stopped
Programs: LT PPro/Emerald 4mm, *A GLD, Delta Silver, burned out medical provider, executing our estate plan
Posts: 1,772
Here is one recommendation:
http://www.pcworld.com/article/24265...martphone.html
Encrypt your Android:
http://support.google.com/android/bi...answer=1663755
Also, here is a good thing to use:
https://www.boxcryptor.com/
#14
Join Date: Jun 2006
Location: STL
Posts: 1,574
I use 2 factor authentication. I have the backup passwords printed out and stored behind some stuff in my wallet (probably not the best place for it, but I won't lose it there) and use my work e-mail address as my recovery address.
The work email address probably isn't a good idea if you get your work e-mail on the same phone the Google Authenticator app is installed on, or your company absolutely does not allow any personal e-mail whatsoever under any circumstance. Fortunately, neither applies to me.
I also have my landline phone number as a backup option. I'm screwed if out of town, but a lot would have to go wrong to lose access to my account. I'd have to lose my phone, lose my wallet, lose access to work VPN/e-mail, and be away from home. Very slim chance of that happening.