Securing gmail

Aug 24, 2012, 6:07 am, #1
Original Poster
 
Join Date: Dec 2003
Location: NYC
Posts: 6,458
Securing gmail

I've been wondering about best practices to secure gmail. A strong password and 2 factor authentication seem best, but I'm not sure what to do about password recovery.

1) Recovery options:

a) List a mobile phone. The problem is that phones can be lost or stolen. If it's a smartphone, the thief then has your email address and the means to take control.

If you use the mobile for 2 factor authentication, you'd seem to have the same problem if lost or stolen.

b) Recovery email address. That just seems to push the same problem to another level - how do you secure the recovery email address? Perhaps set up a gmail account purely for password recovery and protect it only with a secure password?

c) Security question. This does not seem to be offered for new accounts, but is available for older ones. The problem is if you use real info it's discoverable and if you make up info it's something else to remember. Perhaps put the security question into lastpass or the like.

2) If you have multiple accounts, should you use the same recovery info for all accounts? Single point of failure v. complexity.
richarddd
Aug 24, 2012, 7:45 am, #2
 
Join Date: Jun 2005
Location: Tri-State Area
Posts: 4,728
You're over-thinking this

Two step, coupled with backup email address, with mobile phone is plenty. And at the very least, generate backup set of 10 codes, print it out and put in secure place.
dtsm
Aug 24, 2012, 7:46 am, #3
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,301
I use my cell phone and my parents' phone as a backup.

I think you're being unduly paranoid. If you're that worried about a concerted effort to break into your account, you likely have larger problems to deal with.

There is no such thing as foolproof security - just additional layers of complexity.
gfunkdave
Aug 24, 2012, 8:21 am, #4
Original Poster
 
Join Date: Dec 2003
Location: NYC
Posts: 6,458
It's quite possible I'm over-thinking and being unduly paranoid. OTOH, consider the Mat Honan saga, although we tend to overly focus on unusual noticeable incidents.

I have two-step (with google authenticator on my mobile). My major fear is someone taking the mobile.

I suppose I'll create a one-off gmail account as the password reset account, with a strong password but no recovery method.
richarddd
Aug 24, 2012, 9:11 am, #5
Suspended
 
Join Date: Jan 2001
Location: ORD / DUB / LHR
Programs: UA 1K MM; BA Silver; Marriott Plat
Posts: 8,243
I would advise using a close friend or relative's account as the recovery account, rather than creating another Gmail address specifically for this.

Additionally, I presume your mobile is password protected?

That combination is pretty secure. Someone trying to access your account would have to:

1. Know your password
2. Have physical access to your mobile when the authentication code was sent, or have access to the recovery email account (which is masked when you try to use it, I believe?)
star_world
Aug 24, 2012, 9:15 am, #6
 
Join Date: Jun 2005
Location: Tri-State Area
Posts: 4,728
Originally Posted by richarddd

I have two-step (with google authenticator on my mobile). My major fear is someone taking the mobile.
You should password protect your mobile if possible. And if it's an iPhone, also set it up for remote access so you can wipe it clean in case of loss or theft....

I would be more worried about someone accessing my bank data, etc. if I lose my mobile phone. That's why everything is locked in 1Password.

Other option is to throw away your smart phone and turn off your internet LOL
dtsm
Aug 24, 2012, 9:26 am, #7
Original Poster
 
Join Date: Dec 2003
Location: NYC
Posts: 6,458
Originally Posted by star_world
I would advise using a close friend or relative's account as the recovery account, rather than creating another Gmail address specifically for this.
Why?

Originally Posted by dtsm
That's why everything is locked in 1Password.
Lastpass is my current favorite.

I currently PIN protect my mobile. I suppose I should switch to password. I wonder how many people have any protection set.
richarddd
Aug 24, 2012, 9:55 am, #8
Suspended
 
Join Date: Jan 2001
Location: ORD / DUB / LHR
Programs: UA 1K MM; BA Silver; Marriott Plat
Posts: 8,243
Originally Posted by richarddd
Why?
Partly for convenience, but partly because it provides an "early warning" if someone attempts to send a password recovery request in an attempt to access your account. If you have such requests going to an orphaned account like this you may not be aware. You can mitigate this by auto-forwarding any emails sent to this account to your regular one though.
star_world
Aug 25, 2012, 6:39 pm, #9
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,301
Remember that Mat's accounts were hacked because the hackers wanted access to his Twitter account. He had a three character account name - which is pretty rare.

If you don't have a short and catchy Twitter account handle or an account with zillions of followers, you're probably not a target.
gfunkdave
Aug 27, 2012, 6:37 pm, #10
 
Join Date: Aug 2010
Location: LAX
Programs: AA 2MM, SPG Gold, HH Diamond
Posts: 110
Originally Posted by richarddd
I've been wondering about best practices to secure gmail. A strong password and 2 factor authentication seem best, but I'm not sure what to do about password recovery.

1) Recovery options:

a) List a mobile phone. The problem is that phones can be lost or stolen. If it's a smartphone, the thief then has your email address and the means to take control.

If you use the mobile for 2 factor authentication, you'd seem to have the same problem if lost or stolen.

b) Recovery email address. That just seems to push the same problem to another level - how do you secure the recovery email address? Perhaps set up a gmail account purely for password recovery and protect it only with a secure password?

c) Security question. This does not seem to be offered for new accounts, but is available for older ones. The problem is if you use real info it's discoverable and if you make up info it's something else to remember. Perhaps put the security question into lastpass or the like.

2) If you have multiple accounts, should you use the same recovery info for all accounts? Single point of failure v. complexity.

Listing a mobile phone and 2 factor authentication are both good ideas, but they should only be done if your phone is passcode locked, and if it has remote wipe, that's even better.

I like the idea of a separate recovery email address used only for passwords, with a strong password.

I dislike security questions for account recovery. (Seems to be a common way to compromise accounts these days)


To oversimplify, account security is a tradeoff between convenience and safety. The most convenient would be a single easy to remember password for all websites; obviously this is not safe. The ridiculous opposite extreme would be to memorize a unique 10+ character random password for each site. Of course, this is unreasonable.

Only you can determine what level of security/convenience you are comfortable with.
alan19
Aug 27, 2012, 7:40 pm, #11
Original Poster
 
Join Date: Dec 2003
Location: NYC
Posts: 6,458
Originally Posted by alan19
To oversimplify, account security is a tradeoff between convenience and safety. The most convenient would be a single easy to remember password for all websites; obviously this is not safe. The ridiculous opposite extreme would be to memorize a unique 10+ character random password for each site. Of course, this is unreasonable.
That's not an oversimplification, that's conventional wisdom.

No need to memorize many passwords. With lastpass and similar products, all you have to memorize is one password.
richarddd
Aug 28, 2012, 5:15 pm, #12
 
Join Date: Aug 2010
Location: LAX
Programs: AA 2MM, SPG Gold, HH Diamond
Posts: 110
Originally Posted by richarddd
That's not an oversimplification, that's conventional wisdom.

No need to memorize many passwords. With lastpass and similar products, all you have to memorize is one password.


Yes, I like lastpass a lot. A couple of recommendations specifically for lastpass:

1. Use two-factor authentication
2. Require master password when viewing passwords.
3. Optionally, set up a security email address that is not in your vault and memorize that password
alan19
Aug 29, 2012, 2:08 pm, #13
 
Join Date: Jun 2011
Location: I 35 south bound, finally stopped
Programs: LT Plt, 4mm, *A GLD, burned out medical provider, executing our estate plan
Posts: 1,667
Here is one recommendation:

http://www.pcworld.com/article/24265...martphone.html

Encrypt your Android:

http://support.google.com/android/bi...answer=1663755

Also, here is a good thing to use:

https://www.boxcryptor.com/
boerne
Sep 2, 2012, 10:44 pm, #14
 
Join Date: Jun 2006
Location: STL
Posts: 1,559
I use 2 factor authentication. I have the backup passwords printed out and stored behind some stuff in my wallet (probably not the best place for it, but I won't lose it there) and use my work e-mail address as my recovery address.

The work email address probably isn't a good idea if you get your work e-mail on the same phone the Google Authenticator app is installed on, or if your company absolutely does not allow any personal e-mail whatsoever under any circumstance. Fortunately, neither applies to me.

I also have my landline phone number as a backup option. I'm screwed if out of town, but a lot would have to go wrong to lose access to my account. I'd have to lose my phone, lose my wallet, lose access to work VPN/e-mail, and be away from home. Very slim chance of that happening.
t325