WWW.COMPUTERWORLD.COM
10 steps to smarter Google account security
There are important accounts to secure, and then there are important accounts to secure. Your Google account falls into that second category, maybe even with a couple of asterisks and some neon orange highlighting added in for good measure.

I mean, really: When you stop and think about how much stuff is associated with that single sign-in (your email, your documents, your photos, your files, your search history, maybe even your contacts, text messages, and location history, if you use Android), saying it's a sensitive account seems like an understatement. Whether you're using Google for business, personal purposes, or some combination of the two, you want to do everything you possibly can to keep all of that information locked down and completely under your control.

And guess what? Having a password that you hastily set seven years ago isn't enough. With something as priceless as your personal data, that single key is only the start of a smart security setup. And even it might be due for an upgrade.

Take 10 minutes to go through these steps, then rest easy knowing your Google account is as guarded as can be.

Part I: Reinforce your front door

Step 1: Check up on your Google account password

We'll start with something simple but supremely important: that aforementioned Google account password. Consider the following questions:

Is your Google password based on your name, the name of your partner or child, your birthday, your street address, or anything else someone could easily figure out by Googling you?
Does your Google password revolve around a common word or easily guessable pattern?
Is your Google password short (less than eight characters, at a minimum)?
Do you use your Google password (or any variation of it) to sign into any other app, website, or service?

If the answer to any of those questions is yes, first, bop yourself firmly on the nose.
Then use this link to go change your password immediately, preferably to something long, complex, and not involving any easily discoverable personal info, any common words or patterns, or anything you use anywhere else.

(And note: This is also where a reliable password manager, whether the basic Google Password Manager or a more fully featured third-party option, can make all the difference in the world.)

Got it? Good. Next:

Step 2: Give your Google account a second layer of protection

No matter how strong your Google account password is, there's always still the chance someone could crack it, but you can exponentially reduce the risk of anyone actually getting into your virtual property by enabling two-factor authentication on your account.

With two-factor authentication, you'll be prompted for a second form of security in addition to your password, ideally something that requires a physical object that'd only ever be in your presence. In its simplest effective form, that could be a prompt or a code generated by your phone. If you want to get really fancy, it could be a button pressed on an actual key you carry (which could be a special USB- or Bluetooth-based dongle or even something built into your phone), sometimes even called a passkey, which is basically just a confusing and overcomplicated way to say the same thing.
There's also an option to have codes sent to you via text message, but that method is relatively easy to hijack and thus not generally advisable to use.

Whatever path you choose, having that second layer in place will make it incredibly difficult for anyone to get into your Google account, even if they do somehow know your password.

Image caption: Two-factor authentication makes it significantly more difficult for anyone to get into your Google account. (JR Raphael / IDG)

If you don't have it set up yet, go to Google's 2-Step Verification page to get started.

Step 3: Make sure you're prepared to prove your identity

If Google ever detects some sort of suspicious activity on your account, it might require you to verify your identity before it lets you sign in. And if you haven't looked at your account verification settings in a while (or ever, for that matter), there's a decent chance the necessary info might be out of date or missing altogether.

Take a minute now to open up Google's account security site and look in the section labeled "How you sign in to Google."
There, among other things, you should see two options:

Recovery phone
Recovery email

If the value next to either option is not current and correct, click it and update it immediately.

And with that, we're ready to move on to our next level of Google account protection.

Part II: Clamp down on connections

Step 4: Review the third-party services with access to your account

When you set up an app that interacts with Google in some way (on your phone, on your computer, or even within a Google service such as Gmail or Docs), that app gets granted a certain level of access to your Google account data.

Depending on the situation, that could mean it's able to see some of your activity within specific Google services; it could mean it's able to see everything in your Gmail, Google Calendar, or Google Drive; or it could mean it's able to see everything across your entire Google account.

It's all too easy to click through confirmation boxes without giving it careful thought, so look back now and see exactly what apps have access to what types of information. Visit Google's third-party app access overview and look through the list of connected services. If you see anything there you no longer use or don't recognize, click its line and then click the button to remove it.

Image caption: Review your third-party app list and remove any items that no longer need access to your Google account. (JR Raphael / IDG)

Allowing apps you know and trust to access your account is perfectly fine, but you want to be sure to revisit the list regularly and keep it as current and concise as possible.

Step 5: Review the devices with access to your account

In addition to apps, you've almost certainly signed into your Google account on a variety of physical devices over the past several months (and beyond).
And often, once you've signed in at the system level, a device remains connected to your account and able to access it no matter how long it's been since you've actually used the thing.

You can close that loop and take back control by going to Google's device activity page. If you see any device there that you no longer use or don't recognize, click the three-dot menu icon within its box and sign it out of your account right then and there.

Step 6: Look over app permissions on your phone

Another important app-related consideration: If you're using Android, some system-level permissions (such as those connected to your contacts and calendar) can effectively control access to areas of your Google account data, since services such as Google Contacts and Google Calendar sync that data between your phone and the cloud.

Head into the Security & Privacy section of your phone's system settings and look for the line labeled "Permission manager." (Depending on your device, you might have to tap a line labeled "Privacy controls" before you see it.) If you can't find it, try searching your system settings for the phrase "permission manager" instead.

Once you get there, you can look through each type of permission and see which apps are authorized to access it and, with a couple more taps, revoke the permission from any apps where that level of access doesn't seem necessary.

Image caption: Android makes it easy to review and adjust an app's permission, if you know where to look. (JR Raphael / IDG)

Step 7: Look over extension permissions in your browser

On the desktop, extensions added into Chrome or any other browser have the potential to expand your browser's capabilities, but they also have the potential to put your privacy at risk.

Extensions could require access to anything from your complete browsing history to your system clipboard.
They can often read and change data on sites you're actively viewing, too: either any and all sites or only specific pertinent URLs, depending on the specific permissions requested.

None of this is necessarily bad, so long as the extension in question is reputable and requesting only the permissions it genuinely requires for the function it provides. But sometimes, even the most well-intending developers can get lazy and go with a broader permission than what their software actually needs. And in such an instance, an extension that does something as simple as enhancing the Gmail interface or allowing you to save articles for later could have access to everything you do in your browser, and the sort of broad data that's typically kept under lock and key inside your Google account could be shared with external entities for no good reason.

So let's do a quick little assessment, shall we? If you're using Chrome, type chrome:extensions into your browser's address bar. If you're using another browser, look in its main menu to find the equivalent option for managing extensions (or add-ons, as they're sometimes also called).

Once you're looking at a list of all your installed extensions, click the Details or Options button for every extension on the page. Peek at the Permissions section within each one and then take a close look at the Site access section, in particular.
Think carefully about the level of access that's granted there and whether it's genuinely needed or whether it'd make sense to bring it down a notch and make it more limited in nature.

With Chrome (and other Chrome-based browsers like Microsoft Edge and Vivaldi), if the extension seems like it really only needs access to a specific site or domain and it's requesting access to your activity on all sites, click the dropdown menu in that area and change its setting from "On all sites" to "On specific sites" (which lets you provide a specific, limited list of URLs on which the extension will have full visibility).

Image caption: Chrome and other Chrome-based browsers make it easy to view and adjust the permissions for any browser extension you're using. (JR Raphael / IDG)

Just remember that many extensions do legitimately need certain levels of access in order to operate, so make these changes cautiously and only after carefully thinking through the potential implications. Worst-case scenario, though, if you bring an extension's access down and then find it's no longer working as expected, you can always come back to this same area of your browser's settings later and change it back.

Firefox, incidentally, doesn't allow this level of granular permission-granting, so if you find an extension there is accessing more than you're comfortable with, your only real option is to uninstall it entirely.

Speaking of which...

Step 8: Get rid of any mobile apps and browser extensions you don't need

While you're thinking about third-party add-ons for your computer and phone, take a moment to review everything you have installed on both fronts and consider how many of those programs you actually still use.
The fewer cracked windows you allow on your Google account, the better, and if you aren't even using something, there's no reason to keep it connected.

And with that, we're ready for our final two parts of account-protecting possibilities.

Part III: Plan for the worst

Step 9: Set up or confirm your virtual Google will

Thinking about worst-case scenarios is never particularly pleasant (I'd much rather be eating crumpets, myself), but just as it's important to have a plan in place for your physical and financial possessions, creating a virtual will for your Google account will make matters infinitely easier for your loved ones if and when you ever develop a mild case of death.

For company-managed Google Workspace accounts, someone at your organization would be able to take control of your account in the event that you were no longer able to access it. But with an individual Google account, no such system for passing along access exists.

Google has a simple system in place to manage this: Open up the Inactive Account Manager, and you'll find tools for determining exactly what should happen if your account ever becomes inactive for a certain period of time. You can specify the number of months that must go by without any sign of your presence, along with the email addresses and phone numbers Google should use to contact you for confirmation. And then, you can give Google the email addresses of any people you want to be notified once it's clear that you're no longer available.

From there, you can specify exactly what types of information your chosen contacts will be able to access.
You'll even be able to leave a message for those people, if you want, and optionally create a broad autoreply that'll be sent to anyone who emails you once your inactive period has begun (creepy!).

Image caption: Google's Inactive Account Manager is like a virtual estate planning tool for all of your account-associated data. (JR Raphael / IDG)

Even if you've gone through this process before, it's worth going back in and revisiting your preferences occasionally to confirm the info is all still complete and accurate, not only in the specific contacts you have set to be notified but also in what specific areas of your account those people will be able to access, if this situation ever actually arises.

For that latter piece of the puzzle, be sure to click the pencil-shaped icon next to the email address of each person you have listed. After you confirm their address, that'll show you a list of account-related areas: everything from Contacts and Calendar to Google Chat, Google Photos, and even your location history (if you're using a device that contributes to such a collection).

Virtually every time I've ever looked at that, I've found a handful of newer account-related areas weren't selected to be shared, presumably because they didn't exist when I had last reviewed the options. I had to manually check them all to be sure they'd be included in any post-consciousness account sharing.

Part IV: Turn your protection up to the max

Step 10: Think about Google's Advanced Protection Program

Last but not least is a step that won't be right for everyone but could be hugely consequential for certain types of Google users. For anyone at a higher risk of a targeted attack, Google offers an elevated form of account security called the Advanced Protection Program.

The program is described as being appropriate for business leaders, IT admins, activists, journalists, and anyone else who's in the public eye and likely to be sought out by someone looking to do damage.
It puts a series of heavy-duty restrictions on your Google account to make it especially difficult for anyone else to gain access, but as a result, it also makes things a bit more difficult for you.

The core part of the Advanced Protection Program is a requirement to have a physical security key the first time you sign into your account on any new device. That means in addition to your password, you'll need that specific form of two-factor authentication (either an approved key built into your phone or a standalone dongle) in order to access your email, documents, or any other area of your Google account.

As part of the added security, you also won't be able to connect most third-party apps to your Google account, including those that require access to your Gmail or Google Drive in order to operate. That could create some challenges (such as signing into an Android TV device, curiously enough) and require some compromises (such as no longer being able to use most third-party email clients with Gmail). And if you ever can't get into your account for any reason, you'll have to go through an extra-involved, multiday recovery process in order to restore access. You can read more about what the Advanced Protection Program is like to live with in this thoughtful overview.

Ultimately, only you can decide if the added inconveniences are worth the extra assurance. If you want the utmost in security for your Google account, though, and particularly if you're someone who's at a higher-than-average risk of being targeted, it's something well worth considering.

If you do want to make the leap and add this extra layer of intense security onto your Google account, head over to Google's Advanced Protection Program website to get started. With a personal account, you'll be able to get yourself up and running in a matter of minutes.
With an account that's part of a paid company Workspace plan, your plan administrator will have to enable Advanced Protection for the organization before you're able to do it. Once you start the enrollment process, you'll see pretty quickly if it's already available for your account or not, and if not, you can contact your company admin to ask about the possibility of allowing it.

And with that, give yourself a pat on the back: Now that these 10 steps are behind you, your Google account security is officially in tiptop shape, and you shouldn't have to devote an ounce of thought to this area again anytime soon.

Just set yourself a reminder to revisit this page and review the steps within it once a year for good measure. (I'll continue to update and expand the specific instructions as needed over time.) Do the same with security smarts in other areas (like your Android security settings, if you're using an Android device of any sort) and then rest easy knowing your most important digital info is as secure as it can possibly be.

This article was originally published in February 2020 and updated in November 2024.
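
The extension review in Step 7 can also be run against the manifest files a Chrome-based browser keeps on disk. The script below is an added example, not part of the original article: it flags extensions that request access to all sites or to the history and clipboard data the step mentions. The sample manifests are constructed, the list of "sensitive" permissions is this example's own choice, and it assumes the usual `Extensions/<id>/<version>/manifest.json` layout inside a browser profile.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site ("On all sites" in the UI).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions tied to data Step 7 mentions (history, clipboard), plus two
# other commonly reviewed ones. The selection is this example's assumption.
SENSITIVE_APIS = {"history", "clipboardRead", "tabs", "cookies"}
# Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
PERMISSION_KEYS = ("permissions", "host_permissions",
                   "optional_permissions", "optional_host_permissions")


def audit_manifest(manifest: dict) -> dict:
    """Return the broad host patterns and sensitive API permissions requested."""
    declared = []
    for key in PERMISSION_KEYS:
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    # Content scripts get page access through their own "matches" lists.
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    return {
        "name": manifest.get("name", "?"),
        "broad_hosts": sorted(BROAD_PATTERNS.intersection(declared)),
        "sensitive_apis": sorted(SENSITIVE_APIS.intersection(declared)),
    }


def audit_profile(extensions_dir: Path) -> list:
    """Audit every <id>/<version>/manifest.json under an Extensions folder."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        # utf-8-sig tolerates a byte-order mark at the start of the file.
        report = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        if report["broad_hosts"] or report["sensitive_apis"]:
            findings.append(report)
    return findings


# Constructed sample manifests (not real extensions).
GMAIL_HELPER = {"name": "Gmail helper", "manifest_version": 3,
                "permissions": ["storage"],
                "host_permissions": ["https://mail.google.com/*"]}
READ_LATER = {"name": "Read later", "manifest_version": 2,
              "permissions": ["history", "clipboardRead", "<all_urls>"],
              "content_scripts": [{"matches": ["*://*/*"], "js": ["save.js"]}]}

if __name__ == "__main__":
    for sample in (GMAIL_HELPER, READ_LATER):
        print(audit_manifest(sample))
```

An extension that shows up in the findings is a candidate for the "On specific sites" setting or for removal under Step 8, not proof of misbehavior.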