10 steps to smarter Google account security

Credit to Author: JR Raphael| Date: Wed, 26 Feb 2020 03:00:00 -0800

There are important accounts to secure, and then there are important accounts to secure. Your Google account falls into that second category, maybe even with a couple of asterisks and some neon orange highlighting added in for good measure.

I mean, really: When you stop and think about how much stuff is associated with that single sign-in — your email, your documents, your photos, your files, your search history, maybe even your contacts, text messages, and location history, if you use Android — saying it’s a “sensitive account” seems like an understatement. Whether you’re using Google for business, personal purposes, or some combination of the two, you want to do everything you possibly can to keep all of that information locked down and completely under your control.

And guess what? Having a password that you hastily set seven years ago isn’t enough. With something as priceless as your personal data, that single key is only the start of a smart security setup. And even it might be due for an upgrade.

Take 10 minutes to go through these steps, then rest easy knowing your Google account is as guarded as can be.

We’ll start with something simple but supremely important — that aforementioned Google account password. Consider the following questions:

If the answer to any of those questions is yes, first, bop yourself firmly on the nose. Then use this link to go change your password immediately — preferably to something long, complex, and not involving any easily discoverable personal info, any common words or patterns, or anything you use anywhere else.

Got it? Good. Next:

No matter how strong your Google account password is, there’s always still the chance someone could crack it — but you can exponentially reduce the risk of anyone actually getting into your virtual property by enabling two-factor authentication on your account.

With two-factor authentication, you’ll be prompted for a second form of security in addition to your password — ideally something that requires a physical object that’d only ever be in your presence. In its simplest effective form, that could be a prompt or a code generated by your phone. If you want to get really fancy, it could be a button pressed on an actual key you carry (which could be a special USB- or Bluetooth-based dongle or even something built into your phone). There’s also an option to have codes sent to you via text message, but that method is relatively easy to hijack and thus not generally advisable to use.

Whatever path you choose, having that second layer in place will make it incredibly difficult for anyone to get into your Google account, even if they do somehow know your password.

Two-factor authentication makes it significantly more difficult for anyone to get into your Google account.

If you don’t have it set up yet, go to Google’s 2-Step Verification page to get started.

If Google ever detects some sort of suspicious activity on your account, it might require you to verify your identity before it lets you sign in. And if you haven’t looked at your account verification settings in a while (or ever, for that matter), there’s a decent chance the necessary info might be out of date or missing altogether.

Take a minute now to open up Google’s account security site and look in the section labeled “Ways we can verify it’s you.” There, you should see two options:

If the value next to either option is not current and correct, click it and update it immediately.

And with that, we’re ready to move on to our next level of Google account protection.

When you set up an app that interacts with Google in some way — on your phone, on your computer, or even within a Google service such as Gmail or Docs — that app gets granted a certain level of access to your Google account data.

Depending on the situation, that could mean it’s able to see some of your activity within specific Google services; it could mean it’s able to see everything in your Gmail, Google Calendar, or Google Drive; or it could mean it’s able to see everything across your entire Google account.

It’s all too easy to click through confirmation boxes without giving it careful thought — so look back now and see exactly what apps have access to what types of information. Visit Google’s third-party app access overview and look through the list of connected services. If you see anything there you no longer use or don’t recognize, click its line and then click the button to remove it.

Review your third-party app list and remove any items that no longer need access to your Google account.

Allowing apps you know and trust to access your account is perfectly fine, but you want to be sure to revisit the list regularly and keep it as current and concise as possible.

In addition to apps, you’ve almost certainly signed into your Google account on a variety of physical devices over the past several months (and beyond). And often, once you’ve signed in at the system level, a device remains connected to your account and able to access it — no matter how long it’s been since you’ve actually used the thing.

You can close that loop and take back control by going to Google’s device activity page. If you see any device there that you no longer use or don’t recognize, click the three-dot menu icon within its box and sign it out of your account right then and there.

Another important app-related consideration: If you’re using Android, some system-level permissions — such as those connected to your contacts and calendar — can effectively control access to areas of your Google account data, since services such as Google Contacts and Google Calendar sync that data between your phone and the cloud.

Head into the Privacy section of your phone’s system settings and look for the line labeled “Permission manager” (or something along those lines; the exact phrasing and presentation may vary from one Android version and device-maker to the next). There, you can look through each type of permission and see which apps are authorized to access it — and, with a couple more taps, revoke the permission from any apps where that level of access doesn’t seem necessary.

Android makes it easy to review and adjust an app’s permission, if you know where to look.

On the desktop, extensions added into Chrome have the potential to expand your browser’s capabilities — but they also have the potential to put your privacy at risk.

Up until late 2018, y’see, Chrome desktop extensions that needed to view any part of your online activity were forced to request a blanket permission to read and change data on every website you visit. That means an extension that does something as simple as enhancing the Gmail interface or allowing you to save articles for later would invariably have access to everything you do in your browser — despite the fact that such programs actually only need access on a limited level (either to the Gmail website, in the first case, or only when you click the icon to activate the extension, in the second).

At this point, Google allows extensions to request browsing data access on a more sensible, nuanced basis — but it’s a slow-moving transition, and plenty of extensions still stick with the old all-or-nothing arrangement by default.

That means it’s up to you to seek out the setting for every extension you have installed and confirm it’s no broader than it needs to be. Otherwise, all of your browsing activity within Chrome — something that’s typically kept under lock and key inside your Google account — could be shared with external companies for no legitimate reason.

All you have to do is type chrome:extensions into your browser’s address bar and then click the Details box for every extension on the page. Anytime you see a line labeled “Site access,” think carefully about the level of access that’s granted and whether it’s genuinely needed — or whether it’d make sense to bring it down a notch.

While you’re thinking about third-party add-ons for your computer and phone, take a moment to review everything you have installed on both fronts and consider how many of those programs you actually still use. The fewer cracked windows you allow on your Google account, the better — and if you aren’t even using something, there’s no reason to keep it connected.

And with that, we’re ready for our final two parts of account-protecting possibilities.

Thinking about worst-case scenarios is never particularly pleasant — I’d much rather be eating crumpets, myself — but just as it’s important to have a plan in place for your physical and financial possessions, creating a virtual will for your Google account will make matters infinitely easier for your loved ones if and when you ever develop a mild case of death.

Google has a simple system in place to manage this: Open up the Inactive Account Manager, and you’ll find tools for determining exactly what should happen if your account ever becomes inactive for a certain period of time. You can specify the number of months that must go by without any sign of your presence, along with the email addresses and phone numbers Google should use to contact you for confirmation. And then, you can give Google the email addresses of any people you want to be notified once it’s clear that you’re no longer available.

From there, you can specify exactly what types of information your chosen contacts will be able to access. You’ll even be able to leave a message for those people, if you want, and optionally create a broad autoreply that’ll be sent to anyone who emails you once your inactive period has begun (creepy!).

Google’s Inactive Account Manager is like a virtual estate planning tool for all of your account-associated data.

Even if you’ve gone through this process before, it’s worth going back in and revisiting your preferences occasionally to confirm the info is all still complete and accurate. When I looked at mine just now, for instance — a few years after initially setting up the system — a handful of newer account-related areas were not selected to be shared, presumably because they didn’t exist when I last reviewed the options. I had to manually check them all to be sure they’d be included in any post-consciousness account sharing.

Last but not least is a step that won’t be right for everyone but could be hugely consequential for certain types of Google users. For anyone at a higher risk of a targeted attack, Google offers an elevated form of account security called the Advanced Protection Program.

The program is described as being appropriate for business leaders, IT admins, activists, journalists, and anyone else who’s in the public eye and likely to be sought out by someone looking to do damage. It puts a series of heavy-duty restrictions on your Google account to make it especially difficult for anyone else to gain access — but as a result, it also makes things a bit more difficult for you.

The core part of the Advanced Protection Program is a requirement to have a physical security key the first time you sign into your account on any new device. That means in addition to your password, you’ll need that specific form of two-factor authentication — either an approved key built into your phone or a standalone dongle — in order to access your email, documents, or any other area of your Google account.

As part of the added security, you also won’t be able to connect most third-party apps to your Google account — including those that require access to your Gmail or Google Drive in order to operate. That could create some challenges (such as signing into an Android TV device, curiously enough) and require some compromises (such as no longer being able to use most third-party email clients with Gmail). And if you ever can’t get into your account for any reason, you’ll have to go through an extra-involved, multiday recovery process in order to restore access. You can read more about what the Advanced Protection Program is like to live with in this thoughtful overview.

Ultimately, only you can decide if the added inconveniences are worth the extra assurance. If you want the utmost in security for your Google account, though — and particularly if you’re someone who’s at a higher-than-average risk of being targeted — it’s something well worth considering.

http://www.computerworld.com/category/security/index.rss