Take precautions when using Gmail—or any other email service

G. Jitchaku asked me if Gmail was “safe.” That’s a very broad question, so I’m offering a very broad answer.

Nothing in this world is ever entirely safe, and that goes double for anything that lives in the cloud. If you use Gmail, your mail could be read by someone other than the intended recipient, or your account just might get hijacked.

That’s the case with every email service. Whether you use Gmail, Outlook, or your ISP’s email service, you need to protect yourself. I’ll concentrate on Gmail here, but the basic advice applies to any mail service.

[Have a tech question? Ask PCWorld Contributing Editor Lincoln Spector. Send your query to answer@pcworld.com.]

Let’s start with privacy and security.

Email is, by its nature, an open book. Your message passes through multiple servers between your computer and your recipient’s, and each of them can store a copy. In all likelihood, no one will read it. But you have to assume that someone might.

Gmail helps by encrypting your mail with SSL/TLS between your computer and Google’s servers. But that protects only the first hop. If the recipient isn’t using Gmail, the message still has to travel from Google’s servers to the recipient’s mail provider, and that leg is encrypted only if the receiving server supports it; otherwise it crosses the Internet in the clear. Google is building a Chrome extension (it calls it End-to-End) that encrypts the message itself on your computer, so only the recipient can decrypt it no matter which servers it passes through.

There are potential leaks in the email security formula too. Google has its own financial reasons for scanning your mail: it reads the contents to target ads. Every company has disgruntled and dishonest employees. And as Heartbleed proved, the software that implements SSL isn’t perfect.

I discussed Gmail privacy issues in more detail last year, so let’s go on to protecting your account from hackers.

Accounts get hijacked all the time, and you need to take precautions. First, use a strong password. It should be long, complex, and impossible to guess, but easy to remember. And you shouldn’t use it for anything except your email service: password resets for your other accounts land in your inbox, so whoever controls your email can take over those accounts too. If you don’t use one already, get a password manager.

Second, set up two-step verification. With this feature on, if someone logs onto your account from a PC that you haven’t personally authorized, Google will text a code to your cellphone. You, or whoever is masquerading as you, will have to enter that code to get access. If they don’t have your cellphone, your password alone won’t get them in. If you’d rather not depend on a text arriving, Google can instead generate the code in its Authenticator app on your phone, and you can print a set of backup codes to keep somewhere safe for the day your phone is lost or out of coverage.

Here’s how to set up Gmail’s two-step verification:

  1. Click the Tool icon (it looks like a gear) near the upper-right corner of the window and select Settings.
  2. Click the Accounts and Import tab, then the Other Google Account settings link near the top of the page.
  3. Once on the Settings page, click the Security tab. Then, in the Password box, find “2-Step Verification” and click Setup.
  4. Follow the resulting prompts. When you click the Send code button, wait for a text from Google.
  5. When the text arrives, enter the code it contains into the appropriate field. If you’re doing this on your own computer, leave the Trust this computer option checked.

Obviously, you should uncheck that option on a public computer at a library or on campus.
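To make concrete what the second step and the Trust this computer option actually do behind the scenes, here is a small Python model of the server side of a texted-code check. It is an added illustration, not Google’s code and not part of the original column. It assumes made-up parameters (a five-minute code lifetime, three wrong guesses before the code is voided, 30 days of device trust) and stands in for the text message by simply returning the code to the caller. The points it demonstrates are the ones that matter in practice: a code works once, expires, can’t be brute-forced, is compared in constant time, and trust is tied to one specific device.

```python
import hmac
import secrets
import time

# All three values are assumptions chosen for this example, not Google's settings.
CODE_TTL_SECONDS = 300            # a texted code is valid for five minutes
MAX_ATTEMPTS = 3                  # wrong guesses allowed before the code is voided
TRUST_TTL_SECONDS = 30 * 86400    # "Trust this computer" lasts 30 days


class TwoStepVerifier:
    """Toy model of the second login step: after the password is accepted, a
    short code is sent out of band (here returned instead of texted) and must
    be echoed back before the session is granted."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested offline
        self.pending = {}           # account -> {"code", "expires", "attempts"}
        self.trusted = {}           # (account, device_id) -> trust expiry time

    def needs_second_step(self, account, device_id):
        """False only if this exact device was trusted and the trust is unexpired.
        A different device (the library PC) always gets the second step."""
        expiry = self.trusted.get((account, device_id))
        if expiry is None:
            return True
        if self.clock() >= expiry:
            del self.trusted[(account, device_id)]
            return True
        return False

    def issue_code(self, account):
        """Generate a fresh, unpredictable 6-digit code; a real service would
        text it to the phone on file. Issuing a new code replaces any old one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = {
            "code": code,
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account, device_id, submitted, trust_device=False):
        """Check the code the user typed. Returns True exactly once per issued
        code; expired or exhausted codes are discarded."""
        entry = self.pending.get(account)
        if entry is None:
            return False                      # nothing outstanding (or already used)
        now = self.clock()
        if now > entry["expires"]:
            del self.pending[account]
            return False                      # too slow; user must request a new code
        entry["attempts"] += 1
        # Constant-time comparison so a guesser learns nothing from timing.
        if hmac.compare_digest(entry["code"], submitted):
            del self.pending[account]         # single use: no replay of a seen code
            if trust_device:
                self.trusted[(account, device_id)] = now + TRUST_TTL_SECONDS
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[account]         # void the code rather than let it be brute-forced
        return False


def demo():
    """Walk through one login from a home PC and one from a library PC."""
    v = TwoStepVerifier()
    code = v.issue_code("alice")              # would be texted in real life
    assert v.verify("alice", "home-pc", code, trust_device=True)
    home = v.needs_second_step("alice", "home-pc")        # False: trusted
    library = v.needs_second_step("alice", "library-pc")  # True: untrusted device
    return home, library


if __name__ == "__main__":
    print(demo())
```

The `trusted` table is why unchecking Trust this computer on a public machine matters: trust is stored per device, and a device you trusted skips the second step until the trust expires, for anyone sitting at that keyboard.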

That brings up another important point: When you access email on someone else’s computer, always be sure to log off when you’re done. You never know who will sit down in the chair after you leave.
