It doesn’t matter whether you’re an executive guarding proprietary secrets or an ordinary user relying on Gmail to keep in touch with friends and family members; you should be thinking about the security of your Gmail account. Luckily, optimizing Gmail security is relatively straightforward.
“Security” in the online world can mean a number of things, but in general, it refers to the ease or difficulty of getting information from your online account. In the context of Gmail, weak security standards could mean someone reading your personal emails, gaining control of your account to use it maliciously, infecting your computer with malware within your account, or even accessing your Gmail login information so they can try it for more high-value accounts on the internet.
Fortunately, there are some simple steps—and a few complicated ones—that can greatly enhance your Gmail security.
Table of Contents
- How Secure Is Gmail?
- How to Improve Your Gmail Security
- 1. Keep your device free from malware.
- 2. Run a Security Checkup.
- 3. Choose a strong password.
- 4. Change your password regularly.
- 5. Never give your password away.
- 6. Enable 2-factor authentication.
- 7. Update your account recovery options.
- 8. Take action on suspicious activity notifications.
- 9. Pay attention to your last account activity.
- 10. Update your browser and operating system regularly.
- 11. Reduce the number of devices where you use your account.
- 12. Reduce third-party access to your Gmail Account.
- 13. Take extra precautions when using a public computer.
- 14. Use SMS passcodes for sensitive emails.
- 15. Set sensitive emails to expire.
- 16. Rely on Smart Lock.
- 17. Enroll in Advanced Protection.
- The Question of Add-Ons for Gmail Security
How Secure Is Gmail?
Let’s start by talking about how “secure” Gmail is, inherently. All your emails are stored in one of Google’s data centers, and while Google doesn’t disclose exactly what security measures it has in place, you can bet this storage is pretty airtight. There’s always the possibility of some kind of breach, in which case a hacker may gain access to thousands, or even millions of accounts’ worth of email, but this isn’t something you can control, and therefore isn’t what you should spend your time worrying about.
Instead, it’s more likely that your email security will be compromised on the user side of things; all it takes is one misplaced password, or a single instance of forgetting to log out of a public computer to compromise your account’s integrity.
How to Improve Your Gmail Security
Thankfully, Google offers dozens of features that you can use to improve your account’s security—plus, there are plenty of habits you can make to prevent yourself from being the victim of an attack.
Use these tips to keep your account safer:
1. Keep your device free from malware.
If your device is infected with malware, there isn’t much hope for your account. Though different types of malware exist, most varieties have the potential to compromise your login information. The most egregious offenders tend to be spyware, designed to track your activities; if you log into Gmail with spyware on your computer, a remote hacker could easily discern your login credentials and take over your account. Your first order of business is therefore keeping your computer free from malware. There are many ways to do this, including installing an antivirus program, utilizing a firewall, and avoiding questionable sources on the internet.
2. Run a Security Checkup.
Google is incentivized to keep your account secure, so it offers a free Security Checkup, which you can find here. This won’t help you keep your account secure on an ongoing basis, but will alert you if there are any detected instances of questionable activity on your account. If there are no issues found, it will also let you know. Here, you’ll see how many devices are currently signed in with your account, if there were any recent “security events,” how many sign-in and recovery methods you have (which I’ll cover later), and how much third-party access you’re currently granting.
3. Choose a strong password.
This is internet security 101: choose a strong password. Even if you think you know what constitutes a strong password, this is a good time to review your knowledge. Strong passwords include a mix of different types of characters, including upper-case letters, lower-case letters, numbers, and special symbols, but this alone isn’t enough to qualify as “strong.” You also have to have combinations of those characters that are hard to guess (i.e., not your birthday followed by “!”), and the more characters you have in your password, the better. Each new character makes your password harder to guess by an order of magnitude. You can read up on best practices here if you need a refresher, but you should know the standards—use lots of characters, including upper-case letters, lower-case letters, numbers, and symbols, and try not to include any patterns or easy-to-guess configurations (like your birthday, or the dreaded 1234 sequence).
4. Change your password regularly.
It’s not enough to choose a strong password and use it across all your accounts. To start, make sure you have a different password for each of your accounts; Gmail should have a password all its own. You should also plan to update your Gmail password periodically; annually is a good start for the average user, or every 3 months for a professional concerned about security.
5. Never give your password away.
Nobody from Google will ever ask you for your password. Ever. And nobody else should be asking for your Gmail password, either. If you get an email asking you for your password, for any reason, ignore it—even if it looks like it’s coming from Google directly. This is called a phishing scheme, and is a common tactic by hackers looking for a quick way to gain access to your account.
6. Enable 2-factor authentication.
Google offers users the option of enabling 2-factor verification, a way to make it harder to forge your credentials to gain access to your account. You can get started here. The first “factor” is your password, and the second factor is some other piece of information, which is required before you’re granted access to your account. In some cases, it’s a verification code sent to your phone. In others, it’s a USB security key. It’s totally your choice. It will take you a few extra seconds to log in, but will practically ensure that no one can access your account without your permission. If you decide to disable it, see our guide on how to turn off 2 step verification in Gmail.
7. Update your account recovery options.
In case your account is ever compromised in the future, you’ll need a solid backup plan that will allow you to recover it. Google allows a few different options to make this happen. Set up a backup phone number (usually your main number), or a secondary email account to be associated with your Gmail account; if your access is ever compromised, you can use these secondary contact methods to prove your identity and get your account back. It’s helpful to set up multiple backups, in case more than one account is compromised in a single attack.
In the Accounts and Import section of the Settings menu, you can “Change password recovery options” to update your backup information. Here, you’ll give Google a backup email address and phone number where they can send you information if you forget key login details. Keep this information up-to-date; you never know when you’ll need it.
8. Take action on suspicious activity notifications.
If Google detects an instance of “suspicious activity,” it will notify you on one of your secondary accounts, sending you an email or a text message alert, depending on your preferences. “Suspicious activity” could mean a sign-in on a new device, changing your password, or sending many emails in an unfamiliar pattern. If you notice one of these alerts for an action you didn’t initiate, take it seriously. Start the account recovery process and immediately change your password; there’s a chance this is a false alarm, but it’s not worth the risk.
9. Pay attention to your last account activity.
In the bottom-right of your desktop window, you’ll see a short snippet that reveals the last time your account was accessed. It’s a good habit to check this every time you log in, so you can notice if there’s any suspicious activity on your account. You can also click “details” to get a more detailed view of how and when your account was used—and on which devices.
10. Update your browser and operating system regularly.
Almost every tech product has at least some vulnerabilities, but developers are working round the clock to find them, acknowledge them, and patch them. That’s why you get periodic updates that there’s a new version of your browser, or your operating system, ready to install. Take these notifications seriously, and update your devices and software as soon as you can; think of it as a way to upgrade your defenses. Otherwise, you’ll stay vulnerable to security issues that have long since been formally fixed.
11. Reduce the number of devices where you use your account.
If you’re like most professionals, you access Gmail across a number of different devices, including a work computer, home computer, smartphone, laptop, and tablet. But the more devices you use to log into your account regularly, the more vulnerable you’ll be; access to any one of these devices is enough to compromise your account. Accordingly, it’s better to keep your regular account access to one or two devices; if you need to access your account on other devices, make sure you sign out when you’re done with them.
12. Reduce third-party access to your Gmail Account.
With so many third-party apps available to help us improve our email productivity, it’s tempting to install all of them and use them regularly. But there’s a catch; most apps and extensions need to gain access to your account through an API connection. While most reputable third-party apps are secure enough that you won’t have to worry, every new connection on your account is another potential vulnerability. Any security issue with any app, or any API connection, could make your account vulnerable.
13. Take extra precautions when using a public computer.
My personal advice is to avoid accessing your Gmail account on a public device altogether. But if you must, make sure you take extra precautions. Use a private browsing tab to ensure your information isn’t stored in any way, and sign out and close the browser window when you’re done. It won’t matter how many other security precautions you take if you leave your account signed-in on a public computer.
14. Use SMS passcodes for sensitive emails.
Did you know Gmail has some built-in options to make individual emails more secure? All you have to do is click the lock/clock icon in the lower row of icons in the compose window. From there, you can access “confidential mode.” The first option here is to set a passcode requirement for the email; once enabled, you can send a password to any phone number, and require that password to view the email. It’s a handy way to make an individual email even more secure.
15. Set sensitive emails to expire.
The other option in confidential mode is an expiration, which is fairly straightforward. You can set your email to “expire” at any interval; you can choose in a day, a week, a month, or set a specific date in the future. When the email expires, it will disappear from your recipient’s inbox automatically.
16. Rely on Smart Lock.
Smart Lock refers to a suite of different services that keep your accounts and devices more secure. If you have an Android device or a Chromebook, you can keep your devices automatically locked when your device isn’t with you, based on nearby Bluetooth connections (or in some cases, facial recognition). In Google Chrome, you can use Smart Lock to better manage all your online passwords.
17. Enroll in Advanced Protection.
Reserved for people who seriously require extra protection (such as politicians, activities, and journalists), Gmail also offers a service called Advanced Protection. With Advanced Protection, you can get a USB-based security key, which allows you an even more secure form of multi-factor authentication, precluding anyone without the key from accessing your account. You can also selectively limit how and when third-party apps access your Gmail data, and use additional verification measures when pursuing account recovery.
The Question of Add-Ons for Gmail Security
There are also add-ons, extensions, and apps you can use to improve Gmail security even further. For example, SecureGmail by Streak encrypts and decrypts all emails you send and receive—before they even reach Google’s servers. Ugly Email is a browser extension that gives you a brief notification whenever an incoming email is trying to track your behavior in some way.
I wouldn’t say these third-party apps are necessary to improve your Gmail security, and if you go with an unfamiliar or non-established publisher, you may end up introducing even more vulnerabilities to your account. However, there are some practical functions worth exploring that could improve your security even further; consider digging into them only if you feel your account is at exceptionally high risk of being compromised.
Be sure to see our blog post on email security best practices for more ideas on keeping your information secure!
Now that you’ve found several ways to keep your Gmail account more secure, you can turn your attention to day-to-day matters, like improving your overall email productivity. EmailAnalytics is designed to give you far more transparency and insight into your daily email habits, using data visualization to show you exactly how and when you send and receive emails throughout the day (and dozens of other metrics). Sign up for free today to learn more!
Jayson is a long-time columnist for Forbes, Entrepreneur, BusinessInsider, Inc.com, and various other major media publications, where he has authored over 1,000 articles since 2012, covering technology, marketing, and entrepreneurship. He keynoted the 2013 MarketingProfs University, and won the “Entrepreneur Blogger of the Year” award in 2015 from the Oxford Center for Entrepreneurs. In 2010, he founded a marketing agency that appeared on the Inc. 5000 before exiting it in January of 2019, and he is now the CEO of EmailAnalytics, and co-host of the podcast The Entrepreneur Cast.