This how to article will walk you through setting up a secure Gmail (Google email) account to use in order to provide more security for your online accounts.
The first question many people ask is “why should I go through the trouble of maintaining separate email accounts, much less securing them?” Well the answer to that is one of the most common entry points into your other online accounts, and more precisely your financial accounts, is through a compromised email account. Think about how many sites let you reset your password by sending you a verification email. If you email account becomes compromised, all the other accounts you use with that email address could potentially become compromised as well.
Since this website deals mainly with cryptocurrencies, we will use an online exchange as a possible example. With your typical registration process you might use the same email account at several different places, shopping sites, perhaps some online exchanges, maybe some online forums, and possibly some other sites.
Exposing your email address to so many places allows for the possibility of it becoming known to bad actors, or in other words someone looking to exploit your email address and you. Once they have your email address they can begin attempting to break into it by guessing your password. Now if you have an fairly easy to guess password, this may be a trivial matter, but even if you have a harder password in place, there are many tools out there to make this less and less secure with each passing day.
So now let’s imagine that somehow this email account become compromised. The hacker can easily go through your emails and see where you have accounts associated with this now compromised email account. They can then attempt to log in using the various forgot username/password tools and depending upon the website’s security this may be all the information needed to compromise your other accounts. In the case of a cryptocurrency exchange, this can lead to all of you coins being withdrawn to the attackers own account.
Now that I have laid out an plausible scenario, I hope you can see why taking security seriously and setting up as many barriers as possible between a would be hacker and your accounts is a good idea. In additional to using separate (and secure) email accounts for your important online financial accounts, I also recommend you use any and all additional security these sites may offer, such as two factor authentication, email or phone notifications, IP lockouts, etc. Of course the amount of security and hassle you will want to endure will be proportional to the amounts you have in your accounts to protect, we will assume for this article the accounts are significant enough to be worth your efforts.
Now back to the main goal of the article. While I am using Google email or more commonly known as Gmail as an example, there are many other fine email providers that could also be used. In fact some sites allow you to provide a primary and backup email account, so you may very well want to use more than one service.
You can read more about Googles 2-Step Verification process at: https://www.google.com/landing/2step/
To start go the the Gmail welcome page where you can begin the process of creating your separate and secure Gmail account. Even if you already have one or more accounts with Google, they will usually let you utilize more than one account as long as it doesn’t become abusive. I am not sure what their hard and fast rules are, but it probably has to do with number, as well as how far apart the accounts are created. If you try to make 10 accounts in one day, they may limit you, but you may very well be able to acquire 10 accounts over a period of years.
Go ahead and fill out the required information, including adding a phone number. Make sure you use a “good” password that is hard to guess, and not something simple like “mypasswordisstrong”. For a good example of how to make a strong password, you can refer to Steve Gibson’s GRC Research site which has a great password generator page.
This page will generate a random password on every refresh. For maximum security use the characters from the “63 random printable ASCII characters” field. Pick at least 32 characters, and perhaps regenerate the page a few times and use snippets from each refresh to stitch together to create an even more unique and secure password. Say use 6 characters from each of 6 different page refreshes to create a 36 character password. If you want you can always change a few characters with your own too if you want, just try to keep the randomness intact, i.e. don’t substitute with all one letter or number.
As I have stated before, my personal belief is that it is better to record hard to guess passwords in a secure text file or even written down on paper, than it is to not record them and use easy to guess passwords because you can remember them easier. If you choose to do this, please store it on a secure USB drive, or for paper put it in a safe or somewhere not immediately accessible. While some may argue against this, unless you live with people who you do not trust, or in an area subject to people rifling through your stuff, this is probably more secure than relying on easy to remember password that a hacker can crack. The online threat seems to be greater than at the local level, but you should practice good security all around in any event.
Once you have created your account you should be able to sign in and administer your account settings. Click on your account icon at the upper right of your window and choose “My account”. You are at a minimum going to want to click on Sign-in and security and setup 2-Step Verification. Google’s 2-Step Verification will send a single-use code to your phone when you sign in to your account. You will need to enter this code in addition to your username and password when logging in to your account. The big benefit to this is that if somebody manages to obtain your Gmail password, they would still need the code to get into your account.
Google does offer the option of remembering the device you logged in from, so if you routinely log in from the same device, you can remember it from a period of time so you would not need your code all the time. Do this only if you have a dedicated PC or device you alone have access to.
You will probably also want to setup an recovery email address and phone number in case you would get locked out of your account. It would also be a good idea to setup notifications for any major changes, such as password change attempts, so you can keep an eye on security. There are many other options available for privacy and app access to your Gmail account, but since this is supposed to be a secure account, I would save those features for your more “everyday” account.
Well that is the basics and when you are done you should have a more secure 2-step verification email account for use for signing up to other sites.