Your email is like a skeleton key—it is effectively a single key that can be used from anywhere to sign in to various services. Once an attacker obtains your email password, their job gets a lot easier. In this chapter we’ll cover how to set strong passwords all around, but particularly with your email.
Most of us probably set up our password to our email years ago, before hacks were a common everyday occurrence. When I was 12 years old creating my first Yahoo account, I wasn’t thinking about long passphrases or special characters—and as it was inspired by Hanson, it was certainly not secure. Nowadays, most of us can barely recall all the online accounts we have signed up for using our email address—especially with the rise of social media and Software-as-a-Service. There has also been a rise in reported data breaches, where the companies that provide these online services have lost copies of their password databases.
danger If you reuse your email password across your other online accounts, there is a higher chance this password is leaked. Once you lose access to your email, your other online accounts are one password reset email away from being lost too.
Fortunately, there are tools today to protect our email that were not necessarily available back when we set up our first account.
Start With a Password Manager
As a business owner, you will have more than a few critical passwords—and even with the best memory in the world, you will struggle to maintain them. That’s where password managers come in.
A password manager is a tool that provides one central place to safely store and manage your passwords so they can all be unique and strong—that is, long and complex enough they are very difficult or impossible for attackers to guess.
confusion “But wait, how is storing all your passwords in one place safe?” I hear you say. Yes, it does seem counterintuitive, but it is safer. Consider the alternatives: a password-generating formula you thought up (like service name + year + a $ or & or number), or reusing the same group of two to three passwords across all your systems. These methods have proven to be unsafe, and you need a new method that works for how you operate and the important accounts you need to protect. Given how easily attacks against accounts can be automated and carried out at scale, a password manager is your best defense against them.
important It is important to pick the right password manager and set it up right because that one tool will hold your whole digital world in one database, including the password to your email.
Password Manager Options
Password managers can operate a few different ways:
Cloud-based managers. Managers such as 1Password or Bitwarden store passwords in the cloud, so you can use them from any device.
Browser-based password storage systems. Like those provided by Chrome or Firefox, these systems are conveniently integrated within your browser, and may also store the passwords in the cloud so they are synced between devices.
Self-hosted password managers. These managers store passwords on your own devices, which involves syncing your devices yourself. Bitwarden also provides this capability.
Each of these has its pros and cons. Whichever one you pick, it should be the one you are most comfortable using and that works for you (not just the one that your security expert pals say you have to use). The tools I use as a security professional will differ from what I expect a business owner to use, and will differ again from what I get my parents to use. Brand names I mention here may come and go, but I’ll list the features you need so you can make your own decisions based on what’s available.
Picking a Password Manager
As an individual or a business owner, let’s assume that you need to be able to:
access passwords on the go (mobile) and while working remotely
share passwords from time to time when a service doesn’t allow unique usernames and passwords for each person
set and update passwords seamlessly
With that in mind, you’ll want a password manager that has the following security features:
locked by default when starting up
a master password or other form of authentication (like your device password) required to unlock it
automatic locking again after a reasonable period of time
the ability to set up two-factor authentication for unlocking your manager, and also for the accounts stored inside (more on this topic in Protecting Your Email Account)
up-to-date encryption to keep the contents safe
The science of encryption is complex, but when looking for features in password managers it boils down to two things to look for: an encryption algorithm that experts say is strong, and salted hashes.
At the time of writing, an accepted standard for encryption is the 256-bit Advanced Encryption Standard (AES-256); however this can change. It doesn’t hurt to do a quick internet search for “what is the current strongest encryption to use,” and then compare that with what your tool of choice says they use. If you want a trusted source of information, you can check the website of your country’s computer emergency response team (CERT), such as US-CERT for the US or CERT NZ for New Zealand.
Using salted hashes, also called salting, is the process of adding a random string to passwords when they are securely stored. Salting provides an extra layer of protection and prevents passwords from being easily guessed (reversed) by attackers.
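The two ideas above (a strong algorithm and salting) meet when a password manager turns your master password into the key that encrypts the vault. The following added example is not from the book or any particular product; it assumes PBKDF2-HMAC-SHA256 as the slow, salted derivation step, a 32-byte output (the AES-256 key size), and an illustrative iteration count.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the book): deriving a vault key from a master
# password with a random salt. Parameters are illustrative assumptions,
# not those of any specific password manager.
ITERATIONS = 600_000   # work factor: raises the cost of every guess an attacker makes
KEY_LEN = 32           # 32 bytes = 256 bits, the key size for AES-256


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a fixed-length key using the salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def create_vault_record(master_password: str) -> dict:
    """What a manager stores on disk: the salt, the work factor and a verifier.

    Neither the master password nor the derived key is ever written down.
    """
    salt = os.urandom(16)                      # fresh random salt per vault
    key = derive_key(master_password, salt)
    # The verifier lets us check an entered password without storing the key.
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(master_password: str, record: dict) -> Optional[bytes]:
    """Re-derive the key from the stored salt; return it only if the verifier matches."""
    key = derive_key(master_password, record["salt"], record["iterations"])
    candidate = hmac.new(key, b"vault-verifier", "sha256").digest()
    if hmac.compare_digest(candidate, record["verifier"]):   # constant-time compare
        return key
    return None


def salts_make_records_differ(master_password: str) -> bool:
    """Same master password, two vaults: the salt makes the stored values differ,
    so an attacker cannot precompute one table of guesses and reuse it everywhere."""
    first = create_vault_record(master_password)
    second = create_vault_record(master_password)
    return first["salt"] != second["salt"] and first["verifier"] != second["verifier"]


if __name__ == "__main__":
    record = create_vault_record("correct horse battery staple")
    print("stored salt:", record["salt"].hex())
    print("right password unlocks:", unlock("correct horse battery staple", record) is not None)
    print("wrong password unlocks:", unlock("wrong password", record) is not None)
    print("two vaults with the same password differ:", salts_make_records_differ("same"))
```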
Setting a Master Password
Lastly, you need to set a master password—a password used to unlock your password manager. This will either be one you set yourself, or it might rely on your computer login password if you are using a browser-based manager.
Your master password should at minimum:
be over 16 characters long
be unique and only used as your master password
not use any personal or easy-to-guess information.
confusion Don’t pick a complex, randomly generated passphrase because you will have to type this every day. A line from a book, a string of four to five random words, or a phrase that is a balance between silly and memorable are all good options. (You will also need to set up two-factor authentication to access your password manager, which we will cover in the next section.)
What Password Managers I Use
The context of how I work is slightly more advanced, since I have access to a lot of sensitive client data, in addition to the sensitive data for my business. I have a complex system with three password managers:
I use 1Password for all my work accounts. It is cloud-based, so I can access it from my phone, laptop, and anywhere I need to be. It also lets me set up my team so they can keep their accounts safe and we can share the passwords we need to share (like social media).
I use Bitwarden for all my personal accounts. It is also cloud-based, but a different brand tool than my work one. I have changed jobs a few times, so going through and removing old work accounts got tedious. It also allows me to spread the risk out so if one password manager was accessed (due to some very, very unlikely incident), my work passwords would be safe. There are now a few good cloud options to pick from.
I use KeePass for my high-value accounts I don’t access often, like my cryptocurrency wallets. I never have to access these on the go, so I keep this on a local password manager on a device I have stored away at home. There are of course risks in this choice too, if the device is lost or damaged, but like all security strategies, the aim is to understand and plan for those risks rather than avoid them.
Here are pro and con lists from my own password manager research:
Figure: A comparison of two popular password managers, one cloud-based and one local. There are plenty of other password managers besides these two, but this gives an example of pros and cons to consider.
While I have a complex system, you might find a simplified version of this would work for you.
Protecting Your Email Account
Now that you have a safe place to store your new secrets, we can work on protecting your email. As mentioned before, your email acts like a skeleton key for a large part of your online identity—people you communicate with associate your email with trust, and your email is also a key factor involved in logging into other accounts and receiving password resets. With access to just your email, an attacker can unlock access to more information and accounts.
To protect your email you will have to take these steps:
Reset your password and store it in your password manager.
Set up a strong two-factor authentication.
Store your backup codes in your password manager.
Update your account recovery options to ensure they are valid and accessed only by you.
Remove third-party applications with access to your email account that you don’t need.
Let’s run through each of these areas to understand what they mean.
Step 1: Reset and Store Your Password in Your Password Manager
It doesn’t matter what clever method or hoops you might have mentally jumped through to create your current password. Let’s start with a fresh slate, and reset it so you know for a fact it is unique.
Your password manager should help by suggesting a password that is very long and as random as it can technically be. If not, aim for at least 16 characters in length. Research has shown that it is more important to have a longer password. Mathematically, long passwords offer more possible combinations, which would take too long to guess even with today’s available technology.
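To make the length argument concrete, here is an added example (not from the book) that generates passwords the way a manager does and counts the guesses an attacker would face. The guess rate of ten billion per second and the small word list are assumptions for illustration; the Diceware list size of 7,776 words is the real figure for that scheme.

```python
import math
import secrets
import string

# Added example (not from the book): password generation and a length-based
# estimate of brute-force effort. Rates and word list are constructed assumptions.
CHARSET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed mini word list for the passphrase demo. A real generator draws from
# thousands of words; 16 words give far too little entropy for real use.
WORDS = ["anchor", "basil", "cobalt", "drift", "ember", "falcon", "glacier",
         "harbor", "ivory", "juniper", "kettle", "lantern", "meadow", "nickel",
         "orchid", "pebble"]
DICEWARE_SIZE = 7776            # size of the standard Diceware word list
GUESSES_PER_SECOND = 1e10       # assumed offline cracking rate, not a measured figure
SECONDS_PER_YEAR = 365 * 24 * 3600


def random_password(length: int = 20, charset: str = CHARSET) -> str:
    """Uniformly random characters drawn with the OS CSPRNG (what a manager does)."""
    return "".join(secrets.choice(charset) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Memorable alternative for a master password: random words with a separator."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(symbols: int, length: int) -> float:
    """Bits of entropy for `length` independent picks from `symbols` choices."""
    return length * math.log2(symbols)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every possibility at the given guess rate."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


def compare_policies() -> dict:
    """Entropy and exhaustive-search time for the cases the chapter discusses:
    a short random password, the 16-character minimum, and a 5-word passphrase."""
    cases = {
        "8 random chars": entropy_bits(len(CHARSET), 8),
        "16 random chars": entropy_bits(len(CHARSET), 16),
        "5 Diceware words": entropy_bits(DICEWARE_SIZE, 5),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in cases.items()}


if __name__ == "__main__":
    print("generated password:  ", random_password())
    print("generated passphrase:", random_passphrase())
    for name, (bits, years) in compare_policies().items():
        print(f"{name:18s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```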
Once you reset your password, all your previous logged-in sessions should also expire. This gives you the added comfort of knowing from this point forward, only you have access to your most important digital key. (Although this does mean spending some time logging back into your email on your phone, laptop, and so on.)
Step 2: Set Up Strong Two-Factor Authentication
A long, long time ago it was perfectly OK to use just a password to access your account—since the availability of tools to guess your password was limited, and those accounts also didn’t have as much value as they do today. Nowadays, you need to take a few steps to prove who you are to make it harder for people to bypass or trick their way into your account. One essential way to achieve this is to use two-factor authentication.
Definition Two-factor authentication (2FA) is a security measure that requires two modes of identification before access to a system or application is allowed. You may also see such multi-step authentication processes called multi-factor authentication (MFA) (when more than two factors are used) or two-step verification (2SV) (which is almost the same, but the steps may be on the same device). For simplicity, we’ll just refer to all of these options as 2FA in this book.
important 2FA is especially important for your email account.
As with “strong” encryption, it can be hard to assess if 2FA is “strong” without expertise in IT security. A few options for 2FA exist, and I’ll provide a high-level overview from most to least secure:
The best 2FA method is the use of a physical security key as this requires that you physically have the key to log in. These are also called hardware security keys. The most popular provider is Yubico with their YubiKey products. These keys use cryptography to generate and share secret keys each time they are plugged in or near your device, and tapped. All the secure transfer of secrets is done by the key. Because they rely on cryptography and a physical device, this is the hardest method for attackers to bypass. These keys even work wirelessly (Bluetooth and NFC), which means they are mobile friendly too.
The next best 2FA method you can use is push notifications. Physical keys might not be your jam. Maybe you don’t want to carry a physical dongle around, but you are more attached to your phone than anything. This requires you to have a specific mobile app or mobile operating system (such as YouTube on iOS) to set it up. That way when you log into your email, you would need to accept a prompt on your phone, asking if you are trying to log in.
The next best option after a push notification is a one-time password sent via an application. This is an auto-generated code that is refreshed every 30 seconds or so. The only way to get the code is via a mobile app, password manager, or cloud-based web application (like Authy). This is a step down from push notifications because they can still be phished and an attacker can trick you into giving them this code.
There are options beyond these three. These include one-time passwords sent via SMS, and knowledge-based questions (“security questions”). However, these are significantly less secure and I do not recommend them.
danger If possible, avoid SMS-based 2FA. Phone providers’ systems may allow a number to be moved to a new SIM card without proper verification, which means SMS is not a strong authentication method.
danger Knowledge-based questions are the weakest form of additional account security. The answers to questions like “What is the name of your high school?” are easy to find on social media.
Bottom line, if these are the only two methods available, that email provider is not safe for you to use.
controversy There are varying opinions from experts on which method is best and how much protection weaker 2FA methods offer. I can confidently say any 2FA is better than none. This is especially the case for when we start talking through all the other accounts you need to protect, where the two-factor options might be limited but there are no other competitors to switch to. When it comes to email though, you need to set the bar higher with a safer method of 2FA and not compromise. SMS-based two-factor might be OK for one social media platform if there are no other options and that is where your target audience hangs out, but it is not OK for your email.
You may even wish to configure more than one 2FA option for very important accounts like your email. This is sometimes known as using “tiered” backups. You can set up both a physical security key and an authenticator app as multi-factor authentication options, and then if you don’t have access to one, you can still get in via the other.
confusion When considering which method to use for 2FA, also consider the fact that you don’t have to log into a fresh device very often. You likely use the same phone, laptop, and tablet for accessing your email. Unless you are using a shared device, you can stay logged into your devices and will only be prompted to log back in once every few weeks or months.
Step 3: Store Your Backup Codes in Your Password Manager
After going through the process of configuring 2FA settings, you might get to the end of the steps and see a new term used: backup codes.
Backup codes (or recovery codes) are “break glass” codes that can be used as a backup option in the event something happens with the device you use to generate the two-factor codes.
The list of apps for generating two-factor codes is long and includes Google Authenticator, Authy, Microsoft Authenticator, Duo Security, and others. When you use an app on your phone to generate those codes, it generates keys that are stored on your phone so only your phone can generate the right codes to get into your account. If you experience that horrific moment of losing or breaking your phone, those keys may be lost. All hope is not lost, however, and that is why you are given backup codes at the end of that set-up process.
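The 30-second codes described in Step 2 and the “keys stored on your phone” above are the same mechanism: at set-up time the service shares a secret with the app, and every code is computed from that secret plus the current time. This added example (not from the book, and not any app’s own code) implements that computation as standardised in RFC 6238 and checks it against the RFC’s published test secret; it shows why the secret, and the backup codes that stand in for it, must be protected like a password.

```python
import base64
import hashlib
import hmac
import struct

# Added example (not from the book): how an authenticator app turns its shared
# secret into the rolling code. RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithm.
STEP_SECONDS = 30   # how often the code rolls over

# The RFC 6238 test secret, used here as constructed input. A real secret is
# random and is handed to the app once, usually inside the set-up QR code.
TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Set-up QR codes carry the secret base32-encoded, often unpadded; decode it."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the counter, dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """The counter is simply the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = STEP_SECONDS,
                window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    (clock drift), comparing in constant time. Any holder of the secret passes,
    which is why the secret itself is the thing to protect."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


if __name__ == "__main__":
    import time
    print("code right now:", totp(TEST_SECRET, time.time()))
    print("RFC 6238 vector at t=59:", totp(TEST_SECRET, 59))   # expected 287082
```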
important Get into a good habit of saving and protecting backup codes, just as you would your password or your 2FA device. Do not just download the file and leave it in your downloads folder, or skip saving them altogether. Treat these backup codes like the spare key, and protect them the same way you would your normal key. Copy them into your password manager or print them out and keep them stored somewhere safe that others can’t access, like a locked file cabinet or safe.
danger Make sure your backup codes are in a safe place you can remember. If you lose 2FA via other mechanisms and have no backup codes, you could be locked out completely. If you have access to backup codes, in the event that your phone or other 2FA device is lost, damaged, or replaced, you can still find a way in.
Step 4: Update Your Account Recovery Options
Assuming that the steps outlined above have been followed, it is unlikely that you would lose your password at this point—your password is stored safely, and two-factor authenticated to boot.
Account recovery options for a service allow a user to have a backup email or other contact information, or answers to questions on file with the service, to recover access in the event the user forgets a password or otherwise loses access to the account.
danger Setting up account recovery options securely is important because these settings could give an attacker an alternate way to access your account—even if they don’t have your password.
Correct account recovery options are also needed in the unlikely situation that account access is lost. Think about losing your unlocked laptop that was already logged into your email. The very first thing that an attacker may do is change your password. In that heart-dropping moment, you want to be able to confidently get back in without having to remember how to get access to that old, defunct email account you set as your account recovery option.
danger Watch out for out-of-date recovery options on accounts. If you haven’t checked your account recovery options lately, you might find it is set to an old email address.
I will admit this was the case for me when I recently logged into an old account that helpfully prompted me to check my old recovery settings. I was a bit surprised to see an old work email pop up when that hasn’t been active in a very long time. Out-of-date recovery options could be an old email address that you have not protected, or an email address for a domain you no longer own. Registering for old, orphaned business domains and then seeing what mail is sent is a common way for attackers to try and harvest data and accounts. Just because you stopped paying for it, doesn’t mean other people or accounts stopped trying to send data to it.
Good account recovery options will have the requester verify the account recovery email or phone number before sending the code, and will lock you out or require a manual verification process (such as calling) if the number of failed responses is too high. This adds a layer of difficulty in case an attacker is guessing their way through prompts, or trying to skip methods to find one that is easier to bypass.
Bad account recovery options include the use of knowledge-based recovery questions. We talked about these earlier in the context of 2FA, but this situation is a bit different—this may be your only option for account recovery and thus unavoidable. In this case, your best bet is to use random (and untrue) values.
confusion These security questions are testing your identity, not the truthfulness of your responses. An attacker might know that your old high school was Coral Springs Charter, but no one but you would know that your response to that question is “correct horse battery staple.” And the best place to store those answers? Yep, you guessed it: your password manager.
We covered a lot of different options for securing your email account, so what option works best for you? You will be limited by what is actually available to configure, and you want to find a configuration that works best for you. Although using a YubiKey offers your highest level of protection, it is not for everyone and it might cause more friction. The table below is a summary of different configuration options you will come across, the rough level of effort they require, and the level of protection they provide.
Table: Email Security Configuration Options (the original table also rated each option’s level of effort to use and level of protection; those ratings were shown graphically and are not reproduced here)

How to access your account | Examples
Physical security key | YubiKey, Titan Security Keys
One-time password via app | Google Auth, Authy, Password Manager
Push notification | Account-specific apps (Microsoft Auth, Google Prompt)
One-time password via text message/SMS | Any message app that allows SMS/text
Backup codes for 2FA* | Auto-generated, long, random characters
Knowledge-based questions | Name of your first pet, mother’s maiden name
Recovery via email/phone call† | Verification sent to alternative email or manual phone call
Recovery via knowledge-based questions (real answers)† | Name of your first pet: Laika
Recovery via knowledge-based questions (fake answers)† | Name of your first pet: c7zf-yaUS#

*Required. †If you have 2FA turned on, backup codes would be used for recovery first.
Step 5: Remove Third-Party Application Access
The last step to protecting your email is to manage and control access to your email by third-party applications.
Third-party access is when you grant permission to your email provider to share access to your information with another service.
Third-party access is coming up more and more as small web applications are popping up and relying on larger identity providers to manage access for them. One of the most common identity providers used is an email provider, such as Google or Microsoft. This is perfectly legitimate, and something we will recommend to you in later chapters when faced with creating a user login function for your system.
danger Third-party access is something to grant carefully and monitor. People can create malicious applications to siphon data from your identity provider if you aren’t checking the permissions you are granting. Attackers can also take control of older third-party systems that are no longer supported, but that might still have access to your identity provider account.
Now is a great time to log into your email provider and check which third parties have access to your account, and what data they can access. For most email providers, you can usually find these under the security section of your account settings.
Figure: Checking devices and services accessing a Google account.
If you see an unfamiliar service or an account you no longer need, disable the access. If a service has more data access than you think it needs, now is a great time to contact that service and ask why, try limiting the permission if you can, or disable it and try to find a different service to use. For example, it would be perfectly normal for Zoom to have access to your calendar if you allowed it to automatically generate a Zoom meeting ID when you send a virtual meeting invite. It would not be normal for Zoom to need full administrative access to your entire account with your email provider just to perform this function.
It doesn’t matter if you have a lot of third parties with access. It matters more what those services are doing and if they are expected to be there. The minimal amount of access would be to your name and email address, as that would be the information needed to create an account on a third-party site and sign in; this is OK. What is more concerning is when that third party also needs access to read your email, or access your document storage. These are permissions that need to be challenged, because in the wrong hands this could be a perfect way for an attacker to bypass authentication and access your data directly.
You can challenge them quietly by revoking the access and seeing if you can still use all the functions of the third-party account. If it requires that access to work, you can get a bit louder by raising a support ticket, or asking their community why they need that access when it raises security risks. You can escalate further by calling out to your Twitter or online friends to ask for a secure alternative to the application. Sometimes challenging access does result in changes (or at least precedent), like in the case where Goldenshores Technologies, who collected geolocation data without consent via their simple flashlight app, was officially charged by the Federal Trade Commission (FTC). Find a level you are comfortable with, and push back on excessive third-party access.
Review the Email Accounts You Use
Now is a great time to go back to the list of accounts you started off with. Like me, you probably don’t have just one email account. Hopefully, unlike me, you have fewer than five. Either way, don’t forget to protect each of your accounts using this same process.
If you no longer use an email account, you can reset the password to something long and unique, and be done with it. But first, ask yourself a few questions and check through your inbox to see if any of the following apply:
Do important contacts still use this email to contact you, whether that is family, friends, or business contacts?
Do you get mail to this email for any accounts that are on your list that you need to protect? Is this email used as the login or password reset for those accounts?
Is this the backup email used as your account recovery option for your main account?
If the answer is yes to any of these questions, you will either need to start updating other accounts to reduce the dependency on this account, or start protecting it the same way you do your main account. This can be daunting, but consider it an investment now rather than a headache later.
Is My Email Provider Secure?
This is a question I hear a lot. No email provider is perfect. Using email from large providers, such as Google and Microsoft, might have privacy trade-offs as they have a history of allowing scanning of emails for advertising purposes. On the other side of the coin, you might find you are locked into a specific email provider because of the technology ecosystem you have—if all your devices are Apple products, then it might be natural to gravitate towards an iCloud email account.
The best way to tell if your email provider is safe is to see if you can make it through the steps outlined earlier for protecting your account. If there are features that are not available, like 2FA, then it is a dealbreaker when it comes to security.
danger 2FA should be considered the bare minimum. If your provider doesn’t allow it, then this is a dealbreaker and it is time to set up a new email with a provider who does. There is a great community-created website called 2FA Directory that you can use to find a new email provider. This can be a huge pain to set up, but in the long run you will thank yourself. Especially with the rise of security breaches through weak security configurations, that unsafe email provider is probably one bad press release or low valuation away from selling or shutting down that headache service.
What I Use for Protecting Passwords and Email
I have a few email accounts; this is the burden of an IT nerd. So when going through these steps, I have to perform them for a few different accounts. I have one main personal account, one (very old) backup account that is nearly old enough to drive, and three work accounts. Here is how I work on protecting those:
For my personal account, I use four (!) layers of authentication. I stay logged in on the main devices I use every day, so I rarely have to assemble the four keys like in some dramatic rocket launch sequence. One layer is a physical hardware security key, the second is a backup physical hardware security key, and the third is a mobile device push notification, and the final is an obnoxiously long password.
My backup personal account, which I use for account recovery for my primary account, is protected by a similar four layers. I use this for any career-related accounts or subscriptions, but nowadays it is mostly there as a backup account so my main personal email doesn’t rely on a work email for account recovery.
My work accounts all use 2FA, using either push notifications or one-time password apps on my phone.
Once a year, when doing spring cleaning or avoiding writing that report I have been putting off, I will review the third-party apps and services each of those accounts use. It is helpful that the email providers for each of those accounts will also prompt me to check every now and again.
I store my passwords and backup codes in the respective personal or work password managers.
confusion Sometimes talking about my own personal security, I feel it might put off others into thinking security is too hard or too onerous. Remember that the context of how I secure my own email is slightly different to yours. As long as you follow the five steps above to protect your email accounts, you are certainly doing enough.
On your list of things to protect, you likely have a mobile device that operates like a multi-tool. It has access to your accounts in the same way you access them on your laptop, it is connected to your multiple communication tools, it can even pay for things like a digital credit card using NFC. Aside from your mobile Swiss Army knife, you also have a laptop where you perform most, if not all, of your personal and business functions.
important Protecting these devices is critical. At a minimum, you should perform these steps: