Quick Points on Gmail Security

By James Fallows

At the end of my article in the current issue (Subscribe! TM) about the devastating hack of my wife's Gmail account, I promise a detailed online how-to about password generation and other handy security tips.

That will come ... real soon now

In the meantime, let me deal with the most frequent questions that have shown up in emails, concerning one of my two must-do recommendations*: if you use Gmail, you must switch on the two-step authentication system. For the official word from Google about this feature, see this and this. Here are the main questions I keep receiving:

1) Can I use this system even if I'm out of cell phone range? Yes. The app that generates new authorization codes is clock-based, rather than depending on a signal. (At least that is how the one for my Android phone works). You can get a code from the app on your smartphone whether or not it has any coverage at all.

2) What if I lose my phone or don't have it with me? You can generate a special set of one-time-use codes, print them out, and keep them in your purse or wallet. Then you use one of those if you happen to want to log on somewhere and you don't happen to have your phone. OK, if you're mugged, someone could get those codes -- and in theory, if the muggers also know your password (before you changed it), and understood what the codes were, they could get into your Gmail account. But that would be low on my list of worries during a mugging.
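The printed fallback codes above work because the service keeps a record of which codes it issued and strikes each one off the first time it is used, which is what limits the damage if the printout is lost. Here is an added sketch of that server-side bookkeeping, written for this edit and not taken from the article or from Google's implementation; code length, count and the hashed storage are my assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # assumed number of codes per printout
CODE_LENGTH = 8   # assumed digits per code


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LENGTH) -> list[str]:
    """Random numeric one-time codes from the OS CSPRNG; this list is what gets printed."""
    return [str(secrets.randbelow(10 ** length)).zfill(length) for _ in range(count)]


def _normalize(code: str) -> str:
    """Tolerate the spaces and padding a user types from a crumpled printout."""
    return code.strip().replace(" ", "").replace("-", "")


def _hash_code(code: str) -> str:
    # Only hashes are stored so a leaked record does not hand out usable codes.
    # With just 10**8 possible values this is brute-forceable, so a production
    # store would use a salted slow KDF and be protected like a password table.
    return hashlib.sha256(code.encode()).hexdigest()


class BackupCodeStore:
    """Server-side record of issued codes, each redeemable exactly once."""

    def __init__(self, codes: list[str]):
        self._unused = {_hash_code(c) for c in codes}
        self._used: set[str] = set()

    def redeem(self, code: str) -> bool:
        """Accept the code if unused, then burn it; a second use is refused."""
        digest = _hash_code(_normalize(code))
        for stored in list(self._unused):
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                self._unused.discard(stored)
                self._used.add(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    printout = generate_backup_codes()
    store = BackupCodeStore(printout)
    print("printed codes:", printout)
    print("first use:", store.redeem(printout[0]), "second use:", store.redeem(printout[0]))
    print("codes left:", store.remaining())
```

Once a code has been redeemed, `redeem` returns False for it thereafter, so a stolen wallet exposes at most the codes not yet used, and only to someone who also holds the password, exactly the residual risk the paragraph describes.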

3) Is this a big nuisance? It is "a" nuisance, but not a big one. The nuisance/reward tradeoff is comparable to having to carry keys to your house, versus leaving the door unlocked. On any machine you normally use for email, you can set things up so you have to enter the authorization code once per 30 days. It's only when you're using some unfamiliar machine -- at an internet cafe, at someone's home or office -- that you have to enter a code as well as your password. It's a five-second chore each time you do it. On the other hand, it creates a virtually impassable barrier for someone in Lagos or Moscow or Tianjin who has cracked your password but without the code, still cannot get into your account. It protects you from what my wife encountered: the loss of six years' worth of mail, documents, photos, life. Take your choice. (And there can be a small additional one-time nuisance in generating special "application specific codes" for your iPad and certain other devices and mail programs. Tough it out.)

That's it for a few days. But do it now!
____

* Oh, yes, the other must-do chore: For any account that matters -- banking, email, sensitive data of any sort -- use a password that applies to that account alone, and that you have never used anywhere else. Reasoning explained in the piece.

This article available online at:

http://www.theatlantic.com/technology/archive/2011/10/quick-points-on-gmail-security/246562/