Adapted from http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html:
Before you begin, you will need to be logged in to your Google account and have your cellphone ready.
Log in to Google, eg at the URL you usually use for your Gmail. Then go to your Account Settings, by expanding the little drop-down user info panel at the top right and clicking “Account” to view your account settings. On the account settings page, click “edit” next to 2-step verification and turn it on. (Note: if you don’t see this option, your Google Apps domain administrator needs to turn it on in the Advanced settings section of the control panel.)
Gmail will walk you through the next few steps. You just need a telephone that can receive SMS text messages. Enter the numeric code sent in the text message to proceed. Now log in with your password and the PIN. Note that from this point forward your password alone is no longer enough to access your email.
With 2-step verification, accessing your email always requires the password and a code delivered via your cell phone. (You can check the “remember me for 30 days on this device” checkbox so you don’t have to do this every time – but you should only do this for devices you know others can’t get access to!) With this scheme in place, even if would-be hackers discover your super-sekrit email password, they can’t do anything useful with it! To access your email, they’d need to somehow gain control of your cell phone, too. I can’t see that happening unless you’re in some sort of hostage situation, and at that point I think email security is the least of your problems.
What If I Lose My Cell Phone?
Your cell phone isn’t the only way to get the secondary PIN you need to access your email. On the account page there are multiple ways to generate verification codes, including adding a secondary backup phone number, and downloading mobile applications that can generate verification codes without a text message (but that requires a smart phone, naturally). This also includes the never-fails-always-works option: printing out the single-use backup verification codes on a piece of paper. Go do this now. Right now! And keep those backup codes with you at all times. Put them in your wallet, purse, man-purse, or whatever it is that travels with you most often when you get out of bed.
What About Apps That Access Email?
Applications or websites that access your email, and thus necessarily store your email address and password, are also affected. They have no idea that they now need to enter a PIN, too, so they’ll all be broken. You’ll need to generate app-specific passwords for your email. To do that, visit the accounts page. Click on authorizing applications & sites, then enter a name for the application and click the Generate Password button. (Let me be clear about this, because it can be confusing: enter that specially generated password in the application, not your master email password.) This effectively creates a list of passwords specific to each application. So you can see the date each one was last used, and revoke each app’s permission to touch your email individually as necessary without ever revealing your primary email password to any application, ever. See, I told you, there is a method to the apparent madness.
Posted by Jeff Atwood