Out of all your online accounts, there’s a good chance that Google holds most of your information. Think about it: if you use Gmail for email, Chrome for web browsing, and Android for your mobile OS, then you’re already using Google for almost everything you do.
Now that you’re thinking about how much of your stuff is stored and saved by Google, think about how secure that account is. What if someone got access to your Google account? That would include bank statements in Gmail, personal files in Drive, stored pictures in Google Photos, chat logs from Hangouts, and a lot more. Scary thought, right? Let’s talk about how to make sure your account is as secure as it can be.
When you click the “Security Checkup” option, you’ll be tossed into a multi-section form that will basically just ask you to review and confirm some information—this shouldn’t take that long, but you’ll definitely want to take your time and thoroughly review the information you find here.
The first option is very simple: confirm your recovery phone number and email address. Basically, if you get locked out of your Google account, you’ll want to make sure this stuff is correct. Also, you’ll get an email on your recovery account whenever your primary account is logged into a new location.
Once you’ve confirmed that info, go ahead and click “Done.” This will bring you into the Recent Security Events menu—if you haven’t made any security-related changes lately, then the odds are you won’t have anything here. If there is something and you haven’t made any changes, definitely take a closer look—this could be indicative of some sort of suspicious activity on your account. If something is listed here (as it is in my screenshot), you can find out what it is by clicking the down arrow next to the date and time. As you can see below, my specific event was the revoking of mail permission on my iPad. I no longer have that tablet, so there’s no need for it to have permission. Again, if everything looks good, give the “Looks good’ button a click.
The next section may or may not take a while, depending on how many devices you have connected. This is definitely something you’ll want to pay attention to, however: if you no longer have or use a specific device, there is no reason for it to have access to your account! It’s also worth noting that if you’ve used the device semi-recently, the time, date, and location will show up next to the name. To get more information about particular devices, click the down arrow at the end of the line.
New devices will also be highlighted here, along with a warning that if you don’t recognize it, someone may have access to your account.
The next section is another important one: Account Permissions. Basically, this is anything that has access to your Google Account—anything you’ve logged into with Gmail or otherwise granted permissions to with your account. The list will not only show what the app or device is, but exactly what it has access to. If you don’t remember granting something access (or just no longer use the app/device in question), then click the “remove” button to revoke its account access. If it’s an account you actually use and accidentally remove, you’ll just have to re-grant it access the next time you log in.
Lastly, you’ll go over your 2-step verification settings. If you don’t have this set up, we’ll do that down below.
If you do, however, make sure everything is up to date—double check your phone number or other authentication method and confirm that your backup code amount is correct—if you’ve never used a backup code for anything but have fewer than 10 left available, something isn’t right!
If, at any point during the checkup process, you see something amiss, don’t hesitate to hit the “Something looks wrong” button—it’s there for a reason! Once you give it a click, it will automatically suggest that you change your password. If something really is wrong, that’s something you’re going to want to do.
While the checkup process itself is very useful, you’ll also need to know how to manually access and change settings yourself. Let’s look at the most common right now.
If you’ve been on the internet for any reasonable amount of time, then you already know the spiel: use a strong password. Your child’s name or birthday, your birthday, or anything else that can be easily guessed are not examples of strong passwords—those are the kinds of passwords you use when you basically want your data to get stolen. Hard truth, I know, but that’s what it is.
We highly, highly recommend using some sort of a password generator and manager to get the strongest passwords possible—one that’s part of a password vault is even better. My personal favorite of the bunch is LastPass, which I’ve been using for a few years now. When it comes to new passwords, this is my go-to: I just let LastPass generate a new password and save it, and I never think about it again. As long as I remember my master password, then that’s the only one I’ll ever need. You should look into doing the same—not just for your Google account, but for all your accounts! We have a full guide on how to do that here.
Once you have a strong password, it’s time to set up 2-step authentication (also commonly referred to as two-factor authentication or “2FA”). Basically, this means that you need two things to get into your account: your password, and a second form of authentication—generally something that is only accessible to you. For example, you can receive a text message with a unique code, use an authentication app on your phone (like Google Authenticator or Authy), or even use Google’s new code-less authentication system, which is my personal favorite.
That way, your device is secured with something you know, and something you have. If someone gets your password, they won’t be able to access your account unless they’ve also stolen your phone.
To change your password or set up 2-step verification, you first need to head into your Google Account Settings, then select “Sign-in & security.”
From there, scroll down to the “Sign in to Google” section, which is where you’ll see a breakdown of pertinent information, like the last time you changed your password, when you set up 2-step verification, and the like.
To change your password (which is something I am apparently long overdue for), click the “Password” box. You’ll first be asked to input your current password, then be presented with a new password entry box. Easy enough.
To set up or change your 2-step verification settings, go ahead and click that link on the main “Sign-in & security” page. Again, you’ll be prompted to enter your password. If you’ve never set up 2-step verification on your Google account, you can click the “Get Started” box to, um, get started. It’ll ask you to sign in again, then send a code either via text message or phone call.
Once you get the code and enter it into the verification box, you’ll be asked if you want to enable 2-step verification. Go ahead and click “turn on.” From now on, you’ll be sent a code every time you try to log in to your Google account from a new device.
Once you have 2-step verification set up (of if you had it set up in the first place), you can control exactly what your second step is—this is where you can change to the code-less “Google Prompt” method, switch to using an authenticator app, and make sure your backup codes are current.
To set up a new second step method, just use the “Set up alternative second step” section.
Boom, you’re done: your account is now much safer. Good for you!
The rest of the security page is pretty straightforward (and also a part of the Security Checkup we talked about earlier), as it covers connected devices, apps, and notification settings. More than something you can actively do, everything in the “Device activity & notifications” and “Connected apps & sites” are something you’ll have to passively keep an eye on.
You can monitor account activity here—like devices that have recently been signed into your Google account, for example—along with currently logged-in devices. Again, if you’re no longer using a device, revoke its access! You can get more information about events and devices by clicking the respective “Review…” link.
To remove a device, simply click on the device and choose “remove.” It’ll ask you to confirm the removal, and that’s about it. Yeah, it’s that easy.
You can also control your security alerts here—this is a simple section that basically lets you set when and where you get notifications for specific events, like “Crucial security risks” and “Other account activity.”
Managing your connected apps, websites, and saved passwords is just as straightforward: click the “Manage…” link for more information, and remove anything you’re no longer using or want to save.
Check back in with these pages once in a while and clean out anything that doesn’t need access. You’ll be happier and more secure for it.
Securing your Google account isn’t hard, nor is it all that time consuming, and it’s something that everyone who has a Google account should do. Google has done an excellent job of putting everything in one place and making it incredibly easy to parse, control, and edit.