Recently I have noticed that a number of my friends and acquaintances have had their GMail accounts compromised. While my preferred email address is on my own server, I do have a GMail address too (actually I have a couple, but only one that is really used much) and it has not been compromised. I’ve been asked about it a little bit and I figured it best to add my thoughts here regarding best practices, along with some software recommendations.
The first and most obvious recommendation is to use a strong password, ideally with a minimum of 128 bits of entropy. The best way to achieve this is to generate a suitably strong password with KeePassX (Windows users should use KeePass). KeePassX can also be used to generate and securely store passwords for any other account or site. KeePass and KeePassX store all passwords in a database that is protected by a passphrase and 256-bit AES or Twofish encryption.
The second recommendation is to never under any circumstances use the same password for multiple accounts. Passwords for one service should not be used to link it to another service where it may be exploited by an application or plugin for the second service. This way even if one service is compromised, the potential damage is limited to that service only and won’t be able to affect other accounts on different sites.
The third recommendation is to always connect using SSL/TLS. I always recommend the Mozilla Firefox browser with the EFF’s HTTPS Everywhere plugin. The Google settings for always connecting via HTTPS and enabling either or both of IMAPS and POP3S.
The fourth recommendation is to configure a proper mail client, such as Mozilla Thunderbird, to connect with IMAP over SSL. Using a proper and robust mail client, like Thunderbird, is my preferred method of accessing email, but in the case of GMail and other primarily web based email hosting does not prevent access via the web.
The fifth recommendation is to use the Tor Browser Bundle when connecting to GMail through a public wireless point or public network (e.g. an Internet café). This software includes a modified version of Firefox that incorporates HTTPS Everywhere and will help prevent session hijacking, such as that used by the Firesheep exploit. The Tor Browser Bundle is designed to run from a USB stick and does not require any installation; simply click and run.
These fairly straight forward measures should be enough to protect any GMail account from compromise and may also be applied to other web email hosts such as Hotmail or Yahoo. Although I have not checked the extent of support for SSL/TLS connections to either of those services.
Finally, I still encourage the use of the GNU Privacy Guard for securing correspondence between parties, but that is a different matter to securing the accounts themselves.