What's your email security best practice?

[Baofeng]

Hello there,

Everyone here has its own security method to protect their account. And so I think it would be better if you guys can share yours your tips. I will start mine,

[1] The most important of all, use a strong password, I emphasized strong, not good. It should consist of at least 10-14 characters or even longer, combinations of numbers, characters (lower and upper case) and symbols. Here is one guide [GUIDE] How to Create a Strong/Secure Password.

[2] Once you got a strong password, I make sure that at least I back it up, and make it a habit to change password every 3-6 months.

[3] Create different email for different purposes. For personal email, I used protonmail, then I create emails for my gambling activity only, and the another for my crypto related activities.

[4] 2FA -  This adds another layer of protection. So it's important to use it whenever possible.

[5] Password Manager - There's a lot of free password manager out there, so I advise others to try it as well.

[6] Use different password for all your emails. As a compliment to point 3 (as you listed above), the use of different password is also vital. This helps in situations if your emails or any online account gets compromised, the hacker can't easily have access to your other emails as they're not linked with the same password which is usually their first guess since majority of online users use similar password for all their online activities. Credit: CryptopreneurBrainboss

If you have other tips, please kindly share it and I will try to keep this thread up to date.

[Coyster]

Placing a credit freeze on your account is another bold step to protecting yourself, most especially from impersonators hanging around to steal your data and open up fraudulent credit accounts in your name or with your private information.

It's pertinent to explore almost all security measures you can lay your hands on, and freezing your credit would hide your credit file which contains where you live, how you pay your bills etc, from scammers and they will be unable to steal such Info.
It costs absolutely nothing to freeze your credit and less than an hour to unfreeze it, it's a no brainer if you ask me

Read more: https://www.google.com/amp/s/www.forbes.com/advisor/camilo-maldonado/2019/03/28/the-pros-and-cons-of-a-freezing-your-credit/%3famp#ampshare=https://www.forbes.com/advisor/camilo-maldonado/2019/03/28/the-pros-and-cons-of-a-freezing-your-credit/

[CryptopreneurBrainboss]

[6] Use different password for all your emails. As a compliment to point 3 (as you listed above), the use of different password is also vital. This helps in situations if your emails or any online account gets compromised, the hacker can't easily have access to your other emails as they're not linked with the same password which is usually their first guess since majority of online users use similar password for all their online activities.

[bitmover]

About passwords, certainly the only password you should know is your strong password of your password manager. All other passwords should be automatically generated by it.

Also, use 2FA everytime it is possible.

With that practice, you doin't need to change any password ever, imo.

[dkbit98]

Best practice is to quit using Gmail and switch over to more secure encrypted email alternatives.
As for passwords, best to use rand password generator, and backup it up.

I am still looking for password manager that works best for me... testing few of them

[OmegaStarScream]

About passwords, certainly the only password you should know is your strong password of your password manager. All other passwords should be automatically generated by it.
-snip-

This. Make sure to not use online password managers such as LastPass tho, stick to KeePass or something similar (open-source/offline).

You should also not post your email address publicly, it will just get picked by bots and you'll be a target of hacks/phishing attempts (emails).

[Get Ready]

I don't see anyone recommend logging in email by code sent via phone number. Use a feature phone ( not android phone or Iphone ) to receive code every time you log in, you never get hacked.
2FA, online password manager sometimes are not safe.

[tranthidung]

[6] Use different password for all your emails. As a compliment to point 3 (as you listed above), the use of different password is also vital. This helps in situations if your emails or any online account gets compromised, the hacker can't easily have access to your other emails as they're not linked with the same password which is usually their first guess since majority of online users use similar password for all their online activities.

Additionally, using unique passwords for different accounts, not only emails. If someone use different strong passwords for different emails. It is good practice but not enough. Moreover, it turns to be bad, if they use those email passwords for their accounts on banks, crypto exchanges, casinos, whatsoever.
In a nutshell, using unique, and strong passwords for different accounts.

[Theb]

To add I myself also wouldn't personally log-in my email credential on just any computer I see, there is really no assurance that the computer I am using has a keylogger or any kind of tracking virus you cannot simply just trust computers that you don't own. You must avoid computers that you do not own much more if you don't have any kind of second layer protection for your emails. Because hackers would instantly have full access into your email accounts without the use of it.

[target]

Do not save your password when you login into your browsers. Hope someone had already said this before me. Browsers aren't very secure as they say it is. I am however not a fan of protonmail when it comes to sending messages to a lot of people at once, I tried it once and my account got suspended. 

[mk4]

I don't see anyone recommend logging in email by code sent via phone number. Use a feature phone ( not android phone or Iphone ) to receive code every time you log in, you never get hacked.
2FA, online password manager sometimes are not safe.

As much as possible, do not use SMS verification. Use 2FA instead. A sim swap attack can be used against you. Though a bit unlikely unless you're some huge famous investor, it still isn't worth the risk.

https://thenextweb.com/hardfork/2019/05/13/sim-swap-2-4m-cryptocurrency-theft/
https://www.coindesk.com/crypto-investor-awarded-over-75-million-in-sim-swapping-hack-case

[tbct_mt2]

To add I myself also wouldn't personally log-in my email credential on just any computer I see, there is really no assurance that the computer I am using has a keylogger or any kind of tracking virus you cannot simply just trust computers that you don't own. You must avoid computers that you do not own much more if you don't have any kind of second layer protection for your emails. Because hackers would instantly have full access into your email accounts without the use of it.

LOL. Why do you or we have to log in emails on computers that are not yours or ours? Nowadays, people can bring their laptops from houses to work officies. They can surely control their emails; if they don't do stupid things on Internet. Logging emails on computers of others, I don't think I will do it anytime in my life. I even don't log in emails on my phones; only do it on non-mobile devices (laptops, computers). If our devices are not totally safe, we are not definitely sure about that, there is no reason to use and log in email accounts or other accounts on computers of colleagues, or anyone else. They likely use their computers carelessly, and don't install any antivirus softwares for their computers.

[mk4]

LOL. Why do you or we have to log in emails on computers that are not yours or ours?

Not everyone is financially capable of buying themselves a computer, sometimes even a decent low-end smartphone. Shocking right? Poverty exists, especially on 3rd world countries where poverty is a lot worse compered to poverty that you see on countries like the United States. Hence why computer cafes are a very viable business in poor countries due to the significant demographic of people that can't pay for computers and internet connection.

[harizen]

Don't login your e-mails on other machines e.g public internet cafe etc. Been doing this long time ago especially when doing travels.

That's my problem in the past. However, we all know that one of the best email provider, Google (Gmail) will not allow login to the unrecognized devices until passing the verification with the used of recognized devices. That's one the best feature I like so even for let' say your password got steal, no one can able to login it to a new device. It will also give a prompt to the user that someone is attempting to login your email.

There are really times we can't avoid logging our mails on another machine during urgent matters especially if we are away at our own machine. For these, we just have to be vigilant.

[nakamura12]

Set your other email as the recovery email of your email if you won't be able to access your email anymore. My point is to use the second email as the first email's email recovery and use third email as the recovery email for the second email and use the third email as the first rmail's recovery email. Like this one.
Email Number                                  Recovery Email (Email that will be use to recover your email)
Email #1                                            Email 2                                         
Email #2                                            Email 3
Email #3                                            Email 1

[xSkylarx]

[5] Password Manager - There's a lot of free password manager out there, so I advise others to try it as well.

Never heard of this. How does this function? What I do is store them to a word document, compressed it as a password protected file then make multiple backups to my devices. If possible I hide it like on my pc.

As long as you enabled 2fa, your email is safe even if you login to different devices. I have emails that was created 2 years ago and I've never change its password but still it wasn't hacked or someone attempt to hack it. I just don't connect my device to public wifi's as I don't feel safe.

[o_e_l_e_o]

Never heard of this. How does this function?

Password managers are generally an encrypted database of all your passwords. In addition to automating all the work involved in your set up of manually storing them to a word document, good password managers such as KeePass have a number of additional features which make them superior, such as generating truly random passwords, allowing key files to be used, keeping passwords encrypted even while KeePass is open to protect against memory dumping, protecting against key loggers and clipboard loggers, and so forth.

As long as you enabled 2fa, your email is safe even if you login to different devices.

Be careful of falling in to the trap of assuming you are immune to hacking because you use 2FA. Sure, 2FA makes things more difficult, and it is generally a good idea to use 2FA, but no system is immune to being hacked. Weak 2FA (such as SMS or email) is fairly easily hacked through social engineer or password resets. Stronger 2FA (such as Authy) still isn't immune to the user entering their code on a fake page, as has happened to users of a number of crypto exchanges in the past.

[mk4]

True, but there are 3 ways to circumstance the security/privacy problem at low cost :

...

I get your point. But unfortunately, the computer cafe owners definitely wouldn't allow you to do this. They record and charge their customers by the minute through software that's installed on the client computers for this exact purpose; and the computer would automatically lock if the user runs out of credit. Booting into the USB means that that software obviously wouldn't be able to run.

[tbct_mt2]

I knew everyone have their own lives and somewhere around the world, there are people who are unable to have their own computers, because they currently have struggled with their livelihoods. In my previous post, I implied about people who have their own computers, but they still carelessly use other devices, and put their identities, accounts, funds under high risks.

Not everyone is financially capable of buying themselves a computer, sometimes even a decent low-end smartphone. Shocking right? Poverty exists, especially on 3rd world countries where poverty is a lot worse compered to poverty that you see on countries like the United States. Hence why computer cafes are a very viable business in poor countries due to the significant demographic of people that can't pay for computers and internet connection.

I much appreciated your solutions for them. Personally, I always keep using Tor.

True, but there are 3 ways to circumstance the security/privacy problem at low cost :
1. Buy a flash-drive and install Ubuntu on-the-go on it. You also could windows as alternative.
Boot into the USB when you use someone else computer.
2. Buy a Raspberry Pi, microSD and necessary second-hand component (mouse, keyboard & screen). It should costs $60 or lower & raspberry pi uses very little electricity.
3. Use Tor when you use free Wi-Fi connection.

[mk4]

I much appreciated your solutions for them. Personally, I always keep using Tor.

Tor is going to help you with privacy, but not really in terms of account security. Even if you use Tor on a device that's not yours, you're still screwed regardless if the device has a keylogger anyway.