Email accounts, like almost any other personal service on the Internet, are secured by passwords. All the care that you and your provider may adopt to protect your communications is useless if you don’t secure your password, and so here is some useful advice.
Pick a secure password. A secure password is at least eight character long, possibly more, and contains at least one non-alphabetic sign, such a number or a punctuation sign (the more the better); also, having at least one capital letter is advisable. Try to come up with something that is still easy to remember, but is not a simple dictionary word; one common trick that will help is to replace several letters with signs and numbers that look similar, such as “0” (zero) in place of the letter “o”, or “!” (exclamation mark) for “l”. Adding a punctuation sign at the end will also increase security. Also, avoid using words that could be easily associated to you by your acquaintances or by your social media contacts, such as your name, your city, your birth place or date, your company, your favourite sports team, and so on.
Do not reuse your email password. Most people recycle passwords among many different websites – this is not very secure, but it is acceptable if you’re just talking about random forums or free online services. However, securing your email account is much more important, because anyone being able to exchange emails from your legitimate account will likely be successful in impersonating you in very serious situations. So, you should really make an effort to use a unique password for your email account.
Keep your password secure. You should not write your password on paper, nor into an insecure file on your computer; if you want to store your password somewhere, you should do so in a secure manner. The most secure way is to keep it physically locked, far from any computer, but an acceptable and handier way is to use a secure password manager application. Also, browsers will store and fill up your username and password for most websites after you enter them for the first time, but if you choose to use this possibility, be aware that anyone getting their hands on your computer will possibly be able to log into your account; also, some browsers (e.g. Firefox) allow to show all stored passwords in clear, unless you set a “master password” to prevent this, so you should definitely do so (see instructions here). And of course you should never enter your password on any other website, send it by email/chat/text message or tell it to anyone – if you really have to do so (but only with very trusted people!), then change it afterwards as soon as you can.
Do not reply to password requests by strangers. Sometimes, attackers will send you an email (or even make you a call) pretending to be from your service provider, and asking you to provide your password for whatever reason, or to enter it in some website. No service providers will ask you for your password – if they need to do something with your account, they will be able to do without, and if your password were really necessary, they would rather ask you to reset it using the password change or lost password form. Never give your password to anyone, especially strangers.
Change your password regularly. Your service provider may require you to change your password at regular intervals, but even if it does not, changing your password once per year is recommended. If you like, you may use variations over a base password to memorize it more easily, though this can be confusing for some people. In any case, it is better not to reuse a previous password, even after some time.
Use two-factor authentication. Some providers will offer you two-factor authentication – a login method that requires you to prove your identity with a second device after entering your password on your computer; for example, you may be required to enter a code displayed by an app on your phone. While this may be annoying, it also increases your security enormously, since an attacker would now need to get hold of your password and your mobile phone; so you should consider using this method. In any case, supplying to your provider your mobile phone number or an alternate e-mail address will also help to recover your account whenever necessary.
Use a secure client connection. If you use an email application on your computer, or an app on your mobile phone, please ensure that you are using an encrypted connection to talk with your provider’s mail (IMAP/SMTP) servers. Your provider will give you specific instructions on how to configure email applications, which will also depend on the specific software that you are using, but all applications have an “account configuration” section where you enter the server’s name (e.g. mail.yourprovider.com). In that screen or nearby, there will be an option to determine the connection’s security level; depending on your provider’s configuration, you should either select “STARTTLS“ or “SSL”/“TLS“, but never use a configuration with no encryption whatsoever. If no encryption is selected, your password (possibly) and your email (certainly) will be transmitted in clear over the network and will be subject to interception.
Use a secure webmail connection. If you use a webmail interface to access your email account, please ensure that it happens over an encrypted (HTTPS) connection; modern browsers will show you a lock or other similar symbol in the address bar, and possibly also the company name of your provider. If this does not happen, beware! Your password will be transmitted in clear and will be subject to interception.
Check that you are on the legitimate website. If you use a webmail interface, you may be subject to phishing – malicious people will make you believe that you are on your normal email page, but will actually lure you onto their website and steal your password after you enter it. Always look for signs of weirdness – a different appearance of the pages, frequent typos, and more importantly a different URL in the address bar. If you use the browser to autocomplete your login form, you should also be suspicious if the autocomplete does not happen automatically. If you see something strange, do not enter your password and rather contact your email provider to check whether anything wrong is happening; your provider may change your web interface every now and then, but will normally tell you in advance.
