As part of their security features for Gmail, Google has a security checklist of things to do and keep in mind to help protect the integrity of your Gmail account. Many of the 18 items are fairly obvious or specific to Google, but it's a useful checklist not only for your Gmail account, but for any online account.
Among the obvious things are running antivirus software and ensuring that your OS and web browser are fully up to date (that should also include plugins like Flash and Adobe Reader, both of which are notorious for their security holes). The unofficial Google Operating System blog has a nice rundown of some of the Google-centric ones, like viewing the sites that have authorized access to your Google account. I just wanted to highlight a couple more that can be generalized from Gmail for use when thinking about the security of any web application. Either way, it's worth going through the full list just for good measure.
- Change your passwords regularly - This should really fall under the "obvious" category, but even though everyone knows it, it's an easy one to ignore. People are often worried about viruses and security exploits that destroy their data or computer, but to some extent, the worst security problem is one that you don't know about. Changing your passwords can protect against these types of threats by locking things out even if you didn't know they were a problem, and can also avoid "latent" threats that may have grabbed your credentials a while ago but not used them yet.
- Check your browser for plug-ins, extensions, and third-party programs/tools that require access to your [Google Account] credentials - There are a lot of great utilities out there for dealing with the data that you store in web applications. Some of them might change the way a site looks or acts, or notify you about changes to your account (e.g. email notifications). While some of these tools are provided directly by the producers of the web application, many are third-party tools. It's important to keep in mind that these tools may have some malicious intent, or poor security of their own. It's always better to be skeptical about the plugins you install and to keep track of them. Incidentally, changing your passwords regularly can also help you keep track of what services have access to your password, as you'll often need to reenter your password for them.
- Update your account recovery options - This is another one that can be easy to put off but is a huge pain if you need it and haven't taken care of it. Almost every web application lets you provide additional ways to verify or access your account in the event that your account is compromised or you lose access for some other reason. While giving additional email addresses or phone numbers to a web site may seem like a bad idea, if you trust the site enough not to abuse that information, it can be invaluable to have a number of ways to regain a compromised or lost account.
- Use a secure connection to sign in - We'll talk more about this in a later post, but if at all possible, it is a good idea to use https:// with any account that may contain sensitive information (and most sites with such information will support https, either as an option, or by directly typing "https" instead of "http" into your address bar). All of the information that you send to a web application passes through a lot of different channels on the way, some of which may be of dubious security (e.g. a public Wi-Fi network). With https, your communication with a web application is encrypted and the site's identity is verified, which prevents someone else from "eavesdropping" (or sniffing) or pretending to be a trusted service.
Anyway, those are a few of the checkpoints that caught my eye while looking through, but it's definitely worth looking through the full list yourself, both for Gmail (if you use it), and for any other web applications that you rely on. Many of the items are obvious, but having them listed in one place can make it easier to ensure you're taking care of the simple stuff that can have a big impact on your online security.