James Fallows on the vulnerabilities of the cloud after wife's Gmail is hacked (theatlantic.com)
27 points by Thrymr on Oct 31, 2011 | 19 comments



From the article: "if you use Gmail, please use Google’s new “two-step verification” system. .... This is not an airtight solution, but it can thwart nearly all of the remote attacks that affect Gmail thousands of times a day."

Here's more information: http://www.google.com/support/accounts/bin/static.py?page=gu...

This additional protection will radically improve the security of your account against hijacking.


Yes! I have been using this for <longer than memory> and it's been fantastic. Each time I'm prompted for verification, the Google text message arrives nearly instantaneously. The verification code is only 6 digits long, which is just short enough to be memorized long enough to type into the box without re-looking.


What happens if I change my phone number? What's the process when I do that?


I only use the SMS option very, very rarely. Usually I use the authenticator Android/iPhone app.


1. Backup your emails with Thunderbird and put them on an external hard drive encrypted and/or encrypted on an online backup service, like Dropbox or ADrive.

2. Backup some of your other Google data with Takeout: https://www.google.com/takeout/ Use 2-step authentication as well.

3. Passwords? Use Keepass/KeepassX or LastPass. Generate new random passwords using the generate password feature. You could technically reuse passwords for accounts that aren't sensitive, but with those password managers you don't really need to, especially since they both support search. Back them up like you did with emails (external hard drive encrypted and/or encrypted on an online backup service, like Dropbox or ADrive.)

4. Master password? Try passphrases (http://xkcd.com/936/) or (for a slightly weaker option) use the initials of the words of part of a song, phrase, or something you can remember that isn't too common. It should be at least 10 characters long. Add memorable symbols or numbers for bonus credit.

5. On Windows? No Anti-virus software? GET SOME.

6. Don't enter your passwords on public computers. In fact, I wouldn't even access any private data on a public computer.

7. Don't tell your friends/family what your passwords are. Should be obvious, but not always so.

8. For Pete's sake, DON'T WRITE YOUR PASSWORDS DOWN ON POST-IT NOTES! and don't store them in unencrypted files. Really, this is a bad idea.

Even if you follow all the above, you still need to use common sense online when it comes to security.


Number 8 is overrated; it requires physical access to the password and is less viable than any pure online attack. See http://www.schneier.com/blog/archives/2005/06/write_down_you...


And the classic answer for 8: if writing it down on a post-it note allows you to keep a more secure password, do it. It's not electronically accessible (barring some clever webcam hacks).


I've said this before, and I will say this again.

Email is a service worth paying for. It is quite possibly the primary method of official communications between you and anyone else these days, far surpassing the volume of paper correspondences you have.

So why are we using free services that offer no guarantees, no SLAs, and no support - for anything other than throwaway accounts?

I run my own server, but this is hardly necessary for the majority of the world. What you do want is a server that backs you up constantly, and can respond to precisely issues like these.


Okay. So who is offering a service that can match Google's offering? In particular, they need to offer a good (i.e., at least as good as Google's) webmail client and spam filtering.


I use www.fastmail.fm (owned by Opera) and can't recommend them highly enough. For a family or small business it's great as you can have shared folders/address books, use your own domain(s), and more.

The web mail doesn't include tagging or inline conversations but otherwise it's pretty good with not too much wastage. Of course you also have IMAP/POP access if that's your flavour.


Another happy fastmail user here, of about 9 years. Agreed, it's worth paying for.


It'd be nice if there was anything out there one could install that was as good as GMail's frontend, but sadly that doesn't exist.

I don't miss it at all though - I find that 99% of my email needs are on desktop and mobile, and the native clients on just about any such platforms are more than a match for GMail.

I still have a webmail client I fall back to - nothing quite as good as GMail, but that's more for when I need to look something up on a public terminal.

On the flip side - I gain an unhijackable account. Worst case scenario they make off with all of my information, but I never lose ownership of the account. I also know my server's backup policies, so short of cracking my host wide open they can copy my data, but never destroy it.



Google Apps will have the same vulnerabilities as the real Gmail - they are the same suite of software after all.

The only consolation is that Google Apps does run a version or two behind, so it is probably better tested and has most problems nutted out.



"For reasons too complex to explain here, even some systems, like Gmail's, that don't allow intruders to make millions of random guesses at a password can still be vulnerable to brute-force attacks."

Anyone care to explain?


I don't know what he means here, but one possible way to brute force would be to iterate the username and not the password. It depends on what you're trying to do, but if you just want accounts you pick the top X number of passwords used then get a list of usernames and a healthy collection of proxies. As long as your list of usernames and proxies is long enough you should be able to brute force your way into a lot of accounts.


Distributed password guessing via a botnet with tens to hundreds of thousands of IP addresses would be one possibility. Keep the guessing below the ban threshold and you can brute force an account's password given enough time. This assumes Gmail only does IP rate limiting for login failures and doesn't impose any per-account restrictions, which could lock the legitimate account owner out in the event of an attack on their account.
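The two comments above describe the same blind spot from the defender's side: per-IP rate limiting alone never fires when each guess comes from a different address and each account sees only one or two failures. As an added example (not code from the thread or from any provider), this detector runs over a constructed login log and shows that neither the per-IP nor the per-account limit trips, while a window-wide count of distinct accounts with failures does. The log format, thresholds and field names are assumptions for the demo.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample login log (not from any real system). Each failure comes
# from a different address, the pattern of distributed guessing the comment
# describes: no single IP or account ever looks noisy on its own.
SAMPLE_LOG = """\
2011-10-31T10:00:01 FAIL user=alice ip=198.51.100.10
2011-10-31T10:00:02 FAIL user=bob ip=198.51.100.11
2011-10-31T10:00:03 FAIL user=carol ip=198.51.100.12
2011-10-31T10:00:04 FAIL user=dave ip=198.51.100.13
2011-10-31T10:00:05 FAIL user=erin ip=198.51.100.14
2011-10-31T10:00:06 FAIL user=frank ip=198.51.100.15
2011-10-31T10:00:07 FAIL user=alice ip=198.51.100.16
2011-10-31T10:00:08 FAIL user=grace ip=198.51.100.17
2011-10-31T10:03:00 FAIL user=heidi ip=203.0.113.5
2011-10-31T10:03:01 OK user=heidi ip=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")


def parse_log(text):
    """Return (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return records


def analyse_failures(records, window=timedelta(minutes=5),
                     ip_limit=5, account_limit=5, spray_limit=5):
    """Count failures in the window ending at the newest record. Per-IP and
    per-account limits catch one noisy source; the distinct-account count is
    what catches guessing spread across many sources and many accounts."""
    end = max(ts for ts, *_ in records)
    fails = [r for r in records if r[1] == "FAIL" and end - r[0] <= window]
    by_ip = Counter(ip for *_, ip in fails)
    by_account = Counter(user for _, _, user, _ in fails)
    return {
        "ips_over_limit": sorted(ip for ip, n in by_ip.items() if n >= ip_limit),
        "accounts_over_limit": sorted(u for u, n in by_account.items() if n >= account_limit),
        "distinct_failed_accounts": len(by_account),
        "spray_suspected": len(by_account) >= spray_limit,
    }
```

Per-account lockouts carry the denial-of-service risk the comment mentions, which is why a window-wide distinct-account alert (and step-up checks such as two-step verification) is the safer response.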


Anyone else have a few issues with this story?

1. Thinking that Google owed them a higher level of customer service for a free account. They're already offering a much better email system than almost anywhere else, for free!

2. Letting the backup email address expire.

3. Not backing up important messages. You can't leave backup to other people regardless of who they are.

4. Not using two factor security for an email account with so much important data.

5. Sending important personal data over email?? "At some point over the past six years, our correspondence would certainly have included every number or code that was important to us" WTF? E-mail, regardless of the provider, is not secure! Why would you send these things plaintext across the Internet??

6. He alludes to the fact that his wife's info may have been on the Gawker release... and they were just hacked now??

Granted... maybe we cannot expect a nontechnical consumer to know these things. So how do we get them up to par? (edited for formatting)



