Email Security: How to Prevent Account Takeover and Phishing

ZeroPhantom 2026-01-22 6 min read

Your email account is the recovery option for almost every other account you have. If an attacker gains access, they can reset and take over everything else. Here's how to secure it.

Password Security

  • Use a unique, random password of 16+ characters — generate it with a password manager
  • Never reuse passwords across services
  • Change your email password if any service you've used has a data breach

Enable TOTP 2FA

This is the single highest-impact security improvement you can make. Enable TOTP rather than SMS (see our guide on TOTP vs SMS) on your email account immediately. Store the backup codes and the Base32 secret key in your password manager.

Hardware Security Key (Most Secure)

A YubiKey or similar FIDO2 key provides phishing-resistant 2FA. Even if you land on a perfect-looking phishing site and enter your password, the hardware key won't authenticate: it verifies the domain and refuses to sign for the wrong site.

Phishing Resistance

  • Check the full URL before entering credentials — phishers use look-alike domains (g00gle.com, paypa1.com)
  • Use password manager autofill — it won't fill on wrong domains
  • Enable "Safe Browsing" in your browser
  • Be suspicious of urgency in emails — "Your account will be suspended" is a phishing pattern

Check for Existing Compromise

  • Enter your email address at haveibeenpwned.com to check your data breach exposure
  • Review your Gmail "Security" section for unfamiliar app access and recent activity
  • Check forwarding rules — attackers often set up silent email forwarding

For Domain Email (Admin Security)

  • Implement DMARC p=reject to prevent spoofing of your domain
  • Enable admin account 2FA — admin access means access to everyone's email
  • Audit OAuth app access regularly — revoke apps no longer in use
  • Set up alerts for suspicious login attempts