10 steps to smarter Google account security

There are important accounts to secure, and then there are important accounts to secure. Your Google account falls into that second category, maybe even with a couple of asterisks and some neon orange highlighting added in for good measure.

I mean, really: When you stop and think about how much stuff is associated with that single sign-in — your email, your documents, your photos, your files, your search history, maybe even your contacts, text messages, and location history, if you use Android — saying it’s a “sensitive account” seems like an understatement. Whether you’re using Google for business, personal purposes, or some combination of the two, you want to do everything you possibly can to keep all of that information locked down and completely under your control.

And guess what? Having a password that you hastily set seven years ago isn’t enough. With something as priceless as your personal data, that single key is only the start of a smart security setup. And even it might be due for an upgrade.

Take 10 minutes to go through these steps, then rest easy knowing your Google account is as guarded as can be.

Part I: Reinforce your front door

Step 1: Check up on your Google account password

We’ll start with something simple but supremely important — that aforementioned Google account password. Consider the following questions:

Is your Google password based on your name, the name of your partner or child, your birthday, your street address, or anything else someone could easily figure out by Googling you?

Does your Google password revolve around a common word or easily guessable pattern?

Is your Google password short — less than eight characters, at a minimum?

Do you use your Google password (or any variation of it) to sign into any other app, website, or service?

If the answer to any of those questions is yes, first, bop yourself firmly on the nose. Then use this link to go change your password immediately — preferably to something long, complex, and not involving any easily discoverable personal info, any common words or patterns, or anything you use anywhere else.

(And note: This is also where a reliable password manager — whether the basic Google Password Manager or a more fully featured third-party option — can make all the difference in the world.)

Got it? Good. Next:

Step 2: Give your Google account a second layer of protection

No matter how strong your Google account password is, there’s always still the chance someone could crack it — but you can exponentially reduce the risk of anyone actually getting into your virtual property by enabling two-factor authentication on your account.

With two-factor authentication, you’ll be prompted for a second form of security in addition to your password — ideally something that requires a physical object that’d only ever be in your presence. In its simplest effective form, that could be a prompt or a code generated by your phone. If you want to get really fancy, it could be a button pressed on an actual key you carry (which could be a special USB- or Bluetooth-based dongle or even something built into your phone) — sometimes even called a “passkey,” which is basically just a confusing and overcomplicated way to say the same thing. There’s also an option to have codes sent to you via text message, but that method is relatively easy to hijack and thus not generally advisable to use.

Whatever path you choose, having that second layer in place will make it incredibly difficult for anyone to get into your Google account, even if they do somehow know your password.

Two-factor authentication makes it significantly more difficult for anyone to get into your Google account.
JR Raphael / IDG

If you don’t have it set up yet, go to Google’s 2-Step Verification page to get started.

Step 3: Make sure you’re prepared to prove your identity

If Google ever detects some sort of suspicious activity on your account, it might require you to verify your identity before it lets you sign in. And if you haven’t looked at your account verification settings in a while (or ever, for that matter), there’s a decent chance the necessary info might be out of date or missing altogether.

Take a minute now to open up Google’s account security site and look in the section labeled “How you sign in to Google.” There, among other things, you should see two options:

Recovery phone

Recovery email

If the value next to either option is not current and correct, click it and update it immediately.

And with that, we’re ready to move on to our next level of Google account protection.

Part II: Clamp down on connections

Step 4: Review the third-party services with access to your account

When you set up an app that interacts with Google in some way — on your phone, on your computer, or even within a Google service such as Gmail or Docs — that app gets granted a certain level of access to your Google account data.

Depending on the situation, that could mean it’s able to see some of your activity within specific Google services; it could mean it’s able to see everything in your Gmail, Google Calendar, or Google Drive; or it could mean it’s able to see everything across your entire Google account.

It’s all too easy to click through confirmation boxes without giving it careful thought — so look back now and see exactly what apps have access to what types of information. Visit Google’s third-party app access overview and look through the list of connected services. If you see anything there you no longer use or don’t recognize, click its line and then click the button to remove it.

Review your third-party app list and remove any items that no longer need access to your Google account.
JR Raphael / IDG

Allowing apps you know and trust to access your account is perfectly fine, but you want to be sure to revisit the list regularly and keep it as current and concise as possible.

Step 5: Review the devices with access to your account

In addition to apps, you’ve almost certainly signed into your Google account on a variety of physical devices over the past several months (and beyond). And often, once you’ve signed in at the system level, a device remains connected to your account and able to access it — no matter how long it’s been since you’ve actually used the thing.

You can close that loop and take back control by going to Google’s device activity page. If you see any device there that you no longer use or don’t recognize, click the three-dot menu icon within its box and sign it out of your account right then and there.

Step 6: Look over app permissions on your phone

Another important app-related consideration: If you’re using Android, some system-level permissions — such as those connected to your contacts and calendar — can effectively control access to areas of your Google account data, since services such as Google Contacts and Google Calendar sync that data between your phone and the cloud.

Head into the Security & Privacy section of your phone’s system settings and look for the line labeled “Permission manager.” (Depending on your device, you might have to tap a line labeled “Privacy controls” before you see it.) If you can’t find it, try searching your system settings for the phrase permission manager instead.

Once you get there, you can look through each type of permission and see which apps are authorized to access it — and, with a couple more taps, revoke the permission from any apps where that level of access doesn’t seem necessary.

Android makes it easy to review and adjust an app’s permission, if you know where to look.
JR Raphael / IDG

Step 7: Look over extension permissions in your browser

On the desktop, extensions added into Chrome or any other browser have the potential to expand your browser’s capabilities — but they also have the potential to put your privacy at risk.

Extensions could require access to anything from your complete browsing history to your system clipboard. They can often read and change data on sites you’re actively viewing, too — either any and all sites or only specific pertinent URLs, depending on the specific permissions requested.

None of this is necessarily bad, so long as the extension in question is reputable and requesting only the permissions it genuinely requires for the function it provides. But sometimes, even the most well-intending developers can get lazy and go with a broader permission than what their software actually needs. And in such an instance, an extension that does something as simple as enhancing the Gmail interface or allowing you to save articles for later could have access to everything you do in your browser — and the sort of broad data that’s typically kept under lock and key inside your Google account could be shared with external entities for no good reason.

So let’s do a quick little assessment, shall we? If you’re using Chrome, type chrome:extensions into your browser’s address bar. If you’re using another browser, look in its main menu to find the equivalent option for managing extensions or add-ons, as they’re sometimes also called.

Once you’re looking a list of all your installed extensions, click the “Details” or “Options” button for every extension on the page. Peek at the “Permissions” section within each one and then take a close look at the “Site access” section, in particular. Think carefully about the level of access that’s granted there and whether it’s genuinely needed — or whether it’d make sense to bring it down a notch and make it more limited in nature.

With Chrome and other Chrome-based browsers — like Microsoft Edge and Vivaldi — if the extension seems like it really only needs access to a specific site or domain and it’s requesting access to your activity on all sites, click the dropdown menu in that area and change its setting from “On all sites” to “On specific sites” (which lets you provide a specific, limited list of URLs on which the extension will have full visibility).

Chrome and other Chrome-based browsers make it easy to view and adjust the permissions for any browser extension you’re using.
JR Raphael / IDG

Just remember that many extensions do legitimately need certain levels of access in order to operate — so make these changes cautiously and only after carefully thinking through the potential implications. Worst-case scenario, though, if you bring an extension’s access down and then find it’s no longer working as expected, you can always come back to this same area of your browser’s settings later and change it back.

Firefox, incidentally, doesn’t allow this level of granular permission-granting — so if you find an extension there is accessing more than you’re comfortable with, your only real option is to uninstall it entirely.

Speaking of which…

Step 8: Get rid of any mobile apps and browser extensions you don’t need

While you’re thinking about third-party add-ons for your computer and phone, take a moment to review everything you have installed on both fronts and consider how many of those programs you actually still use. The fewer cracked windows you allow on your Google account, the better — and if you aren’t even using something, there’s no reason to keep it connected.

And with that, we’re ready for our final two parts of account-protecting possibilities.

Part III: Plan for the worst

Step 9: Set up or confirm your virtual Google will

Thinking about worst-case scenarios is never particularly pleasant — I’d much rather be eating crumpets, myself — but just as it’s important to have a plan in place for your physical and financial possessions, creating a virtual will for your Google account will make matters infinitely easier for your loved ones if and when you ever develop a mild case of death.

For company-managed Google Workspace accounts, someone at your organization would be able to take control of your account in the event that you were no longer able to access it. But with an individual Google account, no such system for passing along access exists.

Google has a simple system in place to manage this: Open up the Inactive Account Manager, and you’ll find tools for determining exactly what should happen if your account ever becomes inactive for a certain period of time. You can specify the number of months that must go by without any sign of your presence, along with the email addresses and phone numbers Google should use to contact you for confirmation. And then, you can give Google the email addresses of any people you want to be notified once it’s clear that you’re no longer available.

From there, you can specify exactly what types of information your chosen contacts will be able to access. You’ll even be able to leave a message for those people, if you want, and optionally create a broad autoreply that’ll be sent to anyone who emails you once your inactive period has begun (creepy!).

Google’s Inactive Account Manager is like a virtual estate planning tool for all of your account-associated data.
JR Raphael / IDG

Even if you’ve gone through this process before, it’s worth going back in and revisiting your preferences occasionally to confirm the info is all still complete and accurate — not only in the specific contacts you have set to be notified but also in what specific areas of your account those people will be able to access, if this situation ever actually arises.

For that latter piece of the puzzle, be sure to click the pencil-shaped icon next to the email address of each person you have listed. After you confirm their address, that’ll show you a list of account-related areas — everything from Contacts and Calendar to Google Chat, Google Photos, and even your location history (if you’re using a device that contributes to such a collection).

Virtually every time I’ve ever looked at that, I’ve found a handful of newer account-related areas weren’t selected to be shared — presumably because they didn’t exist when I had last reviewed the options. I had to manually check them all to be sure they’d be included in any post-consciousness account sharing.

Part IV: Turn your protection up to the max

Step 10: Think about Google’s Advanced Protection Program

Last but not least is a step that won’t be right for everyone but could be hugely consequential for certain types of Google users. For anyone at a higher risk of a targeted attack, Google offers an elevated form of account security called the Advanced Protection Program.

The program is described as being appropriate for business leaders, IT admins, activists, journalists, and anyone else who’s in the public eye and likely to be sought out by someone looking to do damage. It puts a series of heavy-duty restrictions on your Google account to make it especially difficult for anyone else to gain access — but as a result, it also makes things a bit more difficult for you.

The core part of the Advanced Protection Program is a requirement to have a physical security key the first time you sign into your account on any new device. That means in addition to your password, you’ll need that specific form of two-factor authentication — either an approved key built into your phone or a standalone dongle — in order to access your email, documents, or any other area of your Google account.

As part of the added security, you also won’t be able to connect most third-party apps to your Google account — including those that require access to your Gmail or Google Drive in order to operate. That could create some challenges (such as signing into an Android TV device, curiously enough) and require some compromises (such as no longer being able to use most third-party email clients with Gmail). And if you ever can’t get into your account for any reason, you’ll have to go through an extra-involved, multiday recovery process in order to restore access. You can read more about what the Advanced Protection Program is like to live with in this thoughtful overview.

Ultimately, only you can decide if the added inconveniences are worth the extra assurance. If you want the utmost in security for your Google account, though — and particularly if you’re someone who’s at a higher-than-average risk of being targeted — it’s something well worth considering.

If you do want to make the leap and add this extra layer of intense security onto your Google account, head over to Google’s Advanced Protection Program website to get started. With a personal account, you’ll be able to get yourself up and running in a matter of minutes. With an account that’s part of a paid company Workspace plan, your plan administrator will have to enable Advanced Protection for the organization before you’re able to do it. Once you start the enrollment process, you’ll see pretty quickly if it’s already available for your account or not — and if not, you can contact your company admin to ask about the possibility of allowing it.

And with that, give yourself a pat on the back: Now that these 10 steps are behind you, your Google account security is officially in tiptop shape — and you shouldn’t have to devote an ounce of thought to this area again anytime soon.

Just set yourself a reminder to revisit this page and review the steps within it once a year for good measure. (I’ll continue to update and expand the specific instructions as needed over time.) Do the same with security smarts in other areas — like your Android security settings, if you’re using an Android device of any sort — and then rest easy knowing your most important digital info is as secure as it can possibly be.

This article was originally published in February 2020 and updated in November 2024.