Background
Previously, I talked about making my own security plan using the EFF framework. Unfortunately, it failed to produce any relevant insights. Now I am back to best practice again, but with a few additions.
In this article, I am going to explain how to secure your email, starting from general email management, then the best practices, and finally a simple audit to assess how well you have implemented your measures.
The Best Practices
Before we secure our email, I will explain the best practices I use to secure it. The password is the front line of email defense. To ensure that an email account is secure, the password must follow these best practices:
- 2FA : Enable it for high priority emails.
- Uniqueness : Make sure each password is unique; it must not appear in a data breach or common password list. Consult Have I Been Pwned to find out.
- Form : The password must be a Diceware password 16 characters long.
- Memorization : Memorize your email passwords. If you cannot, always type your email password in manually.
- Confidentiality : Never share your email password with anyone, not even someone you trust (unless it is a shared account). Do not log in on an untrusted system. If you do, do not save the password there.
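The uniqueness check above says to consult Have I Been Pwned. Its Pwned Passwords service uses a k-anonymity range API: you hash the password with SHA-1 and send only the first five hex characters, then look for the rest of the hash in the returned list locally, so the password itself never leaves your machine. The following is an added example written for this article (not the author's code and not an official client): the hashing and prefix/suffix split follow the documented scheme, the `fetch` callable is a hypothetical hook so the lookup can be run offline, and the response body below is constructed sample data with a made-up count.

```python
"""Check a password against a breach corpus the way the HIBP range API works,
without ever transmitting the full password. Added example, not from the
original article; the sample response and its count are constructed."""
import hashlib
from typing import Callable, Dict

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.
    Only the 5-character prefix is ever sent; the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_request_url(password: str) -> str:
    """URL that would be queried for this password's prefix (nothing is sent here)."""
    prefix, _ = split_hash(password)
    return RANGE_API + prefix


def count_in_range_response(password: str, response_body: str) -> int:
    """Parse a range response (lines of 'SUFFIX:COUNT') and return how many
    times the password was seen in the corpus, or 0 if it is absent."""
    _, suffix = split_hash(password)
    for line in response_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """fetch(prefix) -> response body. Hypothetical hook: pass a real HTTP
    client in production, or a dict lookup (as below) to test offline."""
    prefix, _ = split_hash(password)
    return count_in_range_response(password, fetch(prefix))


# Constructed sample: the prefix for sha1("password") is 5BAA6; the count is made up.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTP request; unknown prefixes return an empty body."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, offline_fetch), "occurrences")
```

To go live, replace `offline_fetch` with a function that performs an HTTPS GET on `build_request_url(...)` and returns the body text; the parsing does not change.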
Implementation
Tools
- Password Manager : KeePassDX, or any equivalent. This is our main tool. It stores information about your email: the name, the password, and additional information such as where it is signed in.
- Office Program : LibreOffice, or any equivalent. Use it to document your process or any other notes that do not fit in your password manager.
- Data Breach Checker : Have I Been Pwned, to check whether your email or password has been breached.
Describe Your Email
List the emails you want to secure. If you have many emails, choose the five most important ones to work on. Fill in the description:
- Purpose : What do you use this email for?
- Services : What services have you signed up for with it?
- Recovery : If you lost the email, how would you recover it?
Fill the information into your password manager accordingly. Unfortunately, I can't show what it should look like due to security policies.
Simple Audit
Any countermeasure is useless if you do not implement it. This is a simple way to audit your countermeasures. Use LibreOffice Calc or any spreadsheet program to measure them. Create a spreadsheet with the following columns, one for each best practice:
- Email : The name of your email.
- Memorization : Do you remember the password?
- 2FA : Have you enabled 2FA?
- Uniqueness : Is your password unique?
- Volatility : Have you saved the password on an untrusted system?
- Form : Does the password fit the Diceware form?
- Confidentiality : Does anyone else know your password? Have you saved it on an untrusted system?
The finished result should look like this :
Action
I am not a security expert, so do not take my recommendations too seriously. These are the things I would do to secure my password if I doubted its security.
Replace your password if:
- Your password is not unique, e.g. it was found in a data breach or you used it for another account.
- The password does not conform to the Diceware standard.
- Someone might know the password.
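The audit spreadsheet and the replacement rules above can be applied mechanically, which makes the audit repeatable rather than a one-off. The script below is an added example written for this article (not the author's spreadsheet): it encodes the article's checklist (2FA, uniqueness, Diceware form of 16 characters, memorization, volatility, confidentiality) as one row per account and then applies the "replace your password if" rules. The account records and the small set of known-breached passwords are constructed sample data; treating the Diceware form as lowercase words separated by single spaces with at least four words is my assumption, as is reading "16 characters long" as a minimum.

```python
"""Audit email accounts against the article's checklist and flag passwords
to replace. Added example, not from the original article; sample accounts
and the breached-password set are constructed."""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Account:
    email: str
    password: str
    two_factor: bool
    memorized: bool
    saved_on_untrusted: bool
    shared_with: List[str] = field(default_factory=list)  # people who know it


MIN_LENGTH = 16   # the article's "16 characters long", read as a minimum (assumption)
MIN_WORDS = 4     # assumption: a Diceware passphrase has several words


def is_diceware_form(password: str) -> bool:
    """Assumed Diceware form: lowercase alphabetic words separated by single
    spaces, at least MIN_WORDS words and MIN_LENGTH characters in total."""
    words = password.split(" ")
    return (
        len(password) >= MIN_LENGTH
        and len(words) >= MIN_WORDS
        and all(w.isalpha() and w.islower() for w in words)
    )


def audit(accounts: List[Account], breached: Set[str]) -> List[Dict[str, object]]:
    """One row per account with a True/False cell per best practice."""
    uses: Dict[str, List[str]] = {}
    for a in accounts:  # a password reused across accounts is not unique
        uses.setdefault(a.password, []).append(a.email)
    rows = []
    for a in accounts:
        rows.append({
            "Email": a.email,
            "Memorization": a.memorized,
            "2FA": a.two_factor,
            "Uniqueness": a.password not in breached and len(uses[a.password]) == 1,
            "Volatility": not a.saved_on_untrusted,
            "Form": is_diceware_form(a.password),
            "Confidentiality": not a.shared_with and not a.saved_on_untrusted,
        })
    return rows


def needs_new_password(row: Dict[str, object]) -> bool:
    """The article's rule: replace if not unique, wrong form, or someone else may know it."""
    return not (row["Uniqueness"] and row["Form"] and row["Confidentiality"])


def to_csv(rows: List[Dict[str, object]]) -> str:
    """CSV with yes/no cells, ready to open in LibreOffice Calc."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    for row in rows:
        writer.writerow({k: ("yes" if v is True else "no" if v is False else v)
                         for k, v in row.items()})
    return buf.getvalue()


# Constructed sample data (not real accounts or breach data).
SAMPLE_BREACHED: Set[str] = {"password", "123456"}
SAMPLE_ACCOUNTS = [
    Account("primary@example.com", "correct horse battery staple", True, True, False),
    Account("shopping@example.com", "password", False, True, True),
    Account("work@example.com", "correct horse battery staple", True, False, False, ["colleague"]),
    Account("bank@example.com", "gravel lantern orbit whisper", True, True, False),
]


def accounts_to_replace(accounts: List[Account], breached: Set[str]) -> List[str]:
    return [str(r["Email"]) for r in audit(accounts, breached) if needs_new_password(r)]


if __name__ == "__main__":
    print(to_csv(audit(SAMPLE_ACCOUNTS, SAMPLE_BREACHED)))
    print("Replace:", accounts_to_replace(SAMPLE_ACCOUNTS, SAMPLE_BREACHED))
```

In the sample, the primary and work accounts share a passphrase, so both fail Uniqueness even though the phrase itself has the right form; only the bank account passes every column.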
When to use 2FA
Use it if you are afraid that your email is easily breached. However, keep in mind that 2FA relies on another device, so you have to keep that device near you. It will be useless, or even backfire, if your device is stolen.
Evaluation
This method focuses on protecting your email from remote password attacks, whether brute force or dictionary. It does not address physical threats such as device hijacking, where someone has possession of your device. Nor does it dive deep into the risks of the countermeasures themselves, such as 2FA.
I need to read more about email security, and perhaps consider using passkeys instead of passwords.