8 Simple Steps to Protect Your Google Account (Gmail) in 2025 – The Complete Guide
Your Gmail is probably the master key to your digital life — bank alerts, password resets, work documents, photos, and more. If someone gets in, they don’t just read your emails; they can take over everything.
Here’s the exact checklist I give friends and family (and use myself) to make a Google account very hard to take over.
1. Turn On 2-Step Verification (Right Now)
If you only do one thing, do this.
- Go to myaccount.google.com → Security → 2-Step Verification
- Choose the strongest option available to you, in this order:
1. Hardware security keys (YubiKey, Google Titan, etc.) or a passkey – phishing-resistant, because the FIDO credential only answers for the genuine google.com origin, so a look-alike login page gets nothing it can replay
2. Google Prompt on your phone – shows the device and rough location of the sign-in attempt; approve only prompts you triggered yourself, since a phisher who already has your password can fire one at you while you are on their fake page
3. Authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) – time-based codes; a proxy phishing site can relay the code to Google in real time, so only ever type a code into google.com itself
4. SMS codes – weakest: exposed to SIM swapping and carrier social engineering, but still better than no 2FA
Pro tip: Register TWO hardware keys (or at least one key + authenticator app) so you’re never locked out if you lose one, and print your one-time backup codes (Security → 2-Step Verification → Backup codes) and keep them somewhere offline.
2. Use a Strong, Unique Passphrase (Not a Password)
- Minimum 16–20 characters
- Example shape: four or five random dictionary words, like the classic “correct horse battery staple” pattern, but never use that or any other published example; generate your own with real dice or a password manager so it can’t be guessed from things people know about you
- Never reuse it anywhere else
- Store it in a password manager (Bitwarden, 1Password, or Google’s own password manager)
Google also supports passkeys: a FIDO credential stored on your phone, computer or security key and unlocked with fingerprint, face or the device PIN. Set one up. It is phishing-resistant for the same reason a hardware key is, and it is faster than typing a password and a code.
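How much a random word passphrase actually buys you is easy to compute, and it is the reason four or five words is the floor. The Python below is an added example, not code from the original post: it picks words with the operating system’s CSPRNG and reports the entropy, assuming a standard 7776-word Diceware list. The short word list embedded here is constructed for the demo and is far too small for a real passphrase.

```python
import math
import secrets

# Constructed mini word list so the demo runs offline. A real Diceware list has
# 7776 words (6^5, one per roll of five dice); use the EFF large word list in practice.
DEMO_WORDLIST = [
    "acid", "bison", "cactus", "dune", "ember", "fjord", "gecko", "harbor",
    "igloo", "jungle", "kayak", "lumen", "marble", "nectar", "orbit", "pixel",
    "quartz", "ridge", "saddle", "tundra", "umber", "velvet", "walnut", "xenon",
    "yonder", "zephyr",
]
DICEWARE_LIST_SIZE = 7776  # size of a standard five-dice Diceware list (assumption)


def passphrase_entropy_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase made of num_words uniform, independent picks from list_size words."""
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words: int, wordlist=DEMO_WORDLIST, separator: str = "-") -> str:
    """Pick words with secrets.choice (OS CSPRNG), never random.choice, which is predictable."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n} words from a {DICEWARE_LIST_SIZE}-word list: {passphrase_entropy_bits(n):.1f} bits")
    print("words needed for 80 bits:", words_needed(80))
    print(f"5 words from the {len(DEMO_WORDLIST)}-word demo list: "
          f"{passphrase_entropy_bits(5, len(DEMO_WORDLIST)):.1f} bits (too weak)")
    print("demo passphrase:", generate_passphrase(5))
```

Four words from a full list give about 51.7 bits, five about 64.6, and `words_needed` shows that 80 bits takes seven. Capitalisation, digits and punctuation add nothing you can count on unless they are chosen randomly too; the strength comes from the word picks, which is why the demo list of 26 words (23.5 bits for five words) would be hopeless in practice.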
3. Do the Google Security Checkup (Takes 3 Minutes)
myaccount.google.com/security-checkup
It will show you:
- Devices logged in right now
- Apps with full access to your account
- Old recovery options
Do this every 3–6 months. You’ll be shocked what you find.
4. Remove Dangerous App Permissions
- Go to myaccount.google.com/permissions
- Revoke anything you don’t recognize or no longer use
- Especially watch out for old “Sign in with Google” apps that have “access to your entire Gmail”: that scope lets the app read, send and delete mail on your behalf
- While you’re there, go to Security → 2-Step Verification → App passwords and delete any you no longer use; an app password bypasses 2-Step Verification entirely
5. Set Up Recovery Options That Are Hard to Social-Engineer
- Add a recovery email you control (not another Gmail if possible), and protect that mailbox with 2FA too, since whoever controls it can reset this one
- Add a recovery phone number, but remember it is only as safe as your carrier’s SIM-swap defences, so never let SMS be your only second factor
- Then enable the “Advanced Protection Program” if you’re a high-risk target (journalists, activists, executives): google.com/advancedprotection
(It requires a phishing-resistant sign-in with a security key or passkey, adds extra steps to account recovery so an attacker can’t talk their way past a reset, and limits which third-party apps can reach your Gmail and Drive data. It’s the nuclear option against targeted, state-level attacks.)
6. Turn On Enhanced Safe Browsing in Chrome
Settings → Privacy and security → Security → Safe Browsing → Enhanced protection
It checks URLs and downloads against Google’s threat data in real time and warns you before a known phishing page or malicious file loads, rather than relying only on a locally cached list.
7. Watch for These Red Flags (Act Immediately)
- Emails claiming to be a “Critical security alert” from no-reply@accounts.google.com. Google does send real alerts from that address, but spoofs copy it too, so never act through the email itself: open myaccount.google.com/notifications (Security → Recent security activity) yourself and check whether the event is real
- Login attempts from weird locations
- Your phone buzzing with Google Prompts you didn’t trigger
If anything looks off, immediately:
- Change your password from a device you trust; this also ends most other sessions
- Review every remaining session (myaccount.google.com → Security → Your devices) and sign out anything you don’t recognize
- Check Gmail Settings → Forwarding and POP/IMAP and Settings → Filters and Blocked Addresses for forwarding rules or filters you didn’t create; attackers add these to keep a copy of your mail and to hide the alert emails from you
- Revoke third-party access and app passwords you don’t recognize
- Run the Security Checkup and confirm your recovery email and phone number haven’t been changed
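One concrete way to tell a real alert from a copy is to look at the authentication results your mail provider stamps on the message and at where its links actually point. The Python below is an added example, not code from the original post or from Google: it parses two constructed messages, a genuine-looking alert that passes DKIM and DMARC and links only to myaccount.google.com, and a spoof that fails authentication and links to a look-alike domain, and flags the problems. The `Authentication-Results` header is what receiving mail servers add (RFC 8601); the trusted sender domain and the Google hostnames are assumptions written into the constants.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: a genuine-looking Google alert that passes authentication
# and links only to Google's own hostname.
GENUINE_ALERT = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@accounts.google.com header.s=20230601;
 spf=pass smtp.mailfrom=accounts.google.com;
 dmarc=pass header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
To: you@example.net
Subject: Security alert

New sign-in on Windows.
Check activity: https://myaccount.google.com/notifications
"""

# Constructed sample: a spoof that copies the display name and address but fails
# DKIM/DMARC and points at a look-alike domain.
SPOOFED_ALERT = """\
Authentication-Results: mx.example.net;
 dkim=none;
 spf=fail smtp.mailfrom=accounts.google.com;
 dmarc=fail header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
To: you@example.net
Subject: Critical security alert

Someone has your password. Review now:
https://accounts.google.com.security-review.example/verify
"""

# Assumptions for this demo: the only sender domain trusted for Google alerts,
# and the hostnames a real alert may link to.
TRUSTED_SENDER_DOMAIN = "accounts.google.com"
GOOGLE_HOSTS = {"myaccount.google.com", "accounts.google.com"}


def auth_results(msg) -> dict:
    """Pull the dkim/spf/dmarc verdicts out of the receiving server's Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", header))


def is_google_host(url: str) -> bool:
    """True only if the link's hostname is one of the Google hosts or a subdomain of google.com."""
    host = (urlsplit(url).hostname or "").lower()
    return host in GOOGLE_HOSTS or host.endswith(".google.com")


def extract_links(msg) -> list:
    """Collect http(s) URLs from the text/plain parts of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    text = ""
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return re.findall(r"https?://[^\s<>\"']+", text)


def assess_alert(raw_message: str) -> dict:
    """Run the checks a reader would want before trusting a 'security alert' email."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    reasons = []
    if from_domain != TRUSTED_SENDER_DOMAIN:
        reasons.append(f"From domain {from_domain!r} is not {TRUSTED_SENDER_DOMAIN}")
    for check in ("dkim", "dmarc"):
        if auth.get(check) != "pass":
            reasons.append(f"{check} is {auth.get(check, 'missing')}, not pass")
    bad_links = [u for u in extract_links(msg) if not is_google_host(u)]
    if bad_links:
        reasons.append(f"links to non-Google hosts: {bad_links}")
    return {
        "from_domain": from_domain,
        "auth": auth,
        "bad_links": bad_links,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "authenticated",
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_ALERT), ("spoofed", SPOOFED_ALERT)):
        result = assess_alert(raw)
        print(f"{label}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

Gmail exposes the same header data under the message menu’s “Show original”. Passing authentication is not proof of good intent (attackers send from legitimate, authenticated domains too), so the safe response to any alert stays the same: open myaccount.google.com/notifications yourself rather than following the link.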
8. Bonus Hardening (Takes 5 Extra Minutes)
- Enable “Offline Gmail” only when you really need it: it caches your mailbox on that device, so anyone who gets the device gets your mail
- Every few months review Settings → Filters and Blocked Addresses and Settings → Forwarding and POP/IMAP, and delete anything you didn’t create. A filter that quietly archives or deletes security alerts is a classic sign of a silent takeover, so don’t set up rules that hide “suspicious” mail from yourself
- Use “Confidential Mode” for messages that should expire or not be forwarded, but know its limits: it is not end-to-end encryption, Google can still read the message, and the recipient can still take a screenshot
TL;DR Checklist (Copy-Paste This)
☐ 2-Step Verification ON (hardware key, passkey or authenticator)
☐ Backup codes printed and stored offline
☐ Unique 16+ character passphrase or passkey
☐ Recovery email + phone updated
☐ Completed Google Security Checkup
☐ Removed old app permissions and app passwords
☐ Gmail filters and forwarding audited
☐ Enhanced Safe Browsing ON
☐ (Optional) Advanced Protection Program if you’re high-risk
Do these eight things and your Google account will be far better protected than the typical account, and the phishing-resistant second factor alone removes the attack that catches most people.
Stay safe out there — the bad guys are getting smarter, but so can we.
Have a tip I missed? Drop it in the comments!