Y0ur P@ssw0rd S*cks is a bi-weekly column that answers the most pressing internet security questions web_crawlr readers have to make sure they can navigate the ‘net safely. If you want to get this column a day before we publish it, subscribe to web_crawlr, where you’ll get the daily scoop of internet culture delivered straight to your inbox.
Today, web_crawlr reader Lisa R. asks: “Is there a safe email app?”
How do we define safety? Protection from hackers? Keeping prying eyes away from our inboxes? Avoiding potential government surveillance?
As I often say in these columns, there isn’t a one-size-fits-all answer when it comes to safety. The safety you need is dependent on what you’re trying to keep safe and who you’re trying to keep it safe from.
That being said, there are some fundamentals that all users of email should follow.
Now, if your primary concern is security, there are a few things you should do regardless of what email provider you have. The first and most important step you can take is to set a strong and unique password for your email.
I get it, it’s hard to remember so many passwords, so people often reuse the same password on multiple sites. The only problem is that if just one of those sites is compromised, a hacker could then use those login credentials to gain access to your accounts for banking, social media, or wherever else you’ve reused that password.
As noted in a previous column, password managers are an incredible tool for generating and storing strong and unique passwords. Luckily, most phones and browsers now offer some form of password management. Take advantage of these. It makes logging in easier and is safer than reusing passwords.
The second thing that you absolutely should do is enable two-factor authentication (2FA) for your email. After you enter your password, you will be asked to provide a randomly generated code to further confirm that the account you’re accessing is actually yours. 2FA can be sent over text, through an authenticator app, or with a physical USB-style device known as a token.
The safest option is to use a token, although it may be impractical for many to carry around a physical device. Authentication apps, which provide randomly generated codes, are the next best option. 2FA over text is good too, although hackers have been able to find ways around this method. Either way, any 2FA is better than no 2FA. So definitely use it!
Now that you have a strong and unique password and 2FA set up, which email provider or app should you use? I will quickly discuss two popular options.
In terms of security, Google’s Gmail does incredibly well. Not only does Google employ some of the best minds to continually keep their service safe, but the company also offers anyone interested access to its Advanced Protection Program.
Originally aimed at journalists and human rights workers, the Advanced Protection Program required users to have two 2FA tokens and makes it much harder for someone to reset your password or access your account.
The major downside to any Google product, of course, is the amount of information the company gathers about its users. While Google may not be reading your emails, the data giant collects reams of metadata such as your location and the unique ID that advertisers use to track you online. And if you’re a human rights worker, for example, concerned about law enforcement, Gmail could hand over if your data is prompted.
If the aforementioned issues are of concern to you, you could choose another option such as ProtonMail. Based in Switzerland, ProtonMail also offers strong security as well as privacy protections. Your entire mailbox is encrypted, meaning not even ProtonMail can read your emails. ProtonMail works best though when you are emailing another ProtonMail user. In that case, the emails will be end-to-end encrypted, ensuring no one in between can snoop in on your message.
Both Gmail and ProtonMail offer easy to use apps for Android and iPhone. Both have their pros and cons. At the end of the day, it also doesn’t hurt to have multiple email addresses for different purposes. There are even services, such as those offered by Apple, that will let you use randomly generated emails on websites where all messages will be forwarded to your primary email address. This way, you won’t have to give out your actual email address to every website you use.
The internet is chaotic—but we’ll break it down for you in one daily email. Sign up for the Daily Dot’s web_crawlr newsletter here to get the best (and worst) of the internet straight into your inbox.