While hacking into Google might be difficult, hacking into your particular Google account probably isn't. Most people use simple, easy-to-remember passwords -- often the same one on dozens of sites -- which means a hacker with some basic information about you could easily crack your account.
If you use a single English-language word as a password, a hacker who knows just your e-mail address can crack your account in a few seconds by using common cracking tools that simply try every word in the dictionary.
And on Google, your password accesses everything, from your medical records on Google Health to your credit card numbers on Google Checkout.
Use a password management program like KeePass or RoboForm to generate and remember strong passwords (such as W2J@Y*YHzqrkd) that are almost impossible to guess. And change your password regularly -- once a month or more.
Use multifactor authentication. Using just a password to log into a service leaves you with a single point of failure: If someone gets your password, you're vulnerable. Multifactor authentication requires you to verify your identity in two or more ways.
"Multifactor authentication is based on using at least two of three things: something you know, something you have and something you are," says TriCipher's Sonecha. A password (something you know) is one factor. Services such as TriCipher's MyOneLogin and MultiFactor Corp.'s SecureAuth limit access by requiring additional verification, such as a VeriSign security token or a file on your computer (something you have) or a fingerprint (something you are).
MyOneLogin offers its secure authorization free for users of Google Apps or, for $3 a month, you can sign up for a service that covers not just your Google account but all of your online activity. You can add Web sites or Web applications from MyOneLogin's vast library, or easily set up applications MyOneLogin doesn't cover yet. (Click "Free Trial" on the home page to get started.)
Risk 5: Hackers cracking your log-in
Even if you have a difficult-to-guess password, a hacker can still gain access to your Google account by getting you to log in through a fraudulent link, or by getting malware onto your computer that installs keylogging software or modifies your hosts file. If your computer has been compromised in that way, you may think you're logging into Google but you're really giving your information to a hacker. Google speculates that this is how the Gmail accounts of several human rights advocates were breached recently.
(Tip: Always pay attention to the URL in your browser before entering sensitive information if you clicked on a link from an e-mail or a third-party page -- if the domain name is wonky or doesn't match where you're supposed to be, it's a clear indicator that someone's trying to dupe you.)
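As an added illustration of the tip above (not part of the original article), this Python script applies the "does the domain match where you're supposed to be" check to a handful of constructed links that use the usual tricks: a trusted name buried in a longer host, a trusted name placed before an "@", look-alike non-ASCII characters, and a bare IP address. The expected domain and the sample links are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: the user intends to sign in to Google, so
# "google.com" is the only registered domain the link should lead to.
EXPECTED_DOMAINS = ("google.com",)

def registered_domain(host: str) -> str:
    """Last two labels of a host name (a rough stand-in for the registered
    domain; a production check would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_link(url: str, expected=EXPECTED_DOMAINS):
    """Return (ok, reason) for a link the user is about to follow."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    host = parts.hostname  # drops any user@ prefix and port, lowercases
    if not host:
        return False, "no host name"
    if "@" in parts.netloc:
        return False, "text before '@' is not the real host"
    if not host.isascii():
        return False, "non-ASCII host (possible look-alike characters)"
    if host.replace(".", "").isdigit():
        return False, "bare IP address instead of a domain name"
    dom = registered_domain(host)
    if dom not in expected:
        return False, f"domain is {dom}, expected one of {expected}"
    return True, "ok"

# Constructed sample links (not real sites) showing common deceptions.
SAMPLE_LINKS = [
    "https://accounts.google.com/ServiceLogin",
    "http://accounts.google.com/ServiceLogin",
    "https://accounts.google.com.login-check.example/",
    "https://www.google.com@login-check.example/",
    "https://g\u043eogle.com/",          # Cyrillic 'о' in place of Latin 'o'
    "https://192.0.2.10/google/",
]

def review_links(links=SAMPLE_LINKS):
    """Map each link to its (ok, reason) verdict."""
    return {u: check_link(u) for u in links}

if __name__ == "__main__":
    for url, (ok, why) in review_links().items():
        print("OK  " if ok else "WARN", url, "-", why)
```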
If you're still using Internet Explorer 6, upgrade immediately. According to security firm Secunia, IE6 has 24 unpatched vulnerabilities -- far more than any other browser commonly in use today. It was an IE6 flaw (that has since been patched) that enabled the December 2009 breach of Google's network. Google plans to drop support for IE6 for many of its services this year.
Beyond that, practice good Internet security behavior: Run anti-malware software on your system (yes, even on Macs); don't click on links in e-mails, even from people you trust (or if you do, pay attention to the URL, as outlined above); don't open attachments you aren't expecting; stay away from shady Web sites (porn, illegal file-transfer or warez sites); and never click on pop-ups, not even to close them (instead, use the keystroke commands Alt-F4 on Windows machines or Command-W on Macs).
"Sandbox" your browser. Use virtualization software like VMware Player or Parallels Desktop to create a self-contained operating system so that viruses and other malware cannot access your hard drive directly -- and when you're done, trash the session and start a new one from the original disk image. A browser sandbox such as Sandboxie also offers some protection by isolating your browser from the rest of the system.
As Steve Gibson, longtime security researcher and founder of Gibson Research Corp., points out in a Security Now! netcast, neither virtual machines nor browser sandboxes provide complete protection from keyloggers and other malware. But used properly alongside other standard security applications (firewalls and antivirus and anti-malware apps), they can help prevent malware from installing anything on your system.
Finally, take a good, hard look at what you're giving Google and what you're getting in return. "You can no longer be passive about protecting your digital footprint," explains CSIdentity's Morrow. "You need to think of it as if your enemy is in the room, overseeing everything you do. That kind of 'filtering' will lessen not only where you go but what information you're willing to leave behind."
Google may not be your enemy -- now. But a change in management at Google or an acquisition by another company (hey, it could happen) could change that. Even a legal suit could spell trouble if Google gets a subpoena. And individuals within Google's wall of defenses -- a rogue employee, someone with a personal vendetta, or a hacker -- may actually be your enemy. And naturally, the higher your public profile, the more of a target you become.
Friend or foe, Google will have your information in its servers for a long time; a little paranoia won't kill you, and it just might save you if Google ever turns its back on its "Don't Be Evil" mantra.
Logan Kugler is a frequent Computerworld contributor. His most recent article was "10 must-have Firefox extensions for business."
This story, "The smart paranoid's guide to using Google," was originally published by Computerworld.