TOP | 2016 | Weekly Column | (Thailand) Email Safety Recommendations

Email Safety Recommendations
ThaiCERT Engineer
Mr. Artthawit Hung

Email has become an important way to communicate these days because it’s fast, convenient, and has nearly no cost to the user. We use it in many different ways in our daily lives for personal and business purposes. Although much sensitive information is sent and stored in email systems, people often aren’t aware of how important it is to protect their email accounts and, as a result, private information is being stolen. Although email service providers have installed security measures, users should also learn how to protect themselves from hackers who may try to gain access and steal user information. We would like to recommend the following:

2-step verification 

When accessing email services, we need to confirm our identities. In general, the verification method can be classified as: 
  - Something you know (e.g., username and password)
  - Something you have (e.g., mobile phone and Smart Card)
  - Something you are (e.g., fingerprint and voice)
To add more security, we recommend a 2-step verification process. 
This 2-step verification is a mechanism of authentication using two verification methods together to enhance security for logins to access services. For example, combining username and password with an OTP from a mobile phone will protect you even if your password is leaked. Most of the free and widely used email services have such 2-step verification in their security settings.


A username and password is the most common way to identify and verify yourself over the Internet. A good password is important to prevent unauthorized access.
To set up a good password you need:
  - a password that contains at least eight characters.
  - a password that contains a combination of diverse characters, e.g., lower case letters, upper case letters, numbers, and special characters.
In addition:
  - Do not reuse the same password that is already in use in other systems with a similar username.
  - Use words that do not appear in the dictionary.
  - Change passwords regularly. 
As well as setting up a strong password, users should be careful about where their passwords can be seen or obtained.
  - Do not write down your username and password and leave them in a public place.
  - Do not share username and password with anyone.
  - Do not let a web browser remember your passwords.

Caution in the use of public computers

There are many risks while using a public computer. We don’t know what kind of software is installed on a public computer and whether we can trust it or not. Users should always avoid using a public computer for sensitive actions. When on the Internet, try to set the web browser to private or incognito mode and always refuse when the browser asks to remember a password. Additionally, you should use the on-screen keyboard (a virtual keyboard: a standard accessory for many operating systems) when typing passwords or sensitive information to block keylogger software.

Review the account activity and security settings regularly

Users should review the activity log regularly for irregular or suspicious activity, such as an unfamiliar login location, an unrecognized device or an unusual login time. You may notice unusual activity by reviewing such information, for example, a login at midnight from abroad. Moreover, security settings should also be reviewed. These include login settings, password recovery options, secondary email accounts, etc. If you find any suspicious activity, you should change your password immediately and examine all devices ever connected to that email account.
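
The review described above can be run over an exported activity log. The script below is an added example, not part of the original column: the CSV column names, the sample rows and the baseline values are all constructed assumptions, and "XX" stands in for any country the account owner does not normally log in from.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; the column names are assumptions, not any
# provider's real format. Timestamps are taken to be the owner's local time.
SAMPLE_LOG = """timestamp,country,device
2016-03-01T08:15:00,TH,Chrome on Windows
2016-03-02T19:40:00,TH,Android phone
2016-03-03T00:12:00,XX,Firefox on Linux
2016-03-04T02:30:00,TH,Android phone
2016-03-05T09:05:00,TH,Safari on Mac
"""

# Baseline kept by the account owner (hypothetical values).
KNOWN_COUNTRIES = {"TH"}
KNOWN_DEVICES = {"Chrome on Windows", "Android phone"}
USUAL_HOURS = range(6, 23)  # 06:00 to 22:59


def review_logins(log_text, countries=KNOWN_COUNTRIES,
                  devices=KNOWN_DEVICES, hours=USUAL_HOURS):
    """Return (timestamp, reasons) for each login that departs from the baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        reasons = []
        if row["country"] not in countries:
            reasons.append("unfamiliar location: " + row["country"])
        if row["device"] not in devices:
            reasons.append("unrecognized device: " + row["device"])
        if when.hour not in hours:
            reasons.append("unusual login time: " + when.strftime("%H:%M"))
        if reasons:
            findings.append((row["timestamp"], reasons))
    return findings


if __name__ == "__main__":
    for timestamp, reasons in review_logins(SAMPLE_LOG):
        print(timestamp, "->", "; ".join(reasons))
```

A login that trips several checks at once, such as the midnight login from abroad on a new device in the sample, is the strongest signal to change the password and review connected devices.
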
Disclaimer: The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the organization or its affiliates, and the copyright belongs to the author.