Best Practices for Account Security | Zoho Accounts

Best practices for keeping your Zoho account secure

Make your password strong

For password security, we recommend going passwordless using our authenticator, Zoho OneAuth. However, if you want to keep using passwords, please follow the practices below:
  1. Avoid using personal information such as your birthday, mobile number, or pet name.
  2. Avoid using only a single word or only common dictionary words.
  3. Avoid using sequences with repetitive or consecutive characters (like "12345," "000"), or commonly used sequences (like "qwerty").
  4. Don't make the password overly complex; make sure it is easily remembered.
  5. Don't reuse the same password on multiple services.
  6. Use a unique password for your Zoho account. Never share your account password with others.
Info: By default, Zoho requires users to set a password that meets the following criteria:
  1. Should be at least 8 characters.
  2. Should not contain parts of the user's email address, first name, or last name.
  3. Should not contain repeated characters (such as "000") or sequential characters (such as "123", "abc").
  4. Should not be a breached password. When you enter a password, we will check if it is found in any previous breaches using Troy Hunt's breached password collection. If it was, we will prompt you to enter a different password.
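
The four default criteria above can be expressed as a single check. The following is an added example, not Zoho's code: the run length of 3, the minimum "part" length of 3, the use of only the email's local part, and the sample data are assumptions. The breach lookup uses the SHA-1 range-query (k-anonymity) scheme offered by the Pwned Passwords service, where only the first five hex characters of the hash leave the client; the page does not say how Zoho queries the collection.

```python
import hashlib
import re

MIN_LENGTH = 8   # from the default criteria listed above
RUN = 3          # assumption: run length that counts ("000", "123", "abc")
MIN_PART = 3     # assumption: shortest name/email fragment treated as a "part"

def has_run(pw):
    """True if pw contains RUN identical or RUN ascending characters."""
    p = pw.lower()
    for i in range(len(p) - RUN + 1):
        chunk = p[i:i + RUN]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {0} or (steps == {1} and chunk.isalnum()):
            return True
    return False

def personal_parts(email, first, last):
    """Lower-cased fragments of the email local part and the names."""
    local = email.split("@")[0]
    tokens = re.split(r"[^a-z0-9]+", f"{local} {first} {last}".lower())
    return {t for t in tokens if len(t) >= MIN_PART}

def is_breached(pw, fetch_range):
    """Range lookup: fetch_range only ever sees the 5-character hash prefix."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.partition(":")
        if found.strip().upper() == suffix and int(count or 0) > 0:
            return True
    return False

CONSTRUCTED_BREACHED = ["Summer2019!", "correcthorsebattery"]  # constructed sample data

def local_range(prefix):
    """Offline stand-in for a range endpoint, returning 'SUFFIX:COUNT' lines."""
    digests = (hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in CONSTRUCTED_BREACHED)
    return "\n".join(f"{d[5:]}:42" for d in digests if d.startswith(prefix))

def check_password(pw, email, first, last, fetch_range=local_range):
    """Return the list of criteria that pw violates (empty list means accepted)."""
    lowered, problems = pw.lower(), []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if any(part in lowered for part in personal_parts(email, first, last)):
        problems.append("contains personal info")
    if has_run(pw):
        problems.append("repeated or sequential characters")
    if is_breached(pw, fetch_range):
        problems.append("found in breach data")
    return problems
```

Range responses can include padding entries with a count of 0, which is why the lookup only treats a suffix with a positive count as a hit.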

Set up recovery options

Your Zoho account will contain important information such as your documents, emails, and so on. So, it is important that you always have access to your account. You can get locked out and lose access to your account for the following reasons:
  1. You forgot your password.
  2. Someone else accessed your account and changed your password.
  3. You have set up multi-factor authentication (MFA), but are unable to sign in due to some issue.

Setting up account recovery options will help you recover your access during these times.

Recovery email address/mobile number

A recovery email address or recovery mobile number will help you reset your account password if you get locked out. Make sure the email address or mobile number you add is:

  1. Personal only to you.
  2. Easily accessible.
  3. Working and able to receive emails/SMS.
To add a recovery email or number:
  1. Go to accounts.zoho.com.
  2. In the Profile tab, go to the Email Address or Mobile Number section.
  3. Click Add Email Address or Add Mobile Number.
  4. Enter your email address or mobile number, then click Next.
  5. Enter the OTP you received, then click Verify.
After you add them, periodically check and update them. If someone else gets access to the email address or mobile number, they will be able to reset your password. At Zoho, we will also remind you to review the added recovery options periodically.

Backup verification codes

If you have enabled multi-factor authentication (MFA) for your account, it is important that you generate and save the backup verification codes for your account. These codes allow you to recover your account if you are unable to sign in using MFA.

If you are using Zoho OneAuth as your MFA mode, you can also set up a passphrase. This passphrase will allow you to recover access to OneAuth if you ever lose it.

Be aware and careful of phishing attempts

Phishing is a method attackers employ to gain access to your personal information, your credentials, or to your account in general. An attacker will send phishing emails to a large number of recipients, hoping that some of the recipients will be deceived. The phishing email may cite a critical emergency and urge you to provide your personal information, or ask you to access a link to a malicious web page, or download a malicious attachment.

Even if you have secured your account with multi-factor authentication, the attacker can gain access to your account through these phishing web pages using sophisticated techniques. For example, using the "adversary-in-the-middle" method, the attacker can steal the session cookies from your browser and gain access to your account, bypassing MFA.

How to identify a phishing email

  1. Note the clarity of the email content. Check if the content is ambiguous or doesn't make sense. Phishing emails also tend to create a sense of danger and urgency.
  2. Check if the sender's email address is suspicious. Typically, the attacker will use a domain that is slightly different from the actual domain they are posing as. So, look out for spelling mistakes, for example, zohocrop.com instead of zohocorp.com. They may also use the name of the company in the first part of the address, such as zohosupport@abc.com.
  3. Check the URLs of the links and buttons present in the email. The text of the URL may seem normal, but it might be linked to a different URL. For example, the text may read "Renew Payment" or "Confirm Account"; but they are, instead, linked to a malicious URL. Make sure you hover over the link and check the URL before clicking on it. Check for spelling mistakes and suspicious domain names in the URLs, too.
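
The sender and link checks in steps 2 and 3 can also be automated for mail triage. The following is an added example, not Zoho's code: the trusted-domain set, the 0.85 similarity cutoff, and the sample message are assumptions, and the registrable domain is approximated by the last two labels.

```python
import difflib
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"zoho.com", "zohocorp.com"}  # assumption: domains the reader expects mail from
BRAND = "zoho"

def classify_domain(domain):
    """'trusted', 'lookalike' (close spelling of a trusted domain) or 'other'."""
    d = domain.lower().rstrip(".")
    if d in TRUSTED or d.endswith(tuple("." + t for t in TRUSTED)):
        return "trusted"
    reg = ".".join(d.split(".")[-2:])  # crude: last two labels, no public-suffix list
    near = difflib.get_close_matches(reg, sorted(TRUSTED), n=1, cutoff=0.85)
    return "lookalike" if near else "other"

def sender_findings(from_header):
    """Check the From address for a near-miss domain or a brand name in the local part."""
    local, _, domain = parseaddr(from_header)[1].lower().rpartition("@")
    kind, out = classify_domain(domain), []
    if kind == "lookalike":
        out.append("lookalike sender domain")
    if kind != "trusted" and BRAND in local:
        out.append("brand name in local part")
    return out

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html):
    """(text, real host, verdict) for each link that leaves the trusted domains."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = [(text, urlsplit(href).hostname or "") for text, href in collector.links]
    return [(t, h, classify_domain(h)) for t, h in hosts if classify_domain(h) != "trusted"]

# Constructed sample message, using the misspelled domain from step 2.
SAMPLE_FROM = "Zoho Billing <billing@zohocrop.com>"
SAMPLE_HTML = ('<a href="https://accounts.zoho.com/home">Account home</a> '
               '<a href="http://zohocrop.com/renew">Renew Payment</a>')
```

The link check reports the host the link actually points to next to its visible text, which is the same comparison as hovering over a link before clicking it.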

What to do if you suspect an email to be a phishing email

  1. Never reply to this type of email with your passwords or other personal information. Zoho never asks for your password via emails.
  2. Think before clicking the links in the email.
  3. If you open a link, never enter your credentials on the web page or give out any personal information.
  4. Consider whether the action you are being prompted to take requires entering your credentials in the first place.
  5. Don't download any files attached to the email.
  6. If you are part of an organization, contact your IT department. If you are an individual user or if your organization doesn't have an IT team, mark the sender as spam.
  7. For any assistance, contact our support team at support@zohoaccounts.com.

What to do if you get affected

If you think you were affected by a phishing attempt, secure your account immediately using the following steps:
  1. Change your account password. Make sure you set a unique password that isn't used on any other website or app.
  2. Enable multi-factor authentication (MFA) if you haven't already. We recommend you secure your account using Zoho OneAuth, our own authenticator app.
  3. Review your account access. If there is any malicious activity in your account, you will be able to identify it.
  4. If you need any further assistance, contact our support team at support@zohoaccounts.com.

Identify suspicious sign-ins via email alerts

If your account is compromised and someone else is able to access it, you can find out and secure your account if you have enabled the following alerts for your Zoho account:
  1. New sign-in to account alert
    Receive email alerts whenever your account is signed in from a new device, browser, or location.

  2. Third-party app access alert
    Receive email alerts whenever your account is accessed from a new third-party app or location. Example: IMAP/POP clients such as mail apps and calendar apps.
To enable these alerts:
  1. Go to accounts.zoho.com.
  2. Click Settings in the left menu.
  3. In the Preferences section, under Email notifications, enable the required alerts.

Use app-passwords for third-party apps

For third-party IMAP/POP clients, such as mail apps and calendar apps, generate and use unique app-specific passwords instead of your Zoho account password. This way, even if the client app gets compromised, your Zoho account will remain secure. These passwords can also be revoked at any time; once revoked, the client apps will no longer be able to fetch information from your account.

Enable multi-factor authentication

Using a password alone doesn't provide much security to your account, even if you have set up a strong password. With the latest sophisticated techniques attackers use, passwords are always at risk of being compromised. Hence, we strongly suggest enabling multi-factor authentication (MFA) for your account. MFA adds an extra layer of security to your account. Once you enable MFA, all your future sign-ins will require you to verify using the MFA mode you have set up after you enter your password.

Secure account using IP restriction

Via IP restriction, you can allow your account to be accessed only from certain IP addresses. Once a set of allowed IP addresses is added, sign-in attempts from other IP addresses will be blocked. This way, an attacker who operates in a different location will have no means to access your account.

Review account access

On your Zoho Accounts page (accounts.zoho.com), you can review the devices and apps you've signed in to, the apps that have permission to access your account, and much more. By reviewing these details, you can find out if any unwanted app or device is accessing your account.

The details you can view on your Zoho Accounts page are listed below:


| Tab | Section | Description |
| --- | --- | --- |
| Security | Device Sign-ins | The devices your account is signed in to, along with the location where your account was signed in, and how long ago. |
| Multi-Factor Authentication | Trusted Browsers | The browsers you have trusted to skip MFA during sign-in. |
| Settings | Linked Accounts | The third-party accounts (such as Google or Facebook) that are linked with your Zoho account. |
| Settings | Authorized Websites | The websites you have granted permission to access and fetch information from your account. |
| Sessions | Active Sessions | The sessions your account currently has active. This will also have the details of when each session started, the IP address, and the approximate location. |
| Sessions | Activity History | The apps you have been accessing recently. This will have details such as the accessed IP address, OS, device, and browser. |
| Sessions | Connected Apps | The web apps you have granted permission to access and fetch information from your account. |
| Sessions | App Sign-Ins | The mobile and desktop applications your Zoho account is signed in with. |

