Best Practices for Account Security | Zoho Accounts

Best practices for keeping your Zoho account secure

Make your password strong

Our recommendation regarding password security is to go passwordless using our authenticator Zoho OneAuth. However, if you want to keep using passwords, please follow the practices below:
  1. Avoid using personal information such as your birthday, mobile number, or pet name.
  2. Avoid using only a single word or only common dictionary words.
  3. Avoid using sequences with repetitive or consecutive characters (like "12345," "000"), or commonly used sequences (like "qwerty").
  4. Don't make the password overly complex; make sure it is easily remembered.
  5. Don't reuse the same password on multiple services.
  6. Use a unique password for your Zoho account.
  7. Never share your account password with others.
Info: By default, Zoho requires users to set a password that meets the following criteria:
  1. Should be at least 8 characters.
  2. Should not contain the user's email address.
  3. Should not be a breached password. When you enter a password, we will check if it is found in any previous breaches using Troy Hunt's breached password collection. If it was, we will prompt you to enter a different password.
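
The three default criteria above, as an added Python example (not Zoho's code; the page does not say how Zoho performs the breach check). The prefix lookup follows the k-anonymity range format used by the Pwned Passwords service, and the corpus, counts and function names are constructed for this example so that it runs offline.

```python
import hashlib

MIN_LENGTH = 8  # first criterion in the list above

# Constructed stand-in for a breached-password corpus (sample values and counts).
_SAMPLE_BREACHED = {"password": 9_000_000, "qwerty123": 400_000}


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def sample_range_lookup(prefix: str) -> str:
    """Offline stand-in for a range query: returns 'SUFFIX:COUNT' lines for
    every sample hash that starts with the 5-character prefix."""
    lines = []
    for pw, count in _SAMPLE_BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, range_lookup=sample_range_lookup) -> int:
    """Only the first 5 hex characters of the SHA-1 are passed to the lookup;
    the remaining 35 are compared locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, email: str, range_lookup=sample_range_lookup) -> list:
    """Return the criteria the password fails (an empty list means accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    # Case-insensitive match is an assumption of this example.
    if email and email.lower() in password.lower():
        failures.append("contains_email")
    if breach_count(password, range_lookup) > 0:
        failures.append("breached")
    return failures
```

To query a live service, pass a `range_lookup` callable that fetches the same `SUFFIX:COUNT` text for the given prefix.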

Set up recovery options

Your Zoho account will contain important information such as your documents, emails, and so on. So, it is important that you always have access to your account. You can get locked out and lose access to your account for the following reasons:
  1. You forgot your password.
  2. Someone else accessed your account and changed your password.
  3. You have set up multi-factor authentication (MFA), but are unable to sign in due to some issue.

Setting up account recovery options will help you recover your access during these times.

Recovery email address/mobile number

A recovery email address or recovery mobile number will help you reset your account password if you get locked out. Make sure the email address or mobile number you add is:

  1. Personal only to you.
  2. Easily accessible.
  3. Working and able to receive emails/SMS.
To add a recovery email or number:
  1. Go to accounts.zoho.com.
  2. In the Profile tab, go to the Email Address or Mobile Number section.
  3. Click Add Email Address or Add Mobile Number.
  4. Enter your email address or mobile number, then click Next.
  5. Enter the OTP you received, then click Verify.
After you add them, periodically check and update them. If someone else gets access to the email address or mobile number, they will be able to reset your password. At Zoho, we will also remind you to review the added recovery options periodically.

Backup verification codes

If you have enabled multi-factor authentication (MFA) for your account, it is important that you generate and save the backup verification codes for your account. These codes allow you to recover your account if you are unable to sign in using MFA.

If you are using Zoho OneAuth as your MFA mode, you need to set up a passphrase. This passphrase will allow you to recover access to OneAuth if you ever lose it.

Be aware and careful of phishing attempts

Phishing is a method attackers employ to gain access to your personal information, your credentials, or to your account in general. An attacker will send phishing emails to a large number of recipients, hoping that some of the recipients will be deceived. The phishing email may cite a critical emergency and urge you to provide your personal information, or ask you to access a link to a malicious web page, or download a malicious attachment.

Even if you have secured your account with multi-factor authentication, the attacker can gain access to your account through these phishing web pages using sophisticated techniques. For example, using the "adversary-in-the-middle" method, the attacker can steal the session cookies from your browser and gain access to your account, bypassing MFA.

How to identify a phishing email

  1. Note the clarity of the email content. Check whether the content is ambiguous or doesn't make sense. Phishing emails also tend to create a sense of danger and urgency.
  2. Check if the sender's email address is suspicious. Typically, the attacker will use a domain that is slightly different from the actual domain they are posing as. So, look out for spelling mistakes. For example, zohocrop.com instead of zohocorp.com. They may also use the name of the company in the first part of the address, such as zohosupport@abc.com.
  3. Check the URLs of the links and buttons present in the email. The text of the URL may seem normal, but it might be linked to a different URL. For example, the text may read "Renew Payment" or "Confirm Account"; but they are, instead, linked to a malicious URL. Make sure you hover over the link and check the URL before clicking on it. Check for spelling mistakes and suspicious domain names in the URLs, too.
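
The sender check from item 2, as an added Python example (not Zoho code). It flags a domain within a small edit distance of a trusted one, counting a swapped pair of letters as one edit, and a brand name used in the local part of an untrusted address; the allowlist, brand token, threshold and function names are assumptions made for this example.

```python
# Allowlist assumed for this example, built from domains named on this page.
TRUSTED_DOMAINS = ("zoho.com", "zohocorp.com", "zohoaccounts.com")
BRAND_TOKENS = ("zoho",)
MAX_LOOKALIKE_EDITS = 2  # assumed threshold


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent swap as one edit
    (optimal string alignment), so 'crop' vs 'corp' scores 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(address: str) -> str:
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        return "malformed"
    # Exact match or a subdomain of a trusted domain.
    if any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted_domain"
    # Nearest trusted domain; ties are broken alphabetically.
    nearest = min(TRUSTED_DOMAINS, key=lambda d: (osa_distance(domain, d), d))
    if osa_distance(domain, nearest) <= MAX_LOOKALIKE_EDITS:
        return f"lookalike_of:{nearest}"
    # Brand name in the local part of an address on an unrelated domain.
    if any(token in local for token in BRAND_TOKENS):
        return "brand_in_local_part"
    return "unknown_domain"
```

This inspects only the address string; a matching domain does not show that the message passed SPF, DKIM, or DMARC checks.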

What to do if you suspect an email to be a phishing email

  1. Never reply to this type of email with your passwords or other personal information. Zoho never asks for your password via emails.
  2. Think before clicking the links in the email.
  3. If you open a link, never enter your credentials on the web page or give out any personal information.
  4. Consider whether the action you are being prompted to take actually requires entering your credentials.
  5. Don't download any files attached to the email.
  6. If you are part of an organization, contact your IT department. If you are an individual user or if your organization doesn't have an IT team, mark the sender as spam.
  7. For any assistance, contact our support team at support@zohoaccounts.com.

What to do if you are affected

If you think you were affected by a phishing attempt, secure your account immediately using the following steps:
  1. Change your account password. Make sure you set a unique password that isn't used on any other website or app.
  2. Enable multi-factor authentication (MFA) if you haven't already. We recommend you secure your account using Zoho OneAuth, our own authenticator app.
  3. Review your account access. If there is any malicious activity in your account, you will be able to identify it.
  4. If you need any further assistance, contact our support team at support@zohoaccounts.com.

Identify suspicious sign-ins via email alerts

If your account is compromised and someone else is able to access it, you can find out and secure your account if you have enabled the following alerts for your Zoho account:
  1. New sign-in to account alert
    Receive email alerts whenever your account is signed in from a new device, browser, or location.

  2. Third-party app access alert
    Receive email alerts whenever your account is accessed from a new third-party app or location. Example: IMAP/POP clients such as mail apps and calendar apps.
To enable these alerts:
  1. Go to accounts.zoho.com.
  2. Click Settings in the left menu.
  3. In the Preferences section, under Email notifications, enable the required alerts.

Use app-passwords for third-party apps

For third-party IMAP/POP clients, such as mail apps and calendar apps, generate and use unique app-specific passwords instead of your Zoho account password. This way, even if the client app gets compromised, your Zoho account will remain secure. These passwords can also be revoked at any time; once revoked, the client apps will no longer be able to fetch information from your account.

Enable multi-factor authentication

Using a password alone doesn't provide much security for your account, even if you have set up a strong password. With the sophisticated techniques attackers now use, passwords are always at risk of being discovered. Hence, we strongly suggest enabling multi-factor authentication (MFA) for your account. MFA adds an extra layer of security to your account. Once you enable MFA, all your future sign-ins will require you to verify using the MFA mode you set up after you enter your password.

Secure account using IP restriction

With IP restriction, you can allow your account to be accessed only from certain IP addresses. Once a set of allowed IP addresses is added, sign-in attempts from other IP addresses will be blocked. This way, an attacker who operates in a different location will have no means to access your account.

Review account access

On your Zoho Accounts page (accounts.zoho.com), you can review the devices and apps you've signed in to, the apps that have permission to access your account, and much more. By reviewing these details, you can find out if any unwanted app or device is accessing your account.

The details you can view on your Zoho Accounts page are listed below:


Tab | Section | Description
Security | Device Sign-ins | The devices your account is signed in to, along with the location where your account was signed in and how long ago.
Multi-Factor Authentication | Trusted Browsers | The browsers you have trusted to skip MFA during sign-in.
Settings | Linked Accounts | The third-party accounts (such as Google or Facebook) that are linked with your Zoho account.
Settings | Authorized Websites | The websites you have granted permission to access and fetch information from your account.
Sessions | Active Sessions | The sessions your account currently has active. This will also have the details of when each session started, the IP address, and the approximate location.
Sessions | Activity History | The apps you have been accessing recently. This will have details such as the accessed IP address, OS, device, and browser.
Sessions | Connected Apps | The web apps you have granted permission to access and fetch information from your account.
Sessions | App Sign-Ins | The mobile and desktop applications your Zoho account is signed in with.

