Monday, 21 January 2013

Howto: Bullet-proof your email account

Usernames and passwords can be guessed or stolen. You can add additional layers of security that significantly reduce the chances of an attacker accessing your account.

First of all, always use encrypted connections when using your email service. If you don't know about HTTPS/SSL, please read Howto: Handle a hacked email account first.

Popular web-based email services, such as Gmail and Yahoo! Mail, secure accounts using a username and password. Some, including both Gmail and Yahoo! Mail, allow you to use an additional security measure called two-factor authentication (aka two-step verification).

Two-factor authentication

Using two-factor authentication is easier than the system's name suggests.

You may already have used two-factor authentication if you bank online with certain banks. Essentially you log in with your username and password, but must then type in a code that changes on a regular basis.

Every time you or someone else tries to access your account from a new system (PC, Mac, phone, tablet etc.), a code is required. You may also have to re-enter a code after a period of time.

A bank may require a code every time you log in. Google Mail will ask you once every 30 days.

The code may be generated by a small handheld device; by software installed on a smartphone; or it may even be sent by text (SMS) message to your phone.

Google provides a free Android app called Google Authenticator, which generates the code. Alternatively you can use one of the other options provided by Google, such as text messaging or even a voice call.
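To show what an authenticator app is actually doing when it "generates the code", here is a worked example of the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that Google Authenticator implements. This is illustration code added to this post, not Google's own code; the secret it uses is the public test seed from the RFCs, and the account name and issuer in the enrolment URI are made up.

```python
"""Minimal TOTP (RFC 6238) generator and verifier, built on HOTP (RFC 4226).

Added illustration of how an authenticator app produces a time-based
one-time code and how the service checks it; this is not Google's code.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the ASCII seed used in the RFC 4226/6238 test vectors.
# A real service generates a random secret per user during enrolment and the
# phone keeps a copy; the secret itself is never sent over SMS or the network again.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the slice
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the number of `step`-second periods since the epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, candidate: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. `window` tolerates a little clock drift between phone and server.

    Each allowed period is compared in constant time so response timing does
    not leak how many leading digits of a guess were right.
    """
    if at is None:
        at = int(time.time())
    if len(candidate) != digits or not candidate.isdigit():
        return False
    current = at // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + drift, digits), candidate):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrolment QR code encodes (Google Authenticator key URI format)."""
    key = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={key}&issuer={issuer}&digits=6&period=30"


if __name__ == "__main__":
    # Hypothetical account and issuer, for illustration only.
    print("enrolment URI :", provisioning_uri(DEMO_SECRET, "alice@example.com", "ExampleMail"))
    print("code right now:", totp(DEMO_SECRET))
    print("accepted      :", verify_totp(DEMO_SECRET, totp(DEMO_SECRET)))
```

Two things worth noticing. The code depends only on the shared secret and the current time, so the phone needs no network connection to produce it, and the service never transmits anything at login that an eavesdropper could reuse: with a 30-second step, a code that was valid at time 59 is rejected at time 120. And because the secret stays on the device, an app-generated code cannot be obtained by redirecting where text messages are delivered, which is the weakness of SMS-delivered codes.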

Other services

Some other web services allow users to add this optional secondary level of security. Following an embarrassing compromise, which potentially exposed users' files, Dropbox offered a two-step verification option to users.

Dealing with an extra log-in step once every few weeks is only slightly inconvenient and the level of additional security makes it well worthwhile.

Delhi scammers bypass two-factor authentication

Although using two-factor authentication is much more secure than relying only on passwords, it is possible for sneaky people to trick their way into obtaining the code.

A pair of Indian criminals were caught recently, having conned a mobile phone company into issuing them 'replacement' SIM cards for customers' phone numbers.

They were then able to log into victims' bank accounts, using the SIMs to receive security codes sent by SMS.