Why Account Security Matters More Than Ever

Secure All Your Online Accounts

In 2023 alone, over 8 billion records were exposed in data breaches. Credential stuffing attacks use fully automated bots that test leaked username/password combinations against thousands of sites every second. The probability that at least one of your accounts has been compromised is not theoretical. It's near-certain if you've been online for more than a decade.

The good news: most account compromises are entirely preventable with a small amount of effort. Here's the complete playbook.

Layer 1: Strong, Unique Passwords

The Non-Negotiable Rules

  • Every account gets its own unique password. Password reuse is the single biggest vulnerability. One breach exposes all your reused accounts.
  • Use a password manager. You cannot remember 100+ unique, strong passwords. You don't have to; Bitwarden (free, open source), 1Password, or KeePass will do it for you.
  • Generated passwords only. Human-chosen passwords follow patterns. Let your password manager generate random ones.
  • Minimum 16 characters for generated passwords. Length = security.

Your Master Password

Your password manager's master password is the only one you need to remember. Make it count. Use a 4–5 word passphrase: random, not meaningful to you. For example: "staple pencil sunset marble" (don't use this one). Check its strength with our Password Strength Checker.
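To make the two recommendations above concrete (a 16-character generated password, a 4–5 word random passphrase), here is an added example that generates both with a cryptographic RNG and reports their strength in bits. It is not code from the page or from 2FA Fast; the toy wordlist is constructed, and the 7776-word list size is assumed from the EFF long wordlist.

```python
import math
import secrets
import string

# Constructed toy wordlist so the demo runs offline; a real generator draws from a
# large published list such as the EFF long list (7776 words, size assumed below).
SAMPLE_WORDS = ["staple", "pencil", "sunset", "marble", "river", "candle",
                "orbit", "velvet", "cactus", "lantern", "pebble", "meadow",
                "copper", "falcon", "harbor", "island"]
EFF_LONG_LIST_SIZE = 7776
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in `length` symbols, each drawn uniformly from `choices` options.
    This only holds when the draws are independent and come from a CSPRNG."""
    return length * math.log2(choices)


def generate_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """A manager-style random password. `secrets`, never `random`, for anything secret."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 5, sep: str = " ") -> str:
    """A random passphrase: words picked independently, so the result means nothing to
    you and its strength is count * log2(len(words)) regardless of how memorable it is."""
    return sep.join(secrets.choice(words) for _ in range(count))


def strength_report(word_count: int = 5, password_length: int = 16) -> dict:
    """Compare the article's two recommendations in bits of entropy (rounded)."""
    return {
        "passphrase_bits": round(entropy_bits(EFF_LONG_LIST_SIZE, word_count), 1),
        "password_bits": round(entropy_bits(len(PASSWORD_ALPHABET), password_length), 1),
    }


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase(SAMPLE_WORDS))
    print(strength_report())
```

A 5-word passphrase from a 7776-word list gives about 64.6 bits, a 4-word one about 51.7; a 16-character generated password gives about 104.9 bits, which is why the master passphrase is the one place a human-memorable secret is acceptable and everything else should be generated.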

Layer 2: Two-Factor Authentication on Everything

Enable 2FA on every account that offers it. Priority order:

  1. Email — resets every other account. Compromise here = total account takeover.
  2. Password manager — losing this means losing everything else.
  3. Banking and financial services
  4. Social media — used for impersonation and account recovery attacks
  5. Cloud storage — often contains sensitive documents
  6. Work accounts
  7. Everything else that supports it

Use an authenticator app (not SMS) for important accounts. You can generate and verify TOTP codes with our free 2FA code generator.

Layer 3: Monitor for Breaches

You can't secure an account if you don't know it's been breached. Set up monitoring:

  • HaveIBeenPwned.com — check if your email appears in known data breaches, and enable free notifications for future ones
  • Your password manager — most modern managers (1Password Watchtower, Bitwarden Reports) monitor your credentials against breach databases
  • Google's password check — Chrome and Google Password Manager alert you to compromised saved passwords

If a service you use announces a breach, change your password immediately, even if they say "passwords were hashed." Treat a breach notification as a confirmed compromise until proven otherwise.

Layer 4: Secure Your Recovery Options

Recovery options are often the weakest link; they're designed to bypass your main security measures.

  • Remove or secure security questions. Answers are often findable via social media. Use random strings (stored in your password manager) as "answers" instead of real answers.
  • Keep recovery email and phone updated. Recovery sent to an old, abandoned email you can no longer access locks you out of your own account.
  • Use a dedicated recovery email. A separate email address used only for account recovery, not for communication, reduces the attack surface.
  • Save backup codes for every account with 2FA (see our 2FA Backup Codes Guide).

Layer 5: Device Security

Your accounts are only as secure as the devices you access them from:

  • Use full-disk encryption — FileVault on Mac, BitLocker on Windows, enabled by default on modern iPhones and Android devices
  • Keep software updated — OS and app updates patch security vulnerabilities. Enable automatic updates.
  • Use a screen lock — PIN, biometric, or password. Short auto-lock timeout (1–5 minutes).
  • Avoid public Wi-Fi for sensitive accounts — or use a reputable VPN if you must
  • Don't leave devices unattended in public places, even briefly

Layer 6: Email Security (Deserves Special Attention)

Your primary email account is the master key to your digital life. Treat it accordingly:

  • Use a strong, unique password (never reused anywhere)
  • Enable 2FA, preferably with a hardware key, for this one account
  • Review connected apps and revoke anything you don't actively use
  • Be suspicious of any email asking you to click a link and enter credentials. Go directly to the site instead
  • Consider a privacy-focused provider (ProtonMail, Fastmail) for reduced tracking

Layer 7: Recognise Phishing

The best technical security is defeated by social engineering. Learn to recognise phishing:

  • Check the actual sender domain — "support@paypa1.com" is not PayPal
  • Hover links before clicking — the displayed text may not match the actual URL
  • When in doubt, go directly to the site — never click account security links in emails; type the URL manually
  • Urgency is a red flag — "Your account will be deleted in 24 hours" is a classic pressure tactic

Your Security Action Checklist

  • Install a password manager and import/generate passwords for all accounts
  • Enable 2FA on email, password manager, banking, and social media (minimum)
  • Check HaveIBeenPwned for your email addresses
  • Change any passwords that appear in breach databases
  • Generate and safely store backup codes for all 2FA-enabled accounts
  • Update OS and apps to current versions
  • Review and revoke unused app permissions in Google, Apple, and Facebook account settings

Frequently Asked Questions

How often should I change my passwords?

Only when there's a reason to: a breach notification, suspicion of compromise, or after using a shared/public device. Scheduled changes without a reason (every 90 days) actually weaken security by encouraging users to make predictable minor modifications.

Is it safe to log in on someone else's computer?

Treat any computer you don't control as compromised. If you must: use incognito mode, never let the browser save passwords, log out when done, and change your password afterward on a trusted device.

What's the most important single thing I can do?

Enable 2FA on your primary email account. Email controls account recovery for everything else; it's the highest-value target and the most impactful single improvement you can make.

Written by Shoyeb Akter

Security Tools Developer and creator of 2FA Fast — a privacy-first browser-based authenticator and security tools platform.