How to secure your digital accounts — the basics, all the way up

I recently spent an evening going through my most important digital accounts — not because anything had happened, but because I realized I didn’t really know how secure they actually were. I had a password manager, I had two-factor on most things, I felt fairly safe. But when I actually sat down and went through account by account, I found things that scared me more than I care to admit.

This post is what I wish someone had told me before I started. It’s aimed at people who use the internet roughly like everyone else — have email, social media, maybe an Apple or Google account, maybe a domain or two — but aren’t particularly technical. You won’t become an expert from reading this. But you’ll get roughly ninety percent of the way toward making it genuinely difficult for someone to take over your accounts, which is about as far as you can realistically get as a private individual.

I’ve tried to sort the advice into three levels: the basics that everyone should do, good to have for those who want to go one step further, and hardware key level for the accounts where it really matters. You don’t need to do everything. Small improvements are better than none.

Why this matters

Most people imagine that “getting hacked” means someone cracks their password. That almost never happens. What actually happens is much more boring: one of the hundred companies where you have an account leaks their database, your password is in there, and an automated bot tries the same password on Gmail, Facebook, Instagram, your work email — everywhere it can think of. If you reuse passwords, one of those attempts will succeed. Not if, but when.

The second common scenario is that someone tricks you into handing over your SMS code. This can happen in several ways: through a fake login flow, a call where the fraudster asks you to read out the code, or in the worst case through a SIM-swap where someone gains control of your phone number. That’s one of the most important reasons why SMS is the weakest two-factor method. SMS is usually better than no two-factor at all, but switch to an app, passkey or security key when you can.

The third is that your accounts are connected in chains you probably haven’t thought about. Your Apple ID has an email address as the “primary.” That email address in turn has a recovery email. That recovery email might be on an account you created in 2005 and barely use, with no two-factor, with a password you had in high school. If someone takes the old account, they can reset the newer email, and from there reset your Apple ID, and from there your entire digital life is theirs. The chain is only as strong as the weakest link — and the weakest link is almost always a forgotten account you don’t even think about.

I’ll come back to that, because it’s the most important lesson I took away.

The basics: what everyone must do

A password manager. Apple’s built-in password app (now simply called Passwords) goes a long way if you live in the Apple ecosystem. iCloud sync across iPhone and Mac works seamlessly. If you prefer something cross-platform, 1Password and Bitwarden are two good options — Bitwarden has a very generous free tier. What matters isn’t which one you choose. What matters is that you use one and let it generate long, unique passwords for you. Stop making up your own.

Unique passwords everywhere. The password manager makes that easy, but you actually have to go through and change the old ones. Most modern password managers have a feature called something like “security audit” or “Password Health” that shows which passwords you’re reusing or that have appeared in breaches. Start with email. Work your way down.

Two-factor on everything possible — but not via SMS. Two-factor (2FA, two-step verification) means that in addition to your password, you have to approve the login via something else: a code from an app, a tap on another device, or a physical key. Turn it on everywhere you can. But choose, in this order:

  1. Passkey if offered (more on that shortly).
  2. Authenticator app — Google Authenticator, Microsoft Authenticator, 1Password’s built-in, or Apple’s built-in in Passwords. All of these work equivalently.
  3. SMS only as an absolute last resort, and ideally not even then.

If a service only offers SMS it’s still better than nothing — but treat it as a temporary solution. When the same service adds support for an app or passkey, switch immediately.

Don’t forget payment services and shopping apps. PayPal, Klarna, Amazon, eBay and similar services aren’t banks, but they can be linked to cards, bank accounts, credit, delivery addresses, and purchases in your name. Secure them like you would your email account: passkey if available, two-factor with an app or security key if offered, a long unique password, and review old logged-in devices, saved sessions, and app connections you no longer use. In many of these apps the most important settings are in the mobile app rather than on the web.

Recovery codes on paper, not on your computer. When you turn on two-factor you’ll usually be offered a set of recovery codes or backup codes. These are one-time codes you can use if you lose your phone. Most people click past the screen, or save them as a screenshot on their phone. Both are wrong. Print them out. Put the paper somewhere you can find it again but no one else will — a locked box, a folder with bills, a binder on the shelf. If your home isn’t the right place, consider a sealed envelope with a trusted family member. The point is that they should exist outside your digital world, because that’s where you need them the day everything else has broken down.

One more thing about recovery codes: if you’ve seen your codes at some point but never used them, they’re still valid. But if you have a habit of just clicking “I’ve saved them” without actually saving them — generate new ones. On most services this is called “regenerate” or “create new codes.” The old ones become invalid, and you get fresh ones you can actually save.

Passkeys: what makes passwords less relevant

You may have encountered the word passkey without really understanding what it is. In short: a passkey is a passwordless way to log in, where your device (phone, computer) holds a secret key that proves who you are without any password ever being sent over the network. You authenticate with Face ID, Touch ID, or PIN, and that’s it.

This is better than passwords in practically every way. Passkeys are phishing-resistant: they can’t be handed over to a fake website the same way a password or one-time code can, because they’re bound to the real website. They also can’t leak from a database the same way passwords can (the server has no secret to leak), and they’re usually faster than filling in a password plus a code.

Major players like Google, Apple, Microsoft, GitHub, and PayPal support passkeys now. When you log in and get an offer to “create a passkey” or “use Face ID next time” — say yes. Your password manager (or Apple’s Passwords) handles syncing between devices so you don’t need to think about it.
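The two claims above, that a one-time code can be read out to a fake site while a passkey cannot, and that the site holds no secret to leak, can be watched in a small simulation. This example is added here and is not code from the post or from any passkey vendor. It stands in for a real passkey with a one-time hash-based (Lamport) signature so that it runs on the Python standard library alone; the site names, the user "alice" and the message layout are constructed for the example.

```python
import hashlib
import os
import secrets

# Stand-in for the key pair inside a real passkey: a one-time hash-based
# (Lamport) signature, chosen so the example runs on the standard library.
# It is genuinely asymmetric (the site stores only hashes), but it can sign
# once per key, which a real passkey does not have to worry about.

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    private = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    public = [[h(pair[0]), h(pair[1])] for pair in private]
    return private, public

def message_bits(message: bytes):
    digest = h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(private, message: bytes):
    return [private[i][bit] for i, bit in enumerate(message_bits(message))]

def verify(public, message: bytes, signature) -> bool:
    return all(h(sig) == public[i][bit]
               for i, (sig, bit) in enumerate(zip(signature, message_bits(message))))

class Authenticator:
    """The user's device. Each credential is filed under the site that created it."""
    def __init__(self):
        self.credentials = {}          # relying-party id -> private key

    def register(self, rp_id: str):
        private, public = keygen()
        self.credentials[rp_id] = private
        return public                  # only the public half ever leaves the device

    def get_assertion(self, origin: str, challenge: bytes):
        # The browser supplies the origin it is really on; the user cannot override it.
        rp_id = origin.split("://", 1)[1]
        if rp_id not in self.credentials:
            return None                # lookalike site: no credential, nothing to hand over
        signed = origin.encode() + b"|" + challenge
        return {"origin": origin, "signature": sign(self.credentials[rp_id], signed)}

class RelyingParty:
    """The real website. It stores public keys only, so a database leak exposes no secret."""
    def __init__(self, origin: str):
        self.origin = origin
        self.public_keys = {}
        self.pending = {}

    def register(self, user: str, public):
        self.public_keys[user] = public

    def begin_login(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)   # fresh challenge, so nothing can be replayed
        return self.pending[user]

    def finish_login(self, user: str, assertion) -> bool:
        challenge = self.pending.pop(user, None)
        if assertion is None or challenge is None:
            return False
        if assertion["origin"] != self.origin:          # origin binding: signed for another site
            return False
        signed = assertion["origin"].encode() + b"|" + challenge
        return verify(self.public_keys[user], signed, assertion["signature"])

def enrolled_pair():
    site = RelyingParty("https://mail.example")        # constructed names
    device = Authenticator()
    site.register("alice", device.register("mail.example"))
    return site, device

def legitimate_passkey_login() -> bool:
    site, device = enrolled_pair()
    challenge = site.begin_login("alice")
    return site.finish_login("alice", device.get_assertion("https://mail.example", challenge))

def phished_passkey_login() -> bool:
    # A fake page relays the real site's challenge to the victim, whose browser
    # is on a lookalike origin (constructed name). The device has no credential for it.
    site, device = enrolled_pair()
    challenge = site.begin_login("alice")
    assertion = device.get_assertion("https://mail-example.login-help.test", challenge)
    return site.finish_login("alice", assertion)

def phished_otp_login() -> bool:
    # Contrast: a one-time code is just digits the user types, bound to nothing.
    real_code = f"{secrets.randbelow(10**6):06d}"      # what the site sent by SMS or app
    typed_on_fake_page = real_code                     # the victim reads it into the fake page
    return typed_on_fake_page == real_code             # relayed to the real site, it is accepted

if __name__ == "__main__":
    print("genuine passkey login:", legitimate_passkey_login())   # True
    print("relayed passkey login:", phished_passkey_login())      # False
    print("relayed one-time code:", phished_otp_login())          # True
```

The two checks that do the work are in `get_assertion` and `finish_login`: the device only answers for a site it registered with, and the site only accepts a signature over its own origin and its own fresh challenge. Neither check exists for a code you read off your phone, which is why the post ranks SMS and app codes below passkeys.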

Good to have: the chain of dependencies

This is an important piece of the puzzle that can be easy to miss. Sit down with pen and paper and draw out a chain: what is used to recover what?

Start with your most important account — for most people that’s an Apple ID, Google account, or Microsoft account, depending on which platform you live on. Look under account settings → security or equivalent. There you’ll find something called “primary email,” “recovery address,” “alternate email,” or similar.

Write down that email address. Then log in to that email account and do the same thing. Does it in turn have a recovery email? A recovery phone number? Write everything down.

When you’ve finished drawing the chain you’ll almost certainly find something uncomfortable. An old email from university years sitting as the recovery for your current main email. A phone number you no longer use. An account with “security questions” where the answer is your mother’s maiden name and the neighborhood you grew up in (both findable on LinkedIn and Facebook). An account with a password from 2014 and no two-factor can in practice be used to take over all your other accounts.

Your security chain is exactly as strong as the weakest account in it. And the weakest account is almost always the oldest one, the one you’ve forgotten about, the one you use least.

The fix is fairly simple once you can see it: harden the old account as much as the new one (strong, unique password, two-factor, recovery codes on paper) — or if you truly never use it, remove it as a recovery option entirely and replace it with something better. Some services let you have no recovery option if you have enough other safeguards. Then the paper codes are your lifeline.
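The pen-and-paper chain above can also be written down as a small graph and checked mechanically, which makes the “weakest link” rule concrete: an account is only as strong as the weakest account that can reset it, however many hops away. The following is an added example, not part of the post; the strength scale, the `Account` layout and the sample accounts (an Apple ID, a current mailbox, a forgotten 2005-era mailbox and a phone number) are constructed assumptions for the illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Rough ranking of how hard an account is to take over, weakest first.
# The scale is an assumption for this example, loosely following the post's ordering.
STRENGTH = {"none": 0, "sms": 1, "app": 2, "passkey": 3, "hardware_key": 4}

@dataclass
class Account:
    name: str
    second_factor: str                 # one of the STRENGTH keys
    unique_password: bool = True
    recovery: list = field(default_factory=list)   # accounts or numbers that can reset this one

def own_strength(account: Account) -> int:
    """Strength of the account on its own, ignoring what can reset it."""
    strength = STRENGTH[account.second_factor]
    if not account.unique_password:    # reused password: assume it is already in a breach dump
        strength = min(strength, 1)
    return strength

def weakest_link(accounts: dict, start: str):
    """Walk every 'X can reset Y' edge from `start`; the weakest reachable account
    is the effective strength of `start`, because taking it over resets the chain."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for name in accounts[current].recovery:
            if name not in parents:    # also stops loops (A recovers B, B recovers A)
                parents[name] = current
                queue.append(name)
    weakest = min(parents, key=lambda n: (own_strength(accounts[n]), n))
    path, node = [], weakest
    while node is not None:            # rebuild the chain from start to the weak spot
        path.append(node)
        node = parents[node]
    return own_strength(accounts[weakest]), weakest, path[::-1]

def audit(accounts: dict) -> dict:
    """Effective strength, weakest link and path for every account."""
    return {name: weakest_link(accounts, name) for name in accounts}

def example_chain() -> dict:
    # Constructed example mirroring the post: a passkey-protected Apple ID whose
    # recovery runs through a current mailbox, which in turn is recoverable from
    # a forgotten old mailbox (reused password, no two-factor) and a phone number.
    accounts = [
        Account("apple_id", "passkey", recovery=["main_email"]),
        Account("main_email", "app", recovery=["old_email", "phone_number"]),
        Account("old_email", "none", unique_password=False),
        Account("phone_number", "sms"),
    ]
    return {a.name: a for a in accounts}

if __name__ == "__main__":
    chain = example_chain()
    for name, (strength, weakest, path) in audit(chain).items():
        print(f"{name}: effective strength {strength}, weakest link {weakest} via {' -> '.join(path)}")
    # Fix 1 from the post: harden the forgotten account instead of ignoring it.
    chain["old_email"] = Account("old_email", "app")
    print("after hardening old_email:", weakest_link(chain, "apple_id"))
    # Fix 2: remove the phone number as a recovery option altogether.
    chain["main_email"].recovery.remove("phone_number")
    print("after removing phone recovery:", weakest_link(chain, "apple_id"))
```

Run as written, the Apple ID scores 0 despite its passkey, because the path apple_id → main_email → old_email ends at a forgotten mailbox with a reused password and no two-factor. Hardening that mailbox moves the weak spot to the phone number (SMS); dropping the phone number as a recovery option raises the Apple ID to the strength of the current mailbox. That is the same two-step fix the post describes, just made visible.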

Banking and brokerage accounts

Phone fraud is the real threat. Unlike password-based attacks, the main threat against financial accounts is social engineering — someone calling and convincing you to authorize something you shouldn’t. Common script: someone calls claiming to be from your bank, the police, or a tech company; there’s been “suspicious activity” on your account; you need to “verify yourself” by opening your banking app and confirming something. What you’re actually confirming is a new loan application or a transfer that empties the account.

The simplest rule I’ve given myself: before I approve anything in my banking app, I always read exactly what it says I’m authorizing, and I ask three questions — who called whom, do I recognize the amount and recipient, and did I initiate this action myself in the last minute? If any answer is unclear, I hang up, take a breath, and call back using the number from the company’s official website (not from an SMS or call history). Your bank will never be angry if you call back. The fraudster will be gone.

Voice is no longer proof. AI voice cloning and deepfakes mean a call can sound like your child, parent, or a close relative when it isn’t. Agree on a secret code word with your family — especially children, siblings, and elderly parents — used only in genuine emergencies. If someone calls from an unexpected number and wants you to quickly send money, authorize a transaction, or keep the call secret: hang up and call back to a number you already know is right. If you can’t reach the person, call another family member. A real emergency can withstand thirty seconds of verification.

Check which active sessions and linked accounts exist. Log into your financial accounts and look under security or settings. Review saved payment methods, withdrawal destinations, and linked external accounts. Make sure money can only go to accounts in your name, not an arbitrary new account. Turn on push notifications or email alerts for all logins and withdrawals above a certain amount — you’ll immediately see if someone logs in from somewhere that isn’t you.

Set daily transfer limits. Most banks let you lower the daily limits for transfers and peer-to-peer payments. If you don’t need to be able to send a large amount on any given day, lower the limit. You can always raise it temporarily when you need to, and in practice it’s a very effective protection against fraud losses — no matter how the fraudster gets you to authorize something, the damage is capped.

SIM-swap, SMS, and number porting. SIM-swap is primarily a problem for accounts that use SMS codes or phone numbers for recovery — it makes your mobile number part of the security chain. Contact your carrier and ask what protections they offer against unauthorized number porting or SIM/eSIM changes — things like extra identification, customer codes, or a port freeze. The names vary between carriers, but the point is simple: it shouldn’t be easy for someone else to take over your number.

Hardware key level: for the few accounts that truly matter

There’s a group of accounts where loss would be catastrophic, not just annoying. For most people that’s: the main email, Apple or Google account, and possibly the account where your website’s domain lives or where important business data is stored. For these accounts it’s worth investing in a physical security key, usually a YubiKey.

A YubiKey is a small thing that looks like a USB stick. You register it on your important accounts, and from that point someone who wants to log in as you — even if they have your password and access to your phone and the SIM card — also needs this physical gadget that lives in your pocket or a safe at home. That’s the barrier phishing campaigns and database breaches don’t cross.

Two things that matter if you get one:

Buy two. The reason is simple: one you’ll keep with you or at your desk, and the other you hide somewhere hard to access — a safe deposit box, a box at a family member’s, a fireproof safe. If the daily one disappears (and hardware does disappear sometimes) the other is your ticket back in. Register both on all your important accounts from the start. If you don’t — if you only register one and then lose it — you can become completely locked out.

Read carefully what the service means by passkey and security key. Some services, like GitHub, distinguish between “passkey” and “security key” in the interface even though the same YubiKey can be used in both roles. If a service explicitly offers both it may be worth registering the key both ways. But treat it as a service-specific choice, not a general rule for all accounts.

Two YubiKeys cost around $60–100 USD. For an Apple account that holds your entire iCloud, all photos, Find My, and all your saved passwords, that can be money well spent.

Advanced protection modes: good, but different things

It’s easy to confuse two different things here: stronger account login and stronger encryption of cloud data.

Google’s version is called Advanced Protection Program (APP). It’s a protection mode for the account that requires a passkey or physical security key, tightens recovery, and limits which third-party apps can access the account. It’s built for people with higher-than-average risk — journalists, activists, politicians, business owners — but is available to regular users too.

Apple has two relevant features. Security Keys for Apple Account lets you require physical security keys as part of signing into your Apple account. Advanced Data Protection (ADP) is something else: it extends end-to-end encryption for iCloud so that Apple itself can’t read most of your iCloud content. The price is that if you lose all your devices and your recovery codes and your recovery contacts — your data may be gone forever. That’s a deliberate tradeoff.

These modes are worth considering if you’ve gotten this far in the article and taken the YubiKey step. But don’t turn them on before you have working recovery in place and at least one backup key.

Last tip: clean up old connections

When I went through my accounts I found over thirty apps, websites, and developer tools that had access to my Google and GitHub accounts — most of them from things I’d tried years ago and then forgotten. Each such connection is a potential way in. Go to security settings → apps with access to your account or equivalent, and remove everything you don’t recognize or no longer use. It takes ten minutes and is one of the best-invested ten minutes you can spend.

Same thing with logged-in devices. All modern accounts show a list of “where you’re currently logged in.” Every old phone or computer is there. Log out everything you don’t immediately recognize.

Afterward

When I was done, it didn’t feel like I’d been hacked and saved myself at the last second. It felt like I’d cleaned the windows after several years: everything was suddenly more visible and I had a handle on things I’d previously only hoped were fine.

The hardest part of the whole exercise wasn’t the technology. The technology is almost always a few menus away. The hardest part was starting, because it feels like a big, vague undertaking. It isn’t. Each account takes ten to twenty minutes once you’re in the right settings menu. You can do two or three an evening, for a week, and by Sunday you’re done. Feel free to use an AI assistant to navigate confusing menus.

Do it before something happens. It’s much more pleasant than doing it after.


Checklist — going through account by account

Start with your most important accounts: main email, Apple ID/Google account, bank, social media where you have a lot of content. Then work outward.

For each account:

  • Password is long, unique, generated by a password manager
  • Two-factor turned on — with passkey or authenticator app, not SMS
  • SMS removed as verification method (even as a “backup”)
  • Recovery codes printed and stored in a safe physical location
  • Recovery email and recovery phone checked — do they point to something you still use and have hardened?
  • List of logged-in devices reviewed — unrecognized devices logged out
  • List of apps/services with access reviewed — unused ones removed
  • Payment services and shopping accounts (PayPal, Amazon, eBay) secured the same way — passkey/two-factor where available, old saved sessions and app connections removed

Extra for primary accounts (email, Apple/Google, domain registrar, work email):

  • Two YubiKeys or equivalent hardware keys registered
  • Backup key stored at a different physical location from the daily one
  • Google Advanced Protection, Apple Security Keys / ADP or equivalent considered where appropriate
  • Chain of recovery dependencies drawn on paper and thought through

Financial accounts:

  • Verified which active sessions exist and revoked any unrecognized ones
  • Withdrawal destination locked to accounts in your name only
  • Login and withdrawal alerts turned on
  • Daily transfer limits lowered to levels that match how you actually live
  • Family code word agreed on with children, parents, and close relatives — and habit set to hang up and call back to a known number for unexpected urgent calls

One-time items:

  • Password manager installed and in daily use
  • Old unused accounts sitting as recovery addresses on important accounts — either hardened or removed as recovery options
  • Protection against unauthorized number porting or SIM/eSIM changes checked with your mobile carrier

Good luck. This is tedious work but satisfying when it’s done, and you’ll thank yourself.