Secure Your Accounts

30 minutes of setup that protects you for years. I'll walk you through every step — no tech expertise needed.

I’ve helped a lot of people lock down their accounts over the years. Some of them came to me before anything bad had happened — they just wanted to be safe. Others came to me after their bank account was drained, or their email was sending scam links to everyone in their contacts, or someone opened a credit card in their name.

The difference between those two groups almost always came down to a few simple things that take about 30 minutes to set up. Not complicated things. Not things that require a computer science degree. Just a handful of changes that would have stopped the attack cold.

That’s what this page is. Grab your phone, open your laptop, and let’s walk through them together.


Your email is the skeleton key

I start here with everyone, and I want to explain why, because once you understand this, everything else on this page makes more sense.

Your email account isn’t just where you get newsletters and shipping confirmations. It’s the reset mechanism for every other account you own. When you click “Forgot password?” on your bank’s website, where does the reset link go? Your email. Amazon, PayPal, your health insurance portal, your IRS account — all of them. If an attacker gets into your email, they don’t need to hack anything else. They just click “Forgot password?” on each one and take over your entire digital life from a single point of entry.

I’ve seen this happen. Someone reuses their email password on a forum that gets breached. The attacker takes the leaked password, logs into their Gmail, and within an hour has reset their bank password, their Amazon password, and their PayPal password. By the time the victim notices, the damage is done.

This is why your email gets secured first, and why it gets secured more aggressively than anything else.

How to find your email security settings

Every email provider puts their security settings in roughly the same place, and learning how to find them is a skill that works across every account you’ll ever have — not just email.

Here’s the pattern: look for your profile picture or account icon (usually in the top-right corner), tap or click it, and look for “Account,” “Settings,” or “Manage your account.” From there, find the section labeled “Security” or “Password & Security.”

If you can’t find it, search the web for “[your email provider] security settings” — for example, “Gmail security settings” or “Yahoo security settings.” That search will always get you to the right place, even when providers redesign their menus.

This pattern — profile icon, account settings, security — works on almost every website and app you’ll ever use. Once you know it, you can find the security settings for your bank, your Amazon account, your social media, anything. That’s more valuable than any single link I could give you.

Change your email password

Once you’re in your security settings, change your password. Your new one needs two things:

It needs to be long. At least 12 characters. Length beats complexity every time. A short sentence you can remember is one of the strongest passwords you can create:

“I drink coffee at 7am every day” — that’s 32 characters, easy to type, and it would take a computer longer than the age of the universe to brute-force. Meanwhile, “P@ssw0rd!” looks “secure” but gets cracked in seconds because attackers already have it in their dictionaries.

It needs to be unique to this account. If you use this same password on any other site — even one — and that site gets breached, your email is compromised too. This is the number one way people lose their email accounts.

Pick something personal enough to remember, but not something someone could guess from your social media. Your dog’s name and birth year are the first things an attacker scrapes from your Facebook profile, and AI makes that research trivially fast now.

Turn on two-factor authentication

This is the single most important thing on this entire page. If you do nothing else, do this.

Two-factor authentication (2FA) means that even if someone steals your password — even if they buy it from a data breach for two dollars — they still can’t log in. They’d also need a code that gets sent to your phone, and they don’t have your phone.

In the same security settings where you just changed your password, look for “2-Step Verification,” “Two-Factor Authentication,” or “Login Verification.” Different providers call it different things, but it’s always in the security section. Turn it on.

When it asks you to choose a method, pick text message. That’s it. You’re done.

Is an authenticator app technically more secure than text messages? Yes. But I’ve watched people stall for weeks trying to figure out authenticator apps, and during those weeks they had no 2FA at all. Text message 2FA stops the vast majority of attacks. Set it up now and upgrade later if you want to. Don’t let perfect be the enemy of protected.

While you’re in there — check who else has been logging in

Every major email provider shows you a list of recent logins somewhere in the security settings. Look for “Recent activity,” “Your devices,” or “Where you’re signed in.” Take 60 seconds to scroll through it.

You’re looking for anything you don’t recognize. A device you’ve never owned. A city you’ve never visited. A login at 3am when you were asleep.

If you see something that doesn’t belong, change your password immediately and look for the option to sign out of all other sessions. You may have just caught an intruder — and catching it is what matters.


Check whether your information is already out there

Here’s something most people don’t realize: there’s a good chance your email address and at least one of your old passwords are already floating around the internet. Not because you did anything wrong — because companies you trusted got hacked.

LinkedIn was breached. Adobe was breached. Dropbox, MyFitnessPal, Canva, Marriott — the list goes on. When these companies got hacked, the usernames and passwords of millions of users were stolen and eventually published in databases that attackers share and search through. If you had an account on any of these services, your credentials may be in those databases right now.

There’s a free, trusted tool for checking this. Search the web for “Have I Been Pwned” — it’s run by Troy Hunt, a well-known security researcher. It’s not a company trying to sell you anything. Enter your email address and it tells you whether your information appeared in any known data breaches.

When your results come up (and for most people, there will be results), don’t panic. Being listed in a breach doesn’t mean someone has hacked your accounts. It means the potential is there, and now you’re going to close that door.

For each breach listed, ask yourself: do I still use the same password I used on that site? If yes — and especially if you used that same password on other sites — that’s the real danger. Attackers take leaked password databases and try those passwords on banks, email providers, and shopping sites. It’s called credential stuffing, and it works shockingly often because people reuse passwords.

Change any passwords that match leaked ones. Prioritize your email, your bank, and anything connected to money.
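The same service that powers the email check above, Have I Been Pwned, also answers the “do I still use a leaked password?” question without ever seeing the password: the device hashes it with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix sharing that prefix, and matches locally. The example below is added here (not the page’s or HIBP’s code) and reproduces that flow offline: `fake_range_server` stands in for the real range endpoint and `CONSTRUCTED_LEAKED` is a made-up corpus with made-up counts.

```python
import hashlib

# Constructed stand-in for a breach corpus: passwords with made-up
# occurrence counts. The real service stores only SHA-1 hashes.
CONSTRUCTED_LEAKED = {
    "P@ssw0rd!": 83211,
    "123456": 37359195,
    "qwerty": 10700000,
    "Summer2019": 5120,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query_parts(password: str):
    """Split the hash into the 5-hex-char prefix that is sent and the
    35-char suffix that never leaves the device."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fake_range_server(prefix: str) -> str:
    """Constructed stand-in for the range endpoint (no network access):
    return every suffix whose full hash starts with prefix, as the
    'SUFFIX:COUNT' lines the real service uses."""
    lines = []
    for pw, count in CONSTRUCTED_LEAKED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range=fake_range_server) -> int:
    """Times the password appears in the corpus (0 = never seen). Only the
    5-char prefix is handed to fetch_range; the suffix match is local."""
    prefix, suffix = range_query_parts(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)
```

A password that comes back with a count above zero is one attackers already have in their lists and should be changed wherever it is still in use.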


Protect the accounts that matter most

You probably have dozens of online accounts. You don’t need to secure all of them today. You need to secure the ones where the consequences of a breach would actually hurt.

Think about it in terms of damage:

If someone got into your bank account, they could drain it. High priority.

If someone got into your IRS or Social Security account, they could file a tax return in your name or open credit lines in your identity. High priority.

If someone got into your Amazon account, they could order things on your card or access your address and payment history. That matters.

If someone got into the random cooking forum you signed up for in 2014, honestly, the damage is limited.

Start with the high-damage accounts: your bank, PayPal or Venmo if you use them, your Apple ID or Google account, your health insurance portal, and any government accounts.

For each one, use the same pattern you just learned: find the security settings (profile icon > account/settings > security), set a unique password, and turn on 2FA. You now know how to find these settings on any site. Most banks and financial services support 2FA — it’s almost always in the security section.

The password problem (and the real solution)

I know what you’re thinking: “You want me to have a different password for every account? I can barely remember the three I have now.”

You’re right. That’s an unreasonable thing to ask a human brain to do. It’s not a discipline problem — it’s a math problem. You have too many accounts for unique passwords to be memorizable. This is why password managers exist, and they’re the single most underrated security tool available to normal people.

A password manager is an app that stores all your passwords in an encrypted vault on your phone and computer. You remember one master password — the one that opens the vault — and the manager handles everything else. When you need to log into a site, it fills in the password for you. When you create a new account, it generates a long, random password that no human could guess and no attacker could crack.

Here’s the part people don’t expect: it actually makes your life easier, not harder. No more forgot-password emails. No more trying to remember which version of your password you used. No more typing passwords at all — it fills them in for you automatically.

I recommend looking at Bitwarden — it’s free, works on every device, and it’s open-source, meaning security researchers can verify it does what it claims. If you’re in the Apple ecosystem, Apple Keychain is built into your iPhone and Mac and works well. Google Password Manager is solid if you live in Chrome and Android. Search for any of these by name and you’ll find them.

But here’s the thing that makes password managers secretly brilliant in the age of AI scams: a password manager is also a phishing detector. When you land on a phishing site — say, amazon-accounts.com instead of amazon.com — your password manager won’t offer to fill in your Amazon credentials. Because it knows that’s not Amazon. That moment where you reach for your password and it’s not there? That’s the manager telling you something is wrong. It catches AI-generated phishing sites just as effectively as sloppy ones, because it doesn’t evaluate how the page looks — it checks the actual domain.
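To show why the domain check catches clones no matter how they look, here is a small model of that autofill decision. It is an added example, not the page’s code or any real password manager’s: `VAULT` holds one hypothetical credential, and `registrable_domain` is a deliberate simplification of what real managers do with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed vault: one hypothetical credential, keyed by the registrable
# domain of the site it was saved on (recorded by the manager on save).
VAULT = {
    "amazon.com": ("shopper@example.com", "Vq7!mz2Rk9#pLw4Xs8Qn"),
}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (www.amazon.com -> amazon.com).

    Simplification for this example: keep the last two labels. Real managers
    consult the Public Suffix List so shop.example.co.uk reduces to
    example.co.uk rather than co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_candidate(page_url: str, vault=VAULT):
    """Return the credential a manager would offer on page_url, or None.

    The decision depends only on the URL's scheme and host, never on how the
    page looks, so a pixel-perfect clone on the wrong domain gets nothing.
    """
    parts = urlsplit(page_url)
    # Saved over HTTPS: refuse to fill on plaintext HTTP, where the page
    # could have been altered in transit.
    if parts.scheme != "https" or not parts.hostname:
        return None
    # .hostname drops any user:pass@ prefix and port, so a URL such as
    # "https://www.amazon.com@evil.example/" is judged by evil.example.
    return vault.get(registrable_domain(parts.hostname))


def review(urls):
    """Map each URL to 'fill' or 'no match' for a quick side-by-side."""
    return {u: ("fill" if autofill_candidate(u) else "no match") for u in urls}


if __name__ == "__main__":
    for url, verdict in review([
        "https://www.amazon.com/ap/signin",          # real site
        "https://smile.amazon.com/",                 # real subdomain
        "https://amazon-accounts.com/login",         # lookalike domain
        "https://www.amazon.com.evil-example.net/",  # brand as a subdomain
        "https://www.amazon.com@evil.example/",      # brand in the userinfo
        "http://www.amazon.com/",                    # right host, wrong scheme
    ]).items():
        print(f"{verdict:9} {url}")
```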

Our password guide walks through setting one up step by step.


Lock down your phone

Your phone is probably the most valuable thing you own, and I don’t mean the hardware. I mean what’s on it. Your email. Your banking app. Your photos. Your text messages. Every account you’re logged into. If someone picks up your unlocked phone, they have access to your entire life.

Screen lock

If your phone doesn’t lock automatically, fix that right now. Use face recognition or fingerprint if your phone supports it — it’s both more secure and more convenient than a PIN. If you use a PIN, make it at least 6 digits and not something guessable (1234, 000000, your birth year — attackers try all of these first).

Set your phone to lock after 30 seconds to one minute of inactivity. I know it means unlocking it more often. That’s the cost of making your phone useless to anyone who picks it up while you’re in the bathroom at a coffee shop.

Software updates

People put these off, and I want to explain why you shouldn’t. Software updates aren’t just new features — they patch security holes that attackers are actively exploiting. When Apple or Google releases a security update, there’s usually a vulnerability that’s already been discovered (sometimes by attackers first) and the update closes the door on it. Every day you delay, that door stays open.

On your phone, go to Settings and search for “Software Update.” On iPhone it’s usually under General. On Android it varies by manufacturer, but searching within Settings always works. Install whatever’s waiting, then turn on automatic updates so this takes care of itself going forward.

App permissions

Take 90 seconds to review which apps have access to your camera, microphone, contacts, and location. On your phone, go to Settings and look for “Privacy” or “Privacy & Security.”

You’ll probably find apps with permissions they don’t need. A weather app doesn’t need your contacts. A flashlight app doesn’t need your microphone. A calculator definitely doesn’t need your location. Revoke anything that doesn’t make sense for what the app actually does. If a free utility is asking for a lot of permissions, it may be harvesting your data — which is its own kind of scam.

Find My Phone

Turn this on now so you don’t have to think about it later. If your phone is ever lost or stolen, this lets you locate it on a map, lock it remotely, or wipe it entirely.

On your phone, go to Settings and search for “Find My” (iPhone) or “Find My Device” (Android). Turn it on. It takes 30 seconds and could save you from a catastrophic data exposure.


What you just did

You secured the one account that controls all the others. You checked whether your information was already exposed. You protected the accounts where a breach would actually cost you money or your identity. You locked down the device that holds the keys to everything.

But more importantly, you learned a pattern that works everywhere: find the security settings, set a unique password, turn on two-factor authentication. That pattern applies to every account you’ll ever create, on every platform, no matter how the menus change or the interfaces get redesigned. You don’t need to come back here and follow links — you know what to look for now.


The habits that keep it going

Security isn’t a one-time event. But the ongoing maintenance is light — it’s just a few reflexes.

The daily reflex: When you get an unexpected message about one of your accounts — a text about a charge, an email about suspicious activity, a call from “your bank” — don’t click the link or call the number in the message. Open the app yourself, or type the website address yourself, or call the number on the back of your card. This one habit defeats the majority of phishing attacks, including AI-generated ones that look perfect.

The monthly check: Glance at your bank and credit card statements for charges you don’t recognize. Most people who catch fraud early catch it this way — not through alerts, but by actually looking.

When something feels wrong: Trust that feeling. Then come back here.
