🔐 Account Security
1. Passwords
Use a password manager. Never reuse passwords.
▼
Use strong, unique passwords
If a hacker gets one password, they try it everywhere. Every account needs its own unique password.
A strong password is:
- Long — at least 16 characters
- Random — not a word, name, or birthday
- Unique — never reused across sites
Nobody can remember 100 unique passwords. That's why you need a password manager.
Recommended password managers
Bitwarden Free
1Password
Apple Passwords Free
📱 iPhone walkthrough
How to set up Apple Passwords on your iPhone Coming soon
Settings → Passwords → enable AutoFill → start saving passwords
Safely sharing passwords (Netflix, Spotify, etc.)
- Use a password manager's sharing feature. 1Password and Bitwarden both support shared vaults.
- Use the service's family plan. Netflix, Spotify, and YouTube all offer family plans.
- If you must share manually, use a self-destructing link like onetimesecret.com.
❌ Don't
- ❌ Use your name, birthday, or "password123"
- ❌ Reuse the same password on multiple sites
- ❌ Share passwords via text or email
- ❌ Store passwords on sticky notes or in Notes
✅ Do
- ✅ Let a password manager generate & save them
- ✅ Use a unique password per account
- ✅ Share via a shared vault or self-destructing link
- ✅ Lock your phone with Face ID / fingerprint / PIN
2. Multi-Factor Authentication (MFA)
Add a second lock to your accounts. Passkeys > authenticator app > SMS.
▼
What is it?
MFA adds a second step when logging in. Even if someone steals your password, they can't get in without this second factor. Think of it as a deadbolt on top of your door lock.
Three types compared
| Method | How it works | Security | Ease |
|---|---|---|---|
| Passkeys | Face, fingerprint, or device PIN. No code to type. | Best | Easiest |
| Authenticator app | 6-digit code that changes every 30 seconds. | Very good | Good |
| SMS codes | Code sent via text message. | Weakest | Easiest |
Recommended authenticator apps
Google Authenticator
Microsoft Authenticator
Apple Passwords
Authy
Why SMS is the weakest: Attackers can hijack your phone number through "SIM swapping." Authenticator apps and passkeys are tied to your physical device, not your phone number.
Where to enable MFA in popular apps
| App | Where to find it |
|---|---|
| Gmail | Google Account → Security → 2-Step Verification |
| Settings → Accounts Center → Password & Security → Two-factor authentication | |
| Settings → Accounts Center → Password & Security → Two-factor authentication | |
| TikTok | Profile → Menu → Settings → Security → 2-step verification |
| YouTube | Managed via your Google Account (same as Gmail) |
📱 iPhone walkthrough
How to enable 2FA on Instagram Coming soon
Settings → Accounts Center → Password & Security → Two-factor authentication
a) Got a new iPhone? How to transfer your authenticator app
If you use Google Authenticator:
1Open Google Authenticator on your old phone.
2Tap the menu (⋯) → "Transfer accounts" → "Export accounts".
3Scan the QR code with Google Authenticator on your new phone.
4Verify all accounts appear, then delete from the old phone.
If you use Apple Passwords, codes sync automatically via iCloud.
b) Personal vs. work authenticator apps
Keep them separate. Your employer can remotely wipe a work authenticator — if your personal codes are in the same app, you could lose access to your own accounts.
Work: Microsoft Authenticator
Personal: Google Authenticator
c) Your phone is stolen — what now?
⚠️ If you lose your phone and didn't back up your authenticator, you can get permanently locked out of your accounts. Set up cloud backup now, before it happens.
Before it happens (do this now):
- Save your recovery codes when you enable MFA.
- Use an authenticator with cloud backup (Authy, Apple Passwords, or Google Authenticator with sync).
- Enable Find My iPhone.
After it happens:
- Use Find My iPhone to lock and erase the stolen phone.
- Use your recovery codes to log in.
- Set up MFA again on your new device.
- Change passwords for email and banking.
❌ Don't
- ❌ Rely on just a password
- ❌ Use SMS as your only second factor
- ❌ Mix work and personal in one authenticator
✅ Do
- ✅ Use passkeys wherever available
- ✅ Use an authenticator app for everything else
- ✅ Enable cloud backup in your authenticator
3. Recovery Codes
Your emergency backup keys. Save them before you need them.
▼
What are recovery codes?
One-time-use backup codes (usually 8-10) that let you log in if you lose your phone or authenticator app. They're your safety net.
Where to save them
| Option | Safe? |
|---|---|
| Printed and stored in a safe place at home | ✅ Yes |
| In a password manager (1Password, Bitwarden) | ✅ Yes |
| In a locked note on your phone + laptop | ✅ Decent |
| Screenshot saved only on your phone | ⚠️ Risky |
| In your email inbox | ❌ No — if hacked, exposed |
| Nowhere ("I'll remember") | ❌ Never |
❌ Don't
- ❌ Save them in your email inbox
- ❌ Screenshot and leave in camera roll
- ❌ Skip saving them — "I'll do it later"
✅ Do
- ✅ Store in your password manager
- ✅ Print and keep in a safe or locked drawer
- ✅ Save immediately when you enable MFA
🚨 Staying Alert Online
4. Keep Your Software Updated
Updates patch security holes. Turn on auto-update everywhere.
▼
When you see "update available", that often means a vulnerability has been disclosed and attackers are already scanning for unpatched devices.
📱 iPhone walkthrough
How to turn on automatic updates on iPhone Coming soon
Settings → General → Software Update → Automatic Updates
❌ Don't
- ❌ Click "Remind me later" for weeks
- ❌ Keep apps you never use
- ❌ Run outdated browsers
✅ Do
- ✅ Turn on automatic updates everywhere
- ✅ Restart after updates to activate them
- ✅ Delete unused apps to reduce risk
5. Spot a Phishing Attack
Fake messages that steal your login. Learn the red flags.
▼
Phishing = a fake message pretending to be from a trusted company to steal your login or money. It's the #1 way people get hacked.
Red flags
- ❌ Urgent language: "Your account will be closed in 24 hours!"
- ❌ Sender email doesn't match the company (e.g. [email protected])
- ❌ Links go to weird URLs — hover before clicking!
- ❌ They ask for your password, credit card, or 2FA code — real companies never do this
What to do
- ✅ Don't click — go directly to the website by typing it yourself
- ✅ Report phishing emails (Gmail: three dots → "Report phishing")
- ✅ When in doubt, call the company directly
Passkeys protect you from phishing. Even on a fake website, passkeys won't work on the wrong domain — the login simply fails.
🌐 Network & Connection
6. Public Wi-Fi and VPNs
Public Wi-Fi is risky. Use a VPN to encrypt your connection.
▼
Attackers can set up fake Wi-Fi networks and intercept your traffic. A VPN encrypts everything between your device and the internet.
Recommended VPNs
Mullvad
ProtonVPN Free tier
IVPN
❌ Don't
- ❌ Use public Wi-Fi without a VPN
- ❌ Auto-join open networks
- ❌ Use free VPNs — they sell your data
✅ Do
- ✅ Use Mullvad, ProtonVPN, or IVPN
- ✅ Verify Wi-Fi names with staff first
- ✅ Disable auto-join for public networks
🛡 Device Protection
7. Device Encryption
Scrambles your data so thieves can't read it. Already on by default on iPhone.
▼
How to enable it
- iPhone/iPad: Already encrypted by default with a passcode.
- Mac: System Settings → Privacy & Security → FileVault → Turn On.
- Windows: Settings → Privacy & Security → Device Encryption (or BitLocker).
Encrypted messaging
Signal
iMessage
WhatsApp
Regular SMS is not encrypted and can be intercepted. Use these apps for private conversations.
❌ Don't
- ❌ Leave FileVault / BitLocker off
- ❌ Use SMS for sensitive conversations
- ❌ Forget to save your recovery key
✅ Do
- ✅ Enable FileVault (Mac) or BitLocker (Windows)
- ✅ Save recovery key in your password manager
- ✅ Use Signal, iMessage, or WhatsApp
8. Backups
The 3-2-1 rule: 3 copies, 2 storage types, 1 offsite.
▼
Ransomware encrypts your files and demands payment. A good backup means you can wipe and restore without paying a cent.
The 3-2-1 rule
- 3 copies of your data
- 2 different types of storage
- 1 copy offsite (iCloud, Backblaze)
❌ Don't
- ❌ Keep files on only one device
- ❌ Assume cloud sync = backup
- ❌ Pay ransomware — just restore
✅ Do
- ✅ Follow 3-2-1: 3 copies, 2 types, 1 offsite
- ✅ Use Time Machine (Mac) or File History (Win)
- ✅ Add cloud backup (iCloud, Backblaze)
🌐 Network & Connection
9. Custom DNS
Stop your ISP from tracking every website you visit.
▼
Recommended DNS providers
| Provider | Address | Bonus |
|---|---|---|
| Cloudflare | 1.1.1.1 | Fastest, privacy-focused |
| Quad9 | 9.9.9.9 | Blocks malware domains |
| NextDNS | Custom | Configurable ad/tracker blocking |
📱 iPhone walkthrough
How to set up Cloudflare DNS on iPhone Coming soon
Download the free 1.1.1.1 app → tap to enable → done
❌ Don't
- ❌ Use your provider's default DNS
- ❌ Use random "free DNS" services
✅ Do
- ✅ Switch to Cloudflare, Quad9, or NextDNS
- ✅ Install the 1.1.1.1 app for easy setup
🕵 Digital Identity
10. Privacy Audit
Review app permissions, check for data leaks, clean up old accounts.
▼
Checklist
- Review app permissions — does that flashlight app really need your contacts?
- Run Google's privacy checkup at myaccount.google.com/privacycheckup
- Set social profiles to private and remove your phone number
- Delete old accounts you no longer use
- Use a privacy browser — Firefox, Brave, or Safari
Check if your data has been leaked: Visit haveibeenpwned.com and enter your email address.
❌ Don't
- ❌ Give apps unnecessary permissions
- ❌ Keep old unused accounts around
- ❌ Leave social profiles fully public
✅ Do
- ✅ Revoke unneeded app permissions
- ✅ Run Google's privacy checkup
- ✅ Check haveibeenpwned.com for leaks
11. Email Aliases
Use fake forwarding addresses so your real email stays private.
▼
Aliases are unique forwarding addresses that all deliver to your main inbox. If one gets spam, disable it.
Options
Hide My Email iCloud+
SimpleLogin Free
Firefox Relay
❌ Don't
- ❌ Give every site your real email
- ❌ Use one email for everything
✅ Do
- ✅ Use Hide My Email or SimpleLogin
- ✅ Create a unique alias per service