How to Secure Your Online Accounts: 15 Essential Steps

How to Secure Your Online Accounts: 15 Essential Steps — Mahi Info Tech

Most people are one leaked password away from losing their email, and losing your email means losing almost everything else. This guide covers how to secure your online accounts properly — not a vague list of tips, but fifteen concrete steps in the order that actually matters, from the one change that eliminates an entire class of attack to the persistence checks that almost everyone forgets. It is the practical account-security playbook of Mahi Info Tech.

Start With the Right Mental Model

Before the steps, understand the shape of the threat, because it determines the priorities. Attackers rarely target you personally. They operate at scale: they buy a database of email addresses and passwords leaked from some site that got breached, and they try those combinations automatically across hundreds of other services. This is called credential stuffing, and it is the reason password reuse is catastrophic rather than merely untidy.

The second thing to understand is that your email is the master key. Almost every other account can be reset through it. An attacker who owns your email owns your bank, your social media and your cloud storage — not because they cracked those, but because they clicked “forgot password” on each one. Secure your email first, always, and secure it hardest.

Step 1: Get a Password Manager

This is the highest-value action available to you and everything else is secondary. A password manager generates a long, random, unique password for every single site and remembers them for you. You memorise one strong master password and nothing else, ever again.

This single change eliminates credential stuffing entirely. A breach at a forum you forgot you joined can no longer cascade into your bank account, because the passwords have nothing in common. It also removes the exhausting mental tax of inventing and recalling passwords, which is the real reason people reuse them in the first place.

Any reputable manager works. What matters far more than the brand is that you actually use it for everything rather than keeping a handful of “important” passwords in your head, where they will inevitably drift back toward reuse.

Step 2: Make Your Master Password Strong

Since it is the one password you must remember, make it count. Length beats complexity: a passphrase of four or five unrelated words is far stronger and far easier to recall than a short string of symbols. Something like copper-lantern-drift-oyster is enormously more secure than P@ssw0rd!, and you will actually remember it.

Never reuse the master password anywhere else, and never store it in a browser or a note. Write it on paper and keep it somewhere physically safe if you must — a piece of paper in your home is a far smaller risk than reuse.

Step 3: Turn On Two-Factor Authentication

Two-factor authentication means an attacker with your password still cannot get in. Enable it everywhere it is offered, and prioritise in this order: email first, then banking and payments, then cloud storage, then social media, then everything else.

Not all second factors are equal:

Method Security Notes
Passkey / hardware key Strongest Phishing-resistant — cannot be used on a fake site
Authenticator app Strong Codes generated on-device, no network needed
Push notification Good Vulnerable to approval-fatigue spam
SMS code Weakest Vulnerable to SIM-swap, but far better than nothing

If SMS is the only option a service offers, use it. Weak 2FA still defeats the automated attacks that make up the vast majority of account takeovers.

Step 4: Adopt Passkeys Where You Can

Passkeys are the most meaningful security improvement in years. Instead of a password, your device holds a cryptographic key that is mathematically bound to the real website’s domain. You authenticate with your fingerprint or face, and the key simply will not work on a fake site — not because you might notice the fake, but because it is cryptographically impossible.

That makes passkeys phishing-resistant by design, which no password and no code-based 2FA can claim. Wherever a service offers a passkey, take it. This is the direction the entire industry is moving, and adopting early costs you nothing.

Step 5: Audit Your Recovery Options

Here is the step almost everyone skips, and it is the one attackers exploit to keep access after you think you have locked them out.

Go into each important account and look at the recovery settings. Is there a recovery email address you do not recognise? A phone number that is not yours? An old address you no longer control? Any of these is a permanent back door. An attacker who briefly had access will add their own recovery email, then wait — and when you change your password, they simply reset it again through the recovery route you never checked.

Remove anything unfamiliar. Make sure your recovery email is itself an account with strong protection, because a weakly-protected recovery address undermines everything you have built on top of it.

Step 6: Check for Mail Forwarding Rules and App Passwords

Two more persistence mechanisms hide in your email settings. A forwarding rule silently sends copies of your incoming mail to an attacker — including every password reset link — and it survives a password change untouched. An app password is a separate credential that bypasses your 2FA entirely; if an attacker created one, your new password and your authenticator do nothing to stop them.

Open your email settings now and check both. Delete any forwarding rule or filter you did not create, and revoke every app password you do not actively need. This takes three minutes and is one of the most valuable things in this guide.

Step 7: Review Connected Third-Party Apps

Over the years you have almost certainly clicked “Sign in with Google” or “Continue with Facebook” on dozens of services, granting each one standing access to some of your data. Many are long dead; some were never trustworthy. Every one is a potential route in.

Find the “connected apps” or “third-party access” section of your major accounts and revoke everything you do not currently use and recognise. If revoking something breaks a service you actually need, you can simply reconnect it — the cost of being aggressive here is very low.

Step 8: Find Out Where You Have Been Breached

Your credentials are almost certainly in a public breach dump already; that is simply the reality of using the internet for a decade. What matters is knowing which ones, so you can prioritise. Use a reputable breach-checking service to see which of your accounts have appeared in known leaks, then change those passwords first — and change them anywhere you reused them.

Step 9: Secure the Phone Itself

Your phone now holds your authenticator codes, your email and your payment methods, which makes it the highest-value physical target you own. Use a strong passcode rather than a four-digit PIN. Enable biometric unlock on top of it. Turn on remote wipe so a lost device can be erased. Keep the operating system updated, and install apps only from the official store. Review app permissions periodically and revoke anything that makes no sense for what the app actually does.

Step 10: Keep Everything Updated

The overwhelming majority of successful compromises exploit vulnerabilities that were already patched. Attackers read the patch notes, build the exploit, and scan for people who have not applied it. Turn on automatic updates for your operating system, browser and phone, and stop deferring them.

Step 11 to 15: The Remaining Essentials

  1. Lock down your most important accounts with advanced protection. Major providers offer a stricter security mode for high-risk users, typically requiring hardware keys and disabling less secure access paths. If you have anything genuinely valuable, turn it on.
  2. Never approve a login prompt you did not initiate. Attackers spam approval requests, often in the middle of the night, until someone taps “yes” to make it stop. A prompt you did not trigger is an attack in progress — deny it and change your password.
  3. Be sceptical of urgency. Every social-engineering attack manufactures time pressure, because pressure prevents verification. Slow down precisely when someone is telling you not to. Our guide on what phishing is covers the tactics in detail.
  4. Back up your data. Security controls can all fail; a backup is what makes that failure survivable rather than terminal. See our full guide on how to back up your data.
  5. Reduce your attack surface. Close accounts you no longer use. Every dormant account is a place your data can leak from, and you will never notice when it does.

What to Do the Moment You Suspect a Breach

Order matters more than speed alone. Change the password from a device you trust, not the possibly-compromised one. Then immediately check the persistence points — recovery email, recovery phone, forwarding rules, app passwords, connected apps — because if you skip these, the attacker simply walks back in. Sign out of all sessions. Enable or strengthen 2FA. Secure your email before anything else, since it unlocks the rest. Then work outward to every account that shared the compromised password, and contact your bank if any financial account is involved.

Helping Others Secure Their Accounts

Once your own accounts are in order, the highest-value thing you can do is help the people around you, because attackers reliably target the least defended person in a network and work outward. Setting up a password manager for a family member, enabling two-factor authentication on their email, and turning on automatic updates takes an hour and removes them from the pool of easy targets permanently.

Just as important is the conversation. Explain that urgency is the universal signature of a scam, that no real organisation demands immediate action, and that any unexpected request for money, codes or credentials should be verified by contacting the organisation through a number or address they find themselves. Agree a simple family rule that unusual requests are always checked through a second channel. That single habit defeats the overwhelming majority of attacks aimed at ordinary people, and it costs nothing at all to adopt.

Quick Reference: Account Security Do’s and Don’ts

  • Do use a password manager — unique passwords everywhere is the single biggest win available to you.
  • Don’t reuse passwords — one forgotten forum breach then unlocks your entire digital life.
  • Do secure your email first — it is the master key that resets everything else.
  • Don’t skip the persistence check — forwarding rules and recovery emails survive a password change.
  • Do choose passkeys over passwords wherever they are offered — they cannot be phished.

Frequently Asked Questions

What is the single most important step?

Use a password manager so that every account has a long, unique, random password. This eliminates credential stuffing, which is how the majority of ordinary people actually get compromised. Enabling two-factor authentication on your email is the close second.

Are password managers safe?

Yes, and they are far safer than the realistic alternative, which is reusing passwords. Reputable managers encrypt your vault so that even the provider cannot read it. The risk of a manager is small and well-managed; the risk of password reuse is enormous and certain.

Is SMS two-factor authentication good enough?

It is much better than nothing and defeats most automated attacks, but it is the weakest option because SIM-swap attacks can intercept the codes. Prefer an authenticator app, and prefer a passkey or hardware key above that.

Why does my recovery email matter so much?

Because it can reset your main account. If an attacker adds their own recovery address, changing your password achieves nothing — they simply reset it again. Auditing recovery options is the step people most commonly skip and attackers most reliably exploit.

How often should I change my passwords?

Routine scheduled changes are outdated advice and tend to produce weaker, more predictable passwords. Change a password when there is a reason: a breach, a suspicion of compromise, or a password you know is reused. Otherwise, a long unique password can stay as it is.

Final Thoughts

Securing your accounts is not about paranoia or buying products. It comes down to a short list of decisive actions: unique passwords in a manager, strong two-factor authentication on your email above all, passkeys where you can get them, and a periodic audit of the recovery routes and forwarding rules that attackers use to stay inside long after you thought you had removed them. Attackers overwhelmingly pursue the easiest targets available. These steps take an afternoon, and they move you out of that category permanently.

Explore more security guides and practical technology tutorials across Mahi Info Tech, including our complete cybersecurity guide for the bigger picture.

Scroll to Top