Online security is a constant battle. With passwords, biometrics, and authentication tools evolving daily, how do you secure your accounts without losing your mind? I’ve spent years refining my personal cybersecurity strategy to secure online accounts through trial and error. While everyone’s threat model is different, this general framework of account security is yours to steal and build upon for your own account security.
Key Takeaways
- Don’t Put All Your Eggs in One Basket: Diversify your security measures.
- Use 2FA Where Available: Make it a habit to use 2FA whenever possible.
- Utilize Physical Security Keys: For sensitive accounts, use a physical key for added security.
- Establish Proper Backups: Keep your backup codes in a secure place, separate from your passwords.
Now, let me show you the online security strategy you can use to lock down your accounts, each building on top of the last.
Note: Some of the links in this article may be affiliate links, which means that at no extra cost to you, I may be compensated if you choose to use one of the services listed. I only recommend what I personally have used, and I appreciate your support!
1. DO NOT Put All Security Eggs in One Basket
By default, many people trust one company (Google, Apple, Microsoft) to manage all of their logins, passwords, and authentication.
This might seem convenient, but it’s very dangerous. If that company has any kind of security breach, it could expose all your login credentials, authentication data, and sensitive information in one swoop.
This is why relying on a single ecosystem for all security functions (i.e. using Google for your email, password storage, authentication, and cloud storage) is a serious vulnerability.
I don’t want any single company to hold too much control over my information and security.
Cybersecurity Strategy Takeaway:
- Use a good password manager instead of a built-in browser or OS-based password manager.
- Use a separate authentication app instead of Google authentication.
- Store sensitive documents on a separate cloud storage provider rather than keeping everything with one company.
A security breach at one company should not be able to bring down your entire digital life.
2. Create Separate & Distinct Security Powers
Even if you don’t put all your security tools in one place, you may still be making it too easy for hackers by keeping all your credentials in a single access point.
For example, if you store both your passwords and 2-Factor Authentication codes inside the same password manager, you are making it easier for an attacker to compromise multiple layers of security at once.
I’ll admit I break this rule for certain low-risk accounts like streaming services or loyalty rewards programs. But when it comes to sensitive accounts, I store authentication codes separately.
Cybersecurity Strategy Takeaway:
- Use a password manager for passwords but store sensitive 2FA backup codes in a separate location.
- Do not use the same email provider and password manager. If a hacker breaches one, they should not gain access to the other.
- Keep separate work and personal security systems. Avoid using personal authentication apps or password managers for work accounts.
By distributing your security tools across different platforms, you minimize the risk of a single attack compromising everything.
3. Use Unique & Strong Passwords for Each Account
Passwords are still the first line of defense for most accounts, yet most people continue to use weak or reused passwords.
When a company suffers a data breach, hackers gain access to millions of stolen credentials. They use these credentials to launch credential stuffing attacks, where they attempt to log in to multiple sites using leaked usernames and passwords.
If you reuse passwords, one leaked credential could compromise dozens of your accounts.
Cybersecurity Strategy Takeaway:
- Use a password manager to generate and store 15+ character passwords for every account. Personally, I use 1Password on a daily basis, and I’ve been a happy customer for years. I wrote a detailed review of 1Password, where I explain how I use it to generate and store secure passwords.
- If you must store passwords manually, keep them offline and securely stored.
- Change passwords immediately for any account that has been involved in a known data breach.
Long, unique passwords are one of the easiest ways to improve security, and a password manager makes them practical to use.
4. When Offered, ALWAYS Enable 2FA
Even the best password is useless if an attacker manages to steal it. Two-factor authentication (2FA) adds an extra layer of security by requiring a second form of verification when logging in.
But not all 2FA methods are equal. The weakest form is SMS-based 2FA, which can be intercepted through SIM-swapping attacks.
Cybersecurity Strategy Takeaway:
- Enable 2FA on every account that supports it.
- Use authenticator apps (such as Google Authenticator, Authy, or Aegis) instead of SMS.
- The most secure method of 2-factor authentication is the security key. More on that in the next section.
2FA makes account takeovers significantly more difficult. Without it, a stolen password is all a hacker needs to log in.
5. If 2FA Keys are Supported, Use It!
Two-factor authentication apps are a major upgrade from SMS-based security, but they still have one flaw they rely on codes that can be intercepted through phishing attacks.
A physical security key is the strongest form of account security because it requires physical possession of the key to log in. Even if a hacker steals your password and tricks you into providing an authentication code, they still won’t be able to access your account without the physical key.
Cybersecurity Strategy Takeaway:
- Use security keys (like YubiKey) for high-risk accounts such as email, banking, and cloud storage.
- Always set up both a primary and a backup key in case one is lost.
- Prioritize services that support security keys as a login method.
For accounts that support them, security keys provide the highest level of protection available. This is how to setup a 2FA security key ( Yubikey Tutorial)
6. Use Email Aliases for New Accounts Created
Most people use one email address for everything, but this creates a single point of failure.
If a hacker gets access to your email, they can use password reset links to access your accounts. Additionally, leaked email addresses make targeted phishing attacks easier.
Cybersecurity Strategy Takeaway:
- Use email aliases to create a unique email for each new account.
- Services like SimpleLogin, ProtonMail, or Apple’s “Hide My Email” generate email aliases automatically. If you want to explore different options, I compiled this list of the best services to protect your email privacy.
- Avoid using your primary email for logins reserve it for trusted contacts only.
Email aliases reduce spam, protect privacy, and prevent phishing attacks.
BONUS: Protecting Against Cybersecurity Threats
As I continue to refine my security strategy, I’ve identified a few additional laws worth considering:
Enable Biometric Lock on Apps
Lock down your apps and device with the best security available. If an app supports fingerprint or face recognition, turn it on. If not, set a strong, unique PIN.
Also, protect your mobile device by setting up a secure password, enabling data encryption, and using safe Wi-Fi connections. These steps help keep your personal information safe from hackers and other security threats.
Use a Virtual Number for SMS Codes
If you need to receive SMS codes, consider using a virtual number instead of your primary phone number.
Virtual phone services offer privacy and anonymity by allowing you to verify accounts, receive calls/texts, and communicate without revealing your real phone number.
I’ve put together a list of the best virtual phone number apps you may use to receive verification codes for account authentication to keep things private and minimize annoyance. Personally, I found Hushed to be the best in terms of user experience for phone verification.
Consider Passkey Options
Passkeys are gaining attention as a new way to secure accounts, but are they truly the ultimate solution? While they offer better security than just a password alone, they’re not foolproof.
If I were to rank account security from weakest to strongest, it would go:
- Password only
- Password with SMS or authenticator codes
- Passkeys
- Password + a physical security key.
In my view, physical security keys remain the gold standard because they can’t be easily copied or stolen. So, should you use a passkey? If an account doesn’t support physical security keys but does allow passkeys, though there aren’t many in this category, then sure, a passkey is a solid choice.
How Secure Is Your Online Presence?
Most people don’t get hacked because they were targeted; they get hacked because they were easy to compromise. By following these security laws, you can make it significantly harder for hackers to access your accounts.
Which of these security strategies are you already using? Are there any that you need to improve? Take the time to review your security setup today because once an account is compromised, it’s often too late to fix the damage.
