Most articles about how to secure your online accounts read like a homework assignment from a paranoid uncle. Twenty steps, a YubiKey on every finger, a separate browser for each website. You do not need that. The honest truth is that 99% of real account compromises in 2026 come from a tiny set of attacks, and a 30-minute setup defends against almost all of them. Here is the version that fits in a coffee break.
The threat that actually matters: credential reuse
Most people do not get hacked because a hacker targeted them personally. They get hacked because some website they signed up for in 2017 leaked its database, and the same password was used on their email. The single largest reduction in personal risk you can make is to never reuse a password on more than one site, ever. That is it. That is the headline.
Step 1 — Install a password manager (10 minutes)
Pick one and commit. The two reasonable choices in 2026:
- Bitwarden — free for the basics, €10 / year for premium. Open source, runs everywhere, syncs across devices. The default recommendation for almost everyone.
- 1Password — paid, polished, slightly nicer family sharing. The default recommendation if your spouse or roommate refuses to use anything that "looks like a tech thing."
Install the desktop app and the browser extension. Set a strong master password — a string of four random words is far better than a password with symbols and numbers. Write the master password on paper and put it somewhere safe. If you forget it, no one can recover it for you.
Step 2 — Replace the passwords on your top five accounts (10 minutes)
Do not migrate every account today. Start with the ones whose compromise would ruin your week:
- Your primary email (Gmail, iCloud, Outlook). This is the master key.
- Your bank.
- Your phone carrier (the SIM swap attack starts here).
- Your government / tax portal.
- Your password manager itself.
For each, generate a fresh password in the manager (let it pick — 20+ characters, random) and update the account. Test logging in once with the new password. Done.
The remaining accounts can be migrated as you encounter them in normal use over the next month. There is no need to do them in one heroic afternoon.
Step 3 — Turn on two-factor authentication (10 minutes)
This defeats the second-largest attack: someone has your password but not your phone. Three flavours, in order of strength:
Best: a hardware key (YubiKey or equivalent)
€30–€60 once. Plug it into USB, tap it when prompted. The strongest 2FA you can have. Worth it for your email, your password manager, and your most sensitive accounts. Buy two — keep the second in a drawer at home as a backup so a lost key does not lock you out.
Good: an authenticator app
Aegis (Android) or Raivo/2FAS (iOS) are the simple, free, encrypted-backup-friendly choices. Avoid Google Authenticator unless you enjoy losing every code when you change phones. Most websites support TOTP codes; turn them on for everything that supports them.
Acceptable, with reservations: SMS
SMS-based 2FA is better than nothing but vulnerable to SIM-swap attacks. If a service offers no other option, use it. If it offers an authenticator app, prefer that.
Step 4 — Lock down your email (5 minutes)
Your primary email is the recovery point for almost every account you own. Treat it like the master key it is.
- Strong, unique password (already done in step 2).
- Hardware key or authenticator-app 2FA on the account.
- Review the "third-party app access" page and revoke anything you do not recognise. Most people have ten dormant apps from a decade ago still authorised.
- Enable login alerts if your provider supports them.
- Add a recovery phone number you actually still own. The number of accounts permanently lost because the recovery number was a 2014 SIM card is staggering.
Step 5 — Sweep the obvious risk surface (5 minutes)
- Check haveibeenpwned.com with your main email. It will tell you which historical breaches you appeared in. Treat the results as a to-do list — change those passwords, rotate the relevant 2FA, move on.
- Browser autofill of credit cards. Disable saving full card numbers in your browser. Use the password manager's secure-note feature, or your bank's virtual-card feature instead.
- Old social media accounts. Delete the ones you do not use. Each one is a phishing or impersonation surface.
What is not worth your time
The internet's security advice is full of homework that costs hours and reduces real risk by single-digit percentages.
- Changing all your passwords every 90 days. Old, debunked advice. With unique strong passwords already in place, rotation creates more risk (people choose simpler passwords to remember them) than it removes.
- Custom DNS, encrypted DNS providers, weird VPNs that "increase security." Marginal at best, often a step backwards if the provider is sketchy.
- Browser fingerprint spoofing. Useful in narrow cases. Mostly a placebo.
- Keeping a Faraday cage in your hallway for your phone. If you genuinely think this is your threat model, you are not reading a generalist blog about it.
What to do after a breach announcement
Three steps, in this order:
- Change the password on that specific service. Use the manager.
- If you reused that password anywhere else (you should not have, but check), change those too.
- If financial data was involved, set fraud alerts with your bank and watch transactions for 30 days.
Do not panic, do not buy seven new privacy services. The boring response is the right response.
Bottom line
Securing your online accounts in 2026 is not a hobby. It is a 30-minute setup followed by occasional housekeeping. Get a password manager. Turn on 2FA on the accounts that matter. Lock down your email. Stop reusing passwords. That single hour of work moves you from the bottom 50% to the top 5% of online security hygiene without ever turning your life into a permanent privacy project.