1. Passwords
Use strong, unique passwords
If attackers get one of your passwords (usually from a breached site), they try it on every other service you might use. Every account needs its own unique password.
A strong password is:
- Long — at least 16 characters
- Random — not a word, name, or birthday
- Unique — never reused across sites
Nobody can remember 100 unique passwords. That's why you need a password manager.
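To make the three rules concrete, here is an added example (not part of the original guide) that generates a password the way a password manager does and estimates how long a brute-force attack would take. The 94-symbol alphabet, the 1e12 guesses-per-second attack rate and the short common-password list are assumptions chosen for illustration.

```python
import math
import secrets
import string
from typing import Optional

# Assumed 94-symbol printable ASCII alphabet (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for the top of a real "most common passwords" list.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a password the way a password manager does: every character is
    drawn independently from the OS CSPRNG (secrets), never from random.random."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected brute-force time; on average the attacker finds the password
    after trying half the keyspace. 1e12 guesses/s is an assumed offline rate
    against a fast hash and is only illustrative."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def weakness(password: str) -> Optional[str]:
    """Return why a password is weak, or None if it passes the guide's rules.
    The dictionary check comes first: 'password123' is 11 characters long but
    sits at the top of every attacker's wordlist, so its length is irrelevant."""
    if password.lower() in COMMON_PASSWORDS:
        return "in a common-password list"
    if len(password) < 16:
        return "shorter than 16 characters"
    return None


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"{pw}  ({bits:.0f} bits, ~{years_to_crack(bits):.1e} years at 1e12 guesses/s)")
    print("8 lowercase letters:", f"{years_to_crack(entropy_bits(8, 26)):.1e} years")
```

A 20-character password from this alphabet carries about 131 bits; eight lowercase letters carry under 38 bits and fall in well under a second at the assumed rate, which is why length matters more than clever substitutions.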
Recommended password managers
- 1Password
- Bitwarden
- Apple Passwords (built into iPhone, iPad and Mac)
Safely sharing passwords (Netflix, Spotify, etc.)
- Use a password manager's sharing feature. 1Password and Bitwarden both support shared vaults.
- Use the service's family plan. Netflix, Spotify, and YouTube all offer family plans.
- If you must share manually, use a self-destructing link like onetimesecret.com.
- ❌ Use your name, birthday, or "password123"
- ❌ Reuse the same password on multiple sites
- ❌ Share passwords via text or email
- ❌ Store passwords on sticky notes or in a plain note on your phone
- ✅ Let a password manager generate & save them
- ✅ Use a unique password per account
- ✅ Share via a shared vault or self-destructing link
- ✅ Lock your phone with Face ID / fingerprint / PIN
2. Multi-Factor Authentication (MFA)
What is it?
MFA adds a second step when logging in. Even if someone steals your password, they can't get in without this second factor. Think of it as a deadbolt on top of your door lock.
Three types compared
| Method | How it works | Security | Ease |
|---|---|---|---|
| Passkeys | A cryptographic key stored on your device, unlocked with Face ID, fingerprint, or device PIN. Nothing to type, and it only answers the real site, so a fake login page can't capture it. | Best | Easiest |
| Authenticator app (TOTP) | 6-digit code that changes every 30 seconds, computed from a secret the site shared with the app when you scanned its QR code. | Very good | Good |
| SMS codes | Code sent via text message. | Weakest | Easiest |
Recommended authenticator apps
- Google Authenticator (turn on account sync)
- Apple Passwords
- Authy
Why SMS is the weakest: attackers can take over your phone number through "SIM swapping" (talking your carrier into moving the number to their SIM), after which every code sent by text lands on their phone. Authenticator apps and passkeys are tied to your physical device, not your phone number. One caveat: any code you type, from SMS or from an app, can still be phished by a fake login page that relays it to the real site within its 30-second window; passkeys are the only option in the table that a fake page cannot capture.
Where to enable MFA in popular apps
| App | Where to find it |
|---|---|
| Gmail | Google Account → Security → 2-Step Verification |
| | Settings → Accounts Center → Password & Security → Two-factor authentication |
| | Settings → Accounts Center → Password & Security → Two-factor authentication |
| TikTok | Profile → Menu → Settings → Security → 2-step verification |
| YouTube | Managed via your Google Account (same as Gmail) |
a) Got a new iPhone? How to transfer your authenticator app
If you use Google Authenticator: either sign in to the app with your Google Account so your codes sync to the new phone, or, on the old phone, open the app menu → Transfer accounts → Export accounts, then on the new phone choose Transfer accounts → Import accounts and scan the QR code the old phone shows. Do this before you wipe or trade in the old phone.
If you use Apple Passwords, codes sync automatically via iCloud.
b) Personal vs. work authenticator apps
Keep them separate. Your employer's device-management software can remotely wipe a work-managed authenticator app, and if your personal codes live in the same app, you lose access to your own accounts along with it.
c) Your phone is stolen — what now?
Before it happens (do this now):
- Save your recovery codes when you enable MFA (see section 3).
- Use an authenticator with cloud backup (Authy, Apple Passwords, or Google Authenticator with sync).
- Enable Find My iPhone (Find My Device on Android).
After it happens:
- Use Find My iPhone to lock the stolen phone, then erase it.
- Ask your carrier to block the SIM so calls and texts, including SMS codes, stop reaching the thief.
- Use your recovery codes to log in to your most important accounts, email first.
- Set up MFA again on your new device and remove the old device from each account's list of trusted devices.
- Change passwords for email and banking, and sign out all other sessions.
- ❌ Rely on just a password
- ❌ Use SMS as your only second factor
- ❌ Mix work and personal in one authenticator
- ✅ Use passkeys wherever available
- ✅ Use an authenticator app for everything else
- ✅ Enable cloud backup in your authenticator
3. Recovery Codes
What are recovery codes?
One-time-use backup codes (usually 8 to 10 per account) that let you log in if you lose your phone or authenticator app. Each code works exactly once, and anyone holding the list can skip your second factor entirely, so treat them like a spare house key.
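To show what a recovery code is on the service's side, and why the list is a complete substitute for your second factor, the following added example (not the guide's own code, nor any particular site's implementation) generates ten codes, stores only their salted hashes, and lets each one be redeemed exactly once. The alphabet, code length and PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import List

# Ambiguous characters (0/o, 1/l/i) left out so a printed code can be retyped reliably.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, group: int = 5) -> List[str]:
    """Ten codes like 'k7f2m-9q3xp'. Each is 10 symbols from a 31-symbol
    alphabet, roughly 49.5 bits, drawn from the OS CSPRNG."""
    def chunk() -> str:
        return "".join(secrets.choice(CODE_ALPHABET) for _ in range(group))
    return [f"{chunk()}-{chunk()}" for _ in range(count)]


def normalise(code: str) -> str:
    """What the user types may have the dash, spaces or capitals added or removed."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def hash_code(code: str, salt: bytes) -> bytes:
    """The service stores only a salted, slow hash (PBKDF2-SHA256), so a leaked
    database does not hand out working login codes."""
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, 100_000)


class RecoveryCodeStore:
    """Service-side bookkeeping for one user's codes."""

    def __init__(self, codes: List[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self._unused = [hash_code(c, self.salt) for c in codes]

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; constant-time compare against each stored hash."""
        candidate = hash_code(code, self.salt)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("\n".join(codes))
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```

Because the service keeps only hashes, the plaintext list you download at enrolment is the only copy that exists, which is the whole reason the table below cares so much about where you put it.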
Where to save them
| Option | Safe? |
|---|---|
| Printed and stored in a safe place at home | ✅ Yes |
| In a password manager (1Password, Bitwarden) | ✅ Yes |
| In a locked note on your phone + laptop | ✅ Decent |
| Screenshot saved only on your phone | ⚠️ Risky |
| In your email inbox | ❌ No — if hacked, exposed |
| Nowhere ("I'll remember") | ❌ Never |
- ❌ Save them in your email inbox
- ❌ Screenshot and leave in camera roll
- ❌ Skip saving them — "I'll do it later"
- ✅ Store in your password manager
- ✅ Print and keep in a safe or locked drawer
- ✅ Save immediately when you enable MFA
4. Keep Your Software Updated
An "update available" prompt is often the fix for a security bug that has just been made public. Once the fix ships, attackers can compare the old and new versions to see exactly what was patched and start scanning for devices that haven't installed it, so the window between release and exploitation is short.
- ❌ Click "Remind me later" for weeks
- ❌ Keep apps you never use
- ❌ Run outdated browsers
- ✅ Turn on automatic updates everywhere
- ✅ Restart after updates to activate them
- ✅ Delete unused apps to reduce risk
5. Spot a Phishing Attack
Phishing = a fake message pretending to be from a trusted company to steal your login or money. It's one of the most common ways people get hacked.
Red flags
- ❌ Urgent language: "Your account will be closed in 24 hours!"
- ❌ Sender address doesn't match the company (e.g. support@appl3-help.com). The display name can say anything, so look at the actual address.
- ❌ Links go to unexpected URLs. Hover before clicking (long-press on a phone) and read the domain just before the first "/" in the address.
- ❌ They ask for your password, credit card, or 2FA code. Real companies don't ask for a password or 2FA code by email or phone.
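The sender and link checks above can be automated. The following added example (not from the original guide) extracts the real sender domain and every link from a constructed HTML message and reports the mismatches that hovering over a link would reveal. The sample messages, the urgent-phrase list and the "last two labels" domain rule are assumptions for illustration; the addresses and hosts are made up.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed phrases; a real filter would use a much longer list.
URGENT_PHRASES = ("will be closed", "within 24 hours", "immediately", "suspended")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name: 'appleid.apple.com' -> 'apple.com'.
    Good enough for .com-style names; multi-part suffixes such as .co.uk
    need a public-suffix list, which this example deliberately omits."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Domain of the actual address, ignoring the display name the mail client shows in bold."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url_or_text: str) -> str:
    """Host name of a URL; bare 'www.apple.com' is treated as https://www.apple.com."""
    if "://" not in url_or_text:
        url_or_text = "https://" + url_or_text
    return urlsplit(url_or_text).hostname or ""


class MailParser(HTMLParser):
    """Collect visible text and (anchor text, href) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.text: List[str] = []
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._anchor: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None


def phishing_flags(from_header: str, html_body: str, expected_domain: str) -> List[str]:
    """Return the red flags found; an empty list means nothing obvious."""
    flags = []
    sender = sender_domain(from_header)
    if registrable_domain(sender) != expected_domain:
        flags.append(f"sender {sender!r} is not {expected_domain}")

    parser = MailParser()
    parser.feed(html_body)
    body = " ".join(parser.text).lower()
    for phrase in URGENT_PHRASES:
        if phrase in body:
            flags.append(f"urgent language: {phrase!r}")

    for shown, href in parser.links:
        target = host_of(href)
        if registrable_domain(target) != expected_domain:
            flags.append(f"link {shown!r} goes to {target!r}, not {expected_domain}")
        # Anchor text that looks like an address but points somewhere else:
        # exactly the mismatch that hovering over the link reveals.
        looks_like_address = "." in shown and " " not in shown
        if looks_like_address and registrable_domain(host_of(shown)) != registrable_domain(target):
            flags.append(f"link text shows {host_of(shown)!r} but href is {target!r}")
    return flags


# Constructed sample messages (not real mail).
PHISH_FROM = "Apple Support <support@appl3-help.com>"
PHISH_BODY = (
    "<p>Your account will be closed in 24 hours!</p>"
    '<a href="https://apple.com.verify-login.example/id">https://appleid.apple.com</a>'
)
LEGIT_FROM = "Apple <no-reply@email.apple.com>"
LEGIT_BODY = '<p>Your receipt is ready.</p><a href="https://appleid.apple.com/">Manage your account</a>'

if __name__ == "__main__":
    for flag in phishing_flags(PHISH_FROM, PHISH_BODY, "apple.com"):
        print("-", flag)
```

The link in the sample is the classic trick: the host "apple.com.verify-login.example" starts with the brand name, but the part that counts is the end, and the visible text points somewhere the href does not.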
What to do
- ✅ Don't click — go directly to the website by typing it yourself
- ✅ Report phishing emails (Gmail: three dots → "Report phishing")
- ✅ When in doubt, call the company directly
6. Scam Calls & Texts
Scammers increasingly call or text instead of emailing — pretending to be your bank, a delivery company, the tax office, or even a relative in trouble.
Common scams
| They say... | Red flag |
|---|---|
| "This is your bank's fraud team, we need to verify your card" | Banks never ask for your PIN, full card number, or 2FA code by phone |
| "Pay this fine immediately or face arrest" | Real authorities don't threaten arrest over the phone |
| "Click this link to reschedule your delivery" | Unexpected delivery texts with links are almost always fake |
| "It's me, I'm in trouble, send money" (unfamiliar number) | Always verify by calling the person back on their known number |
What to do
- Hang up, then call the company back using the number on their official website or the back of your card — never a number given to you during the call.
- Never share codes — one-time codes, PINs, or passwords should never be given over the phone.
- Slow down — urgency and fear are the scam working as intended.
- ❌ Give codes, PINs, or passwords over the phone
- ❌ Call back a number given to you during the call
- ❌ Click links in unexpected delivery/bank texts
- ✅ Hang up and call the official number yourself
- ✅ Verify "it's me" messages with a phone call
- ✅ Report scam texts (forward to 7726 / "SPAM" in many countries)
7. Public Wi-Fi and VPNs
Attackers can set up a fake Wi-Fi network with a familiar name and watch or tamper with the traffic that passes through it. HTTPS already encrypts your connection to each website, so what a hostile network mostly sees is which sites you visit and any old-style plain-HTTP traffic. A VPN encrypts everything between your device and the VPN provider's server, which hides all of it from the Wi-Fi operator; past that server the traffic travels as normal, so you are trusting the VPN provider instead of the coffee shop.
Recommended VPNs
- ❌ Use public Wi-Fi without a VPN
- ❌ Auto-join open networks
- ❌ Use ad-supported "free" VPNs. Servers cost money, and many of them pay for it by logging and selling your traffic
- ✅ Use Mullvad, ProtonVPN, or IVPN
- ✅ Verify Wi-Fi names with staff first
- ✅ Disable auto-join for public networks
8. Device Encryption
How to enable it
- iPhone/iPad: Already encrypted by default with a passcode.
- Mac: System Settings → Privacy & Security → FileVault → Turn On.
- Windows: Settings → Privacy & security → Device encryption (or BitLocker on Pro and Enterprise editions).
Encrypted messaging
Regular SMS is not encrypted and can be read by your carrier or anyone who intercepts it. Use these apps for private conversations. Note that iMessage is only end-to-end encrypted between Apple devices; green-bubble messages to Android phones go over SMS or RCS instead.
- Signal
- iMessage
- WhatsApp
- ❌ Leave FileVault / BitLocker off
- ❌ Use SMS for sensitive conversations
- ❌ Forget to save your recovery key
- ✅ Enable FileVault (Mac) or BitLocker (Windows)
- ✅ Save recovery key in your password manager
- ✅ Use Signal, iMessage, or WhatsApp
9. Backups
Ransomware encrypts your files and demands payment. A good backup means you can wipe and restore without paying a cent.
The 3-2-1 rule
- 3 copies of your data
- 2 different types of storage
- 1 copy offsite (iCloud, Backblaze)
- ❌ Keep files on only one device
- ❌ Assume cloud sync = backup (sync faithfully copies deletions and ransomware-encrypted files too)
- ❌ Pay ransomware — just restore
- ✅ Follow 3-2-1: 3 copies, 2 types, 1 offsite
- ✅ Use Time Machine (Mac) or File History (Win)
- ✅ Add cloud backup (iCloud, Backblaze)
10. Browser Security
Your browser is the door to almost everything you do online, so a few small habits go a long way.
Quick habits
- Check for https:// (shown as a padlock in some browsers) before entering any password or payment info. That only tells you the connection is encrypted, not that the site is honest; phishing sites use HTTPS too, so read the domain name as well.
- Keep your browser itself updated — Chrome, Firefox, Safari, and Edge all patch security holes quickly.
- Install an ad/tracker blocker like uBlock Origin (on Firefox; Chrome now only permits the lighter uBlock Origin Lite). It also blocks a lot of malicious ad-based scams.
| Myth | Reality |
|---|---|
| "Private/Incognito mode keeps me anonymous" | It only stops your browser saving history locally — your network, employer, or the websites you visit can still see you. |
- ❌ Enter passwords on a page without https://
- ❌ Rely on incognito mode for privacy
- ❌ Ignore "Not Secure" browser warnings
- ✅ Look for the padlock before logging in
- ✅ Install uBlock Origin
- ✅ Keep your browser auto-updating
11. Safe Online Shopping
Fake online shops are designed to look real long enough to take your money and your card details.
Red flags
- Prices far too good to be true, with countdown timers pushing you to "buy now"
- Only a contact form — no real phone number or address
- A domain that was registered very recently (a WHOIS lookup shows the registration date)
Pay safely
Prefer Apple Pay, Google Pay, PayPal, or a credit card over a debit card — these make disputing fraudulent charges much easier.
- ❌ Pay by bank transfer to an unfamiliar shop
- ❌ Ignore a missing phone number or address
- ❌ Rush because of a countdown timer
- ✅ Pay with a credit card or Apple/Google Pay
- ✅ Search "[shop name] scam" before buying
- ✅ Check how old the website's domain is (WHOIS lookup)
12. Custom DNS
DNS is the lookup that turns a name like example.com into the address your device actually connects to. Your internet provider's resolver sees every site you visit, and a resolver that refuses to answer for known malware and phishing domains stops many attacks before the page even loads.
Recommended DNS providers
| Provider | Address | Bonus |
|---|---|---|
| Cloudflare | 1.1.1.1 (1.1.1.2 also blocks malware domains) | Fast, privacy-focused |
| Quad9 | 9.9.9.9 | Blocks malware domains |
| NextDNS | Custom | Configurable ad/tracker blocking |
- ❌ Use your provider's default DNS
- ❌ Use random "free DNS" services
- ✅ Switch to Cloudflare, Quad9, or NextDNS
- ✅ Install the 1.1.1.1 app for easy setup
13. Router & Home Wi-Fi
Your router is the front door to every device in your home — phones, laptops, smart TVs, cameras, and any Wi-Fi buttons or other smart-home gadgets that connect to it.
Lock it down
- Change the default admin password; many routers ship with a password that's publicly known for that model, often printed on the sticker on the box.
- Use WPA3, or WPA2 with AES, for your Wi-Fi network; the old WEP and WPA (TKIP) standards are broken.
- Put smart-home devices on a guest network so a compromised camera or plug can't reach your laptop or phone.
- Turn on automatic firmware updates if the router offers them; otherwise check the router app or admin page a few times a year.
- Turn off WPS (its PIN can be brute-forced) and remote administration from the internet unless you actually need them.
- ❌ Leave the router's default admin password
- ❌ Mix smart-home gadgets onto your main network
- ❌ Skip firmware updates for years
- ✅ Set a unique admin password
- ✅ Use WPA2/WPA3 with a strong Wi-Fi password
- ✅ Create a separate guest network for IoT devices
14. Privacy Audit
Checklist
- Review app permissions — does that flashlight app really need your contacts?
- Run Google's privacy checkup at myaccount.google.com/privacycheckup
- Set social profiles to private and remove your phone number
- Delete old accounts you no longer use
- Use a privacy browser — Firefox, Brave, or Safari
- ❌ Give apps unnecessary permissions
- ❌ Keep old unused accounts around
- ❌ Leave social profiles fully public
- ✅ Revoke unneeded app permissions
- ✅ Run Google's privacy checkup
- ✅ Check haveibeenpwned.com for leaks
15. Email Aliases
Aliases are unique forwarding addresses that all deliver to your main inbox. If one gets spam, disable it.
Options
- Hide My Email (Apple)
- SimpleLogin
- ❌ Give every site your real email
- ❌ Use one email for everything
- ✅ Use Hide My Email or SimpleLogin
- ✅ Create a unique alias per service