Securing Your Online Accounts: Why It Matters and How to Do It Right 


Author: Samuel Watterson

Your online accounts are gateways to your digital life. They store personal information, financial data, and access to other important services. Unfortunately, they’re also vulnerable to attack. Considering the average person has 168 passwords, there is a high probability that some of those services have previously been compromised and the credentials lost. Understanding how to secure your accounts is a critical part of modern cybersecurity, and in this article we examine the best way to approach this essential building block. 

The Real Value of Your Data 

Your online accounts contain a wide range of data that is valuable to cyber criminals. This includes personal identifiers such as your name, address, and date of birth, as well as high-risk financial information like debit/credit card details and bank account numbers. 

Beyond that, your accounts may hold sensitive communications, such as the content of your emails, messages and documents, that could be exploited. This could even include the ability to access other accounts and services via single sign-on or linked accounts.  

Critically, if an attacker gains access to your primary email account, they can often move laterally to compromise other services. This is because your primary email account typically serves as the main verification and recovery method for many linked accounts. 

Most cyber-attacks are financially motivated. Once cyber criminals have gained access to your account(s), they aim to extract maximum value, whether by selling your personal and financial data on the dark web or using their access to your accounts for identity theft or fraud. 

In some cases, attackers may even attempt to leverage their access to your personal accounts to gain access to your professional accounts or corporate systems, especially if you re-use credentials across environments. 

The consequences of compromised accounts can be severe, ranging from data theft/loss and financial loss to reputational damage both personal and professional. 

How to secure your online accounts 

The first step in securing your accounts is to identify which of them hold sensitive or high-value data: accounts which, if compromised, are likely to cause financial or reputational harm, or which contain sensitive personal information such as your address. You should consider each of your accounts and the data it may contain, but prioritise securing key accounts, such as financial accounts and your primary email.  

You should review the security options available for each of your accounts, but at a minimum, we would recommend that you ensure each account has: 

1. Strong, Unique Passwords 

Password best practices continue to evolve, but current recommendations include: 

  • Length: Aim for at least 14 characters; shorter passwords can be guessed far more quickly by automated cracking tools.  

  • Uniqueness: Never re-use a password across accounts. 

  • Storage: Use a reputable password manager to generate and store your passwords securely. 

Credential breaches are common, and reused passwords make it easy for attackers to compromise multiple accounts from a single incident. Given the average person has 168 passwords, reliance on memory alone often leads to weak or reused passwords and insecure choices like pet names or birthdays.  

It is unrealistic to expect to remember hundreds of unique, strong passwords. The practical solution is a password manager, which stores your credentials securely and reduces what you must memorise to just a few key passwords.

Regularly audit your passwords using the tools built into your password manager, such as the Security section of the Apple Passwords app or Google Password Manager’s Password Checkup. Update any that are weak, reused, or flagged as compromised. This can feel daunting at first, but it can be tackled gradually, starting with the key accounts that hold sensitive or high-value data.  
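To make the three checks above concrete (length, reuse, and appearance in a breach), here is an added example of a small offline vault audit. It is not code from this article or from coc00n; the vault entries, the priority list and the single "breached" hash are constructed for the example, and the breach check assumes the corpus is published as SHA-1 digests, the format used by Have I Been Pwned's password list, rather than querying any service.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 14  # the minimum length recommended above

# Constructed sample of what a password-manager export might contain.
# Every account name and password here is made up for this example.
SAMPLE_VAULT = [
    {"account": "bank.example", "password": "Tr0ub4dor&3-horse-staple"},
    {"account": "mail.example", "password": "Summer2023!"},
    {"account": "shop.example", "password": "Summer2023!"},
    {"account": "forum.example", "password": "correct-horse-battery-staple"},
]


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the representation breach corpora commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: a set of SHA-1 digests of leaked
# passwords. Here it contains exactly one entry that we build ourselves.
BREACHED_SHA1 = {sha1_hex("correct-horse-battery-staple")}


def audit_vault(vault, breached_sha1, min_length=MIN_LENGTH):
    """Return the accounts flagged as weak (too short), reused, or compromised."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["account"])

    findings = {"weak": [], "reused": [], "compromised": []}
    for entry in vault:
        account, password = entry["account"], entry["password"]
        if len(password) < min_length:
            findings["weak"].append(account)
        if len(by_password[password]) > 1:
            findings["reused"].append(account)
        if sha1_hex(password) in breached_sha1:
            findings["compromised"].append(account)
    return findings


def prioritised_fixes(findings, priority_accounts):
    """Order flagged accounts so the caller's key accounts come first.

    Returns a list of (account, sorted list of issue kinds); accounts with no
    findings are omitted even if they are in the priority list.
    """
    issues = defaultdict(list)
    for kind, accounts in findings.items():
        for account in accounts:
            issues[account].append(kind)
    ordered = list(priority_accounts) + sorted(
        account for account in issues if account not in priority_accounts
    )
    return [(account, sorted(issues[account])) for account in ordered if account in issues]


if __name__ == "__main__":
    result = audit_vault(SAMPLE_VAULT, BREACHED_SHA1)
    for account, kinds in prioritised_fixes(result, ("bank.example", "mail.example")):
        print(f"{account}: {', '.join(kinds)}")
```

Run as a script it lists `mail.example` first (reused and short), then the breached forum password, then the shop account that shares the mail password. The reuse check is what turns one leaked password into several compromised accounts, which is why the article's uniqueness rule matters as much as length.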

2. Multi-Factor Authentication (MFA) 

MFA (sometimes referred to as two-factor or two-step authentication) adds a second layer of protection beyond your password, which can help secure your account even if your password is compromised. Typically, authentication factors fall into three main categories:  

  • Something you know (e.g. password or PIN) 

  • Something you have (e.g. phone, hardware token) 

  • Something you are (e.g. fingerprint, facial recognition) 

Using multi-factor authentication means authenticating with two (or more) factors from different categories. A password is something you know, so the second factor must be something you have or something you are. 

SMS- and email-based MFA are worth enabling on accounts where they are the only options, but they are more vulnerable to interception and spoofing than other MFA methods. We recommend using the strongest type of MFA available, after considering the pros and cons of each. These include: 

  • Time-Based One-Time Password (TOTP) – Requires a dedicated app, such as Microsoft Authenticator, Google Authenticator or Duo Mobile. When enrolling, you typically scan a QR code that transfers a shared secret into the app; the app then displays a rolling six-digit code (something you have). 

  • Biometrics – The most commonly used are facial recognition and fingerprint (something you are) using devices with these capabilities, typically a mobile phone. 

  • Passkeys – When you add a passkey to an account, your device will generate a pair of keys (something you have) and share the public part with the service you are authenticating to. 

  • Hardware Tokens – These work in the same way as passkeys, but instead of the key pair being generated on your phone or laptop, it is generated on an external device, usually a USB stick (something you have). 

  • Push Notifications – Some providers send a notification to a dedicated app installed on your device (something you have) each time you try to log in.  

3. A Verified Recovery Method 

Recovery options are your safety net if you lose access to an account or if it’s compromised. Without them, you risk permanent lockout or delayed response to an attack. 

Online accounts will usually use the email address or phone number that you signed up with, but it is worth ensuring that each account has an up-to-date and verified recovery method. This means checking for accounts that are linked to old emails or phone numbers that you may no longer have access to.  

It is vital that you ensure your primary email account has a verified recovery method, given that it most likely forms the recovery method for most of your other accounts. 

Some sensible recovery methods include: 

  • A verified email address 

  • A trusted phone number 

While securing your accounts, you may also wish, or be prompted, to save recovery codes. These are one-time-use backup codes that let you regain access to your account if you lose access to your primary MFA method. They are typically long strings of characters (for example, Microsoft issues 25-digit codes) and act as a critical fallback when your usual login method fails.  

Because recovery codes can grant direct access to your account, it is essential to store them securely and privately. Avoid saving them in unsecured locations such as plain text files, email inboxes, or cloud-based notes without encryption. Instead, consider using an encrypted file, secure cloud storage solution or even offline storage, like a locked drawer or safe, to keep them protected.  
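The two paragraphs above describe recovery codes as long, one-time-use strings that grant direct access. This added example shows the mechanism from the service's side, so the reader can see why the codes must be guarded like passwords: the service keeps only a salted hash of each code, and each code is accepted exactly once. It is not code from this article, from coc00n, or from Microsoft; the code format (four groups of five characters), the PBKDF2 parameters and the store class are all choices made for the example.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O, 1/l/I so codes survive being written down and re-typed.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
GROUPS, GROUP_LEN = 4, 5          # 20 characters from a 31-symbol alphabet
PBKDF2_ROUNDS = 100_000           # assumed work factor for this example


def generate_recovery_codes(count: int = 8) -> list:
    """Return `count` fresh recovery codes like 'k7pqr-3mxwt-...' using the
    OS CSPRNG. The plaintext is shown to the user once and then discarded."""
    codes = []
    for _ in range(count):
        parts = [
            "".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN))
            for _ in range(GROUPS)
        ]
        codes.append("-".join(parts))
    return codes


def normalise(code: str) -> str:
    """Tolerate case, spaces and hyphens when the user types a code back in."""
    return code.strip().lower().replace("-", "").replace(" ", "")


class RecoveryCodeStore:
    """What the service keeps: a per-user salt and a salted, stretched hash
    of each unused code. Nothing stored here can be turned back into a code."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._unused = {self._digest(c) for c in codes}
        self._used = set()

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", normalise(code).encode("utf-8"), self.salt, PBKDF2_ROUNDS
        )

    def redeem(self, code: str) -> bool:
        """Accept the code once. Scans every entry without breaking early and
        compares in constant time, so timing does not hint at near-misses."""
        candidate = self._digest(code)
        match = None
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.remove(match)   # one-time use: the same code never works again
        self._used.add(match)
        return True

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    user_codes = generate_recovery_codes(4)
    store = RecoveryCodeStore(user_codes)
    print("show the user once:", *user_codes, sep="\n  ")
    print("first redemption:", store.redeem(user_codes[0]))
    print("same code again :", store.redeem(user_codes[0]))
    print("codes left      :", store.remaining())
```

The asymmetry is the point: the service holds only hashes, so a breach of its database does not hand out working codes, while the plaintext exists in exactly one place, wherever you chose to store it. That is why the article's advice on keeping them off plain text files and unencrypted notes matters.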

Building Sustainable Habits 

Implementing strong, unique passwords, enabling multi-factor authentication, and keeping recovery methods up to date are more than just best practices: they are essential steps in protecting your identity, finances, and reputation. These form the foundation of effective personal cyber hygiene. 

Importantly, account security is not a one-time effort. It requires regular attention and should become a consistent part of your digital routine.  

About the author 

Samuel Watterson is a coc00n Cyber Security Advisor with a legal background in commercial litigation. With sharp analytical skills and the ability to distil complex issues into clear, actionable advice, Samuel helps individuals and organisations strengthen their cyber security posture.     

About coc00n   

coc00n provides personal device protection for high value and high risk individuals at a level previously only available to those under government protection.  Contact us to find out more. 
