Skip to content
How‑To Guides

Online Account Security: Audit and Harden Every Account

Online account security requires unique passwords, 2FA, and regular audits. Here is the complete guide from initial hardening to ongoing maintenance schedules.

Online Account Security: Audit and Harden Every Account

Every service you use online — email, banking, shopping, streaming, social media, cloud storage, work tools — is protected by an account that can be compromised if credentials are weak, reused, or exposed in a data breach. Online account security is the practice of configuring and maintaining each account to resist the attacks that target them: credential stuffing, phishing, brute force, and account recovery exploits. You’ll find the complete rundown in our Complete Guide to Online Security and Privacy.

Have I Been Pwned tracks over 14 billion compromised credentials from known data breaches — and that represents only breaches discovered and disclosed. For any email address in use for more than a few years, the near-certainty is that at least one service it was registered with has been breached. The goal isn’t preventing breaches at services you use — it’s ensuring a breach at one service doesn’t cascade across every other account sharing the same credentials.

The foundation — unique passwords for every account

When every account has a unique password, a breach at any single service exposes only that one account rather than every account sharing the same password. This is the most impactful single property of a strong account security posture: uniqueness prevents credential stuffing attacks from cascading across services.

A password manager — Bitwarden, 1Password, or equivalent — generates and stores unique credentials for every account automatically. The setup takes an afternoon the first time: create the manager account, install the browser extension, import passwords already saved in the browser, and begin generating new unique passwords whenever a login is created or changed. Our guides on using a password manager and creating strong passwords cover the setup and what makes generated passwords genuinely attack-resistant.

The most dangerous reuse pattern combines the email account with other services — because email is the password reset destination for everything else. If the email password is reused and appears in a breach database, every account using that email for recovery is potentially accessible through a password reset chain. Treat the email account’s password as uniquely valuable: strong, unique, and memorised rather than stored only in the manager.

Two-factor authentication — the second required layer

A unique strong password prevents credential stuffing. 2FA ensures that even a correctly-guessed or breached password cannot alone grant access. The combination makes account takeover require both knowledge (the password) and possession (the authentication device) simultaneously.

The authenticator app method (Google Authenticator, Authy, Microsoft Authenticator) provides the best balance of security and usability — generates time-based codes that change every 30 seconds, works offline, and isn’t vulnerable to SIM swap attacks that compromise SMS-based 2FA.

Priority order for 2FA setup:

  1. Primary email account — highest priority; controls recovery for all other accounts
  2. Password manager account — protects access to all other credentials
  3. Banking and investment accounts — direct financial exposure
  4. Cloud storage holding sensitive files
  5. Work email and corporate accounts
  6. Social media and shopping accounts

After enabling 2FA on any account: save the backup codes. These single-use codes are the recovery mechanism if the authenticator app is unavailable (lost phone, new phone without migration). Store them in the password manager’s secure notes alongside the account credentials. Accounts where backup codes were never saved and the 2FA device is lost may require a lengthy identity-verification recovery process — or a permanent lockout. Backup code storage is not optional hygiene; it’s a mandatory part of the 2FA configuration.

Reviewing and hardening every active account

Beyond passwords and 2FA, each active account has additional security settings worth reviewing:

  • Account recovery options: the recovery email and phone number for each account are secondary attack surfaces. If an attacker compromises the recovery email, they can reset the primary account’s password. Review and update recovery options to ensure the recovery paths are also secured. The recovery phone number should be a VoIP number that can’t be SIM-swapped for high-value accounts.
  • Connected third-party applications: any “Sign in with [service]” connection gives that service ongoing access to the account. Review and revoke connections for apps you no longer use — these accumulate into a significant shadow access network over years of account use.
  • Active sessions: most major services show all devices and locations currently logged into the account. Review and terminate sessions from unfamiliar devices or locations. For accounts you haven’t checked in over a year, actively reviewing session history is worth the five minutes it takes.
  • Security question answers: for accounts that still use knowledge-based authentication, treat answers as passwords — store random generated nonsense answers in the password manager rather than real answers that are findable from social media or public records.

The online account security audit — what to check and when

CheckWhere to do itFrequency
New breaches involving your emailhaveibeenpwned.com (set up free email alerts)Continuous (automated alerts)
Weak or reused passwords in vaultPassword manager audit tool (Bitwarden: Reports; 1Password: Watchtower)Monthly during transition; quarterly ongoing
Connected third-party appsmyaccount.google.com/permissions; account.microsoft.com/privacyQuarterly
Active sessions reviewAccount security settings for email and financial accountsMonthly for email; quarterly for others
Backup codes stored and currentPassword manager secure notes for each 2FA-enabled accountVerify after any phone change or manager migration
Account recovery options currentSecurity settings for email and financial accountsAnnually or after any contact information change
Unused accounts deletedEmail inbox “Welcome to” history; JustDeleteMe as referenceAnnually

The password manager’s audit tool is worth running monthly during the transition from reused passwords to unique generated passwords — it surfaces the remaining reused and weak passwords so you can update them opportunistically. Once the vault is fully migrated to generated passwords, quarterly audits maintain the security posture as new breaches are discovered and as old services are identified for deletion.

Account security for specific high-risk categories

Shopping accounts: use guest checkout when possible to avoid creating stored credentials. When accounts are required, use email aliases rather than your primary address. Don’t save payment methods — enter them fresh each time, or use only a virtual card number if a payment method must be stored. Shopping accounts represent some of the lowest-priority 2FA targets but highest-priority targets for password uniqueness (they’re breached frequently and often reuse common passwords).

Streaming and subscription accounts: these are lower security priority individually but create a specific risk when shared across household members. Establish household rules for shared accounts: share credentials through the password manager’s sharing features (not via SMS or email), and use the service’s own profile/sub-account system where available so each person has separate login credentials rather than one shared credential set.

Old accounts you can’t delete: for services that make deletion difficult — requiring phone calls, refusing to delete without documentation, or simply not responding — the compromise approach is to change all stored information to inaccurate data and change the password to a unique generated one before abandoning the account. This limits the breach damage (incorrect personal data provides less value) while removing the reused password vulnerability.

Our guide on securing your email account covers the email-specific configuration in depth, and our guide on setting up two-factor authentication covers the 2FA setup process for each major service. For checking current breach status of specific accounts, Have I Been Pwned provides free email-based alerts for new breaches as they’re discovered and disclosed — set up alerts for every email address you use across accounts.

Emergency access and account continuity

Password manager emergency access is the account security planning element most individuals and families overlook. If the person managing the household’s password manager is incapacitated or unavailable, what happens to critical account access?

Bitwarden Premium and 1Password offer emergency access features — designating a trusted person who can request vault access after a waiting period, during which the primary user can deny the request if available. Set up emergency access and keep the designated person informed of the process. This isn’t just about external attackers — it’s practical security planning for account access continuity across all situations where the primary account holder is unavailable.

For physical backup of the most critical accounts (email, password manager, banking): write the account credentials, recovery codes, and 2FA backup codes on paper. Store it in a physically secure location (home safe, safety deposit box). Tell a trusted person where it is. This physical backup is the recovery path when all digital access fails — lost phone, forgotten master password, unavailable manager — and its existence means a complete digital lockout is recoverable without losing years of account access.

Online account security done properly is a system that requires an afternoon to set up and minimal ongoing maintenance — primarily running the password manager’s audit tool quarterly and responding to breach alerts as they arrive. The protections compound over time: each account converted from a reused weak password to a unique generated one reduces the credential stuffing exposure; each 2FA setup makes the corresponding account genuinely difficult to take over even with a correct password. The end state is an account ecosystem where no single breach creates a cascade of compromises — which is what resilient online account security actually looks like.

Defending against account recovery exploits

Account recovery mechanisms — the “forgot password” flows — are often the weakest link in account security. An attacker who can’t guess or steal your password may be able to reset it through recovery options that are easier to compromise than the password itself. The most common recovery exploit patterns:

  • Recovery email compromise: if the recovery email address is compromised, the attacker uses it to reset passwords on every linked account. Protecting the recovery email with its own strong unique password and 2FA is essential — it’s the second-most-important account after the primary email itself.
  • Recovery phone SIM swap: an attacker who ports your phone number to a SIM they control receives all SMS messages, including 2FA codes and password reset verification. Set a carrier PIN or port freeze on your mobile account (call your carrier) to prevent unauthorised SIM swaps.
  • Security question exploitation: questions like “mother’s maiden name” or “first pet’s name” are often answerable from social media or public records. As noted above: store random nonsense answers in the vault. The answer just needs to match what you stored, not anything real.
  • Trusted contact exploitation: some services allow recovery through a “trusted contact” who can approve access. Choose these contacts carefully and review them periodically — a person you trusted with this access years ago may no longer be appropriate.

Passkeys — the gradual replacement for passwords

Passkeys are the emerging authentication method that replaces both the password and the second factor with a single cryptographic step. When you create a passkey for an account, your device generates a public-private key pair. The private key stays on your device secured by biometric authentication (Face ID, fingerprint); the public key goes to the service’s server.

Logging in with a passkey uses biometrics to unlock the private key, which cryptographically signs a challenge from the server — proving identity without sending a password or a one-time code. The result is authentication that is:

  • Phishing-resistant by design (the key pair is bound to the specific site’s origin)
  • Immune to credential stuffing (there’s no password to steal from breach databases)
  • More convenient than password + 2FA in practice (one biometric step replaces both)

Major services now supporting passkeys include Google, Apple, Microsoft, GitHub, PayPal, eBay, and an increasing number of password managers. When a service offers passkey setup, enabling it is worth doing. The practical transition from passwords to passkeys is gradual — most services still fall back to password + 2FA for devices or situations where passkeys aren’t available, and understanding both systems remains necessary throughout the transition period.

Online account security in 2026 is primarily about achieving consistency across accounts — consistent use of generated unique passwords, consistent 2FA where offered, consistent review habits for connected apps and active sessions. The accounts that most need attention are the ones that control other accounts (email, password manager) and the ones with direct financial exposure (banking, payment services). Everything else flows from those foundations being properly secured. See also macOS Security Settings for a related case.

Nikolas Lamprou

Nikolas Lamprou (MSc; GCFR, SC-200, Security+) has been working with computers professionally since 2009 — starting with web development and e-commerce, and moving into cybersecurity over the years. Based in Greece, he brings over 15 years of real-world IT experience to SolveTechToday, where he writes about Windows fixes, software reviews, security tools, and AI applications. His goal is straightforward: cut through the noise and give readers clear, honest guidance on the tech decisions that matter.

Stay Ahead

Fix your next problem before it starts

Get the week's best Windows fixes, software picks, and security guides delivered straight to your inbox. No noise, just solutions.

Press ESC to close · Try "Windows 11" or "Chrome"