Online Account Management


Core Idea

Managing your online accounts means more than remembering passwords — it involves enabling two-factor authentication (2FA), reviewing connected apps and third-party access, monitoring for breach notifications, and periodically auditing and deleting accounts you no longer use. Two-factor authentication dramatically reduces account compromise risk by requiring a second proof of identity (a code sent to your phone or generated by an app) in addition to a password.

How It's Best Learned

Enable two-factor authentication on your most important accounts (email, banking, social media). Use a service like HaveIBeenPwned to check if your email has appeared in known data breaches.

Explainer

From your work on password security, you know that a strong, unique password is the foundation of account protection. But a password alone is a single lock on a door — if someone gets the key, they're in. Two-factor authentication (2FA) adds a second lock that requires something you *have* (your phone) in addition to something you *know* (your password). Even if an attacker steals or guesses your password, they still can't access your account without that second factor. This is why enabling 2FA on your email account matters most: email is the master key to every other account, since password resets go there.

Not all 2FA is equal, and understanding the difference is practical knowledge. SMS-based 2FA sends a code to your phone number — convenient, but vulnerable to SIM swap attacks where an attacker convinces your carrier to transfer your number to their device. Authenticator apps (like Google Authenticator or Authy) generate time-based codes locally on your device, requiring physical access to your phone — significantly more secure. Hardware security keys are the strongest option, requiring a physical device you plug in. For most people, an authenticator app strikes the right balance of security and convenience.

Connected apps and third-party access are an often-overlooked attack surface. Every time you click "Sign in with Google" or grant an app access to your account, you create a connection that stays in place until you revoke it. That app can retain access even after you stop using it. A compromised third-party app becomes a backdoor into your account. Periodically review which apps have access to your Google, Apple, Facebook, or email accounts — and revoke anything you don't recognize or no longer use.

Breach monitoring closes the feedback loop. Data breaches are common, and your email and password combinations from one breach are often tested against other services in what's called a credential-stuffing attack. Services like HaveIBeenPwned let you check whether your email has appeared in known breaches. If it has, change the password for any account that used that combination. This is also why your password security work — using unique passwords per account — matters so much: a breach at one site shouldn't compromise everything else.

Finally, treat old accounts the way you'd treat old copies of your house key: revoke them. An account you created in 2010 and never think about still holds personal data and a valid password. If that site gets breached, attackers now have credentials they can test across the web. Good account hygiene means periodically searching for and deleting dormant accounts, updating passwords on any active account you haven't touched in years, and treating your digital identity as something to actively manage — not just set up once and forget.
