TIP: How to secure your online accounts properly in 2026 - the minimum you should be doing that most people are not

Started by Ellie22, May 22, 2026, 07:05 AM


Ellie22

Basic online security in 2026 is not complicated but most people are doing less than the minimum. Here is the floor, not the ceiling.

Password manager: every account gets a unique long random password. Bitwarden is free and excellent. LastPass had breach problems. Use Bitwarden or 1Password.

Two-factor authentication on everything that matters: email, banking, social media, your password manager itself. Authenticator app (Google Authenticator, Authy, or Bitwarden's built-in authenticator) is better than SMS. SMS 2FA can be SIM-swapped.

Check haveibeenpwned.com to see if your email has appeared in known data breaches. If it has, change passwords for those services immediately.

Separate email address for important accounts versus throwaway signups. Your banking email should not be the same address you used to sign up for a forum in 2009.

Review app permissions on your phone twice a year. Revoke location, microphone, and camera access from apps that do not need it.

Enable login notifications on important accounts so you know immediately if someone accesses your account from a new device.
My team is always one signing away

Delulu

The separate email for important accounts is the advice I wish I had followed from the start. My main email is in dozens of breaches because I used it for everything.
VAR can do one

Panda54

Passkeys are worth mentioning as the 2026 addition to this list. Where services offer passkey login it is more secure than password plus 2FA and simpler to use. Enable it wherever it is available.
All original content unless stated

Megan95

The haveibeenpwned check is something I do with everyone I help with security. The look on their face when they see 8 breaches including passwords is the most effective security awareness training available.

ParallelSelf34

SMS 2FA is better than nothing but the SIM swap attack is real and has been used against regular people, not just celebrities. Authenticator app 2FA is not much more inconvenient and is significantly more secure.

KnotKnull

The app permission review twice a year is good advice but most people need a reminder. Set a calendar reminder for January and July and it actually gets done.

Amy96

Bitwarden's emergency access feature is worth setting up. You designate a trusted person who can access your vault after a waiting period. Solves the problem of what happens to your accounts if something happens to you.

Cobalt Pilgrim

For the password manager: the master password is the one password you have to remember and it needs to be long. A passphrase of four to five random words is both more secure and more memorable than a complex short password.
I'm not always right, but I'm never wrong ;)

Bussin99

Login notifications are underused and incredibly useful. I caught an unauthorised login attempt on an old Google account from a country I have never visited because of login notifications.
Somewhere between inspired and overwhelmed

Sinead_47

The minimum is genuinely the minimum. Anyone who handles work email, financial accounts, or sensitive data should go further and consider a hardware security key like a YubiKey for the most important accounts.
I'm not always right, but I'm never wrong ;)