Assuming, of course, you know which those are.
We often say it’s important to make sure your most important accounts are appropriately secure.
Great. Given that we all have dozens (if not hundreds) of online accounts these days, which qualify as most important? And what kind of security is secure enough?
Although there are no hard and fast answers to either question, I do have thoughts that may help you choose and act.
Securing important accounts
Prioritize accounts linked to finances, recovery, or identity verification: bank, email, and mobile phone accounts. Use a unique, strong password and two-factor authentication (2FA) on each, and set a PIN on your mobile carrier account. These accounts may be important in themselves, or they may be entry points to other accounts if compromised.
Important accounts
Two kinds of accounts qualify as most important.
- Accounts that allow you access to or control of your money.
- Accounts you might use to recover other accounts.
Let’s get specific about bank accounts, email accounts, and mobile phones.
Bank accounts
Your bank account is probably the most obvious on this entire list. As bank robber Willie Sutton supposedly explained when asked why he robbed banks: “Because that’s where the money is.”
That’s where your money is, and almost all online theft is related to money.
But it’s more than “a” bank account. All these accounts qualify as important.
- All bank accounts, since it’s not uncommon to have more than one.
- All investment accounts. These are typically separate from bank accounts.
- Credit card accounts. While these don’t store money, they’re used to get money.
There may be others, but “access to cash” is the common thread. That makes them important.
Email accounts
Email accounts are important, but often not for the reasons most people think of. Yes, you want to protect your sensitive and private communications with others, but there’s more.
Your email account is often the account associated with your bank accounts. If your email account is compromised, it can be a stepping stone to your bank accounts being compromised: a “forgot my password” reset for almost any service is delivered to that address, so whoever reads your mail can reset the password on any account registered to it. Any account associated with your email address is at risk, whether it’s important or not.
Email account compromise -> Bank (and other) account compromise
However, there’s another important email account that’s easily overlooked: your recovery account. Many email providers allow and encourage you to set up a second email account as an alternate or recovery address. If you have trouble logging into your normal or primary email account, you can use the alternate account to regain access.
Unfortunately, should that alternate email account be compromised, it’s another stepping stone.
Alternate email account compromise -> Primary email account compromise -> Bank account compromise
Mobile phone
Your mobile phone number and its associated online account are important for many of the same reasons your alternate email address is important: it’s often used to recover a primary account or for some other form of identity verification. Once again, it’s a set of stepping stones.
Mobile phone compromise -> Primary email account compromise -> Bank account compromise
In fact, there don’t even have to be that many steps. Banks often send one-time codes and password-reset links directly to your phone number for recovery and identity verification.
Mobile phone compromise -> Bank account compromise
Your mobile phone itself is critical as well. In many cases, you have apps installed for the very accounts we’ve listed above.
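The stepping-stone chains above are a dependency graph: an account is “important” in proportion to what an attacker can reach from it. The following is an added example (not code from the original article) that models a constructed set of accounts and recovery links, computes the fallout of a single compromise, and ranks the accounts accordingly. The account names and links are illustrative assumptions; substitute your own.

```python
# Added example (not from the original article): model "stepping stone"
# recovery chains as a directed graph and compute the blast radius of a
# single compromised account. Account names and links are constructed
# for illustration only.
from collections import deque

# Edge A -> B means: whoever controls A can take over B (A is B's recovery
# address, receives B's reset codes, or is trusted for B's verification).
RECOVERY_LINKS = {
    "alternate_email": ["primary_email"],
    "primary_email": ["bank", "brokerage", "shopping", "social"],
    "mobile_number": ["primary_email", "bank"],   # SMS reset codes
    "bank": [],
    "brokerage": [],
    "shopping": [],
    "social": [],
}


def blast_radius(graph, compromised):
    """Every account reachable from `compromised` (excluding itself):
    the set an attacker can take over by chaining recovery flows."""
    seen = set()
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return seen


def rank_accounts(graph, critical):
    """Rank accounts by how many critical (money) accounts fall with them,
    counting the account itself if it is a money account. This derives the
    article's "most important" list instead of guessing at it."""
    scores = {}
    for acct in graph:
        reach = blast_radius(graph, acct)
        scores[acct] = len(reach & set(critical)) + (1 if acct in critical else 0)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def attack_path(graph, start, target):
    """Shortest chain of takeovers from `start` to `target`, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    money = {"bank", "brokerage"}
    for acct, score in rank_accounts(RECOVERY_LINKS, money):
        print(f"{acct:16} exposes {score} money account(s); "
              f"fallout: {sorted(blast_radius(RECOVERY_LINKS, acct))}")
    print(" -> ".join(attack_path(RECOVERY_LINKS, "alternate_email", "bank")))
```

With this constructed graph the alternate email, the mobile number and the primary email all score as high as the bank itself, which is exactly the article’s point: the accounts that unlock your money deserve the same protection as the money accounts.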
Appropriate security
So now that we’ve identified what kinds of accounts are most important, what does it mean to have appropriate security for them? It involves passwords, two-factor authentication, and mobile phone PINs.
Passwords
To begin with, use a long, strong, and unique password for each account. Long and strong is obvious. Here’s an example: cpMPk3iYK4y4D4mNAb9s. That’s 20 completely random characters (and, now that it’s been published, one you should never actually use). I don’t use special characters unless required; 20 random letters and digits give roughly 119 bits of entropy, which is plenty.
Here, more than anywhere else, uniqueness matters.
- Your email account’s password should be used for your email account and nowhere else.
- Your bank account’s password should be used for your bank account, and nowhere else.
- And so on …
And if you’re about to complain that you can’t keep track of that many strong passwords, then you need a password vault. It’s more secure than any of the alternatives.
We all fudge a little when it comes to using a different password on every site. Even me. But when it comes to your most important accounts, you don’t want to fudge at all. Password reuse remains the number one way that password-based hacks succeed: a password leaked in one site’s breach is simply replayed against your bank and email (“credential stuffing”), and it works whenever the password is the same.
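An added example (not code from the original article) showing how a password like the sample above is generated properly, with the operating system’s cryptographic random source rather than a predictable generator, and how the entropy arithmetic behind “20 random characters is plenty” works out. The alphabets, the 100-bit policy floor and the helper names are my own choices for illustration.

```python
# Added example (not from the original article): generate random-character
# passwords with the OS CSPRNG and compute their entropy so the article's
# "20 random characters is plenty" claim can be checked with numbers.
# Alphabets and the policy threshold below are illustrative assumptions.
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits       # 62 symbols
WITH_SYMBOLS = ALPHANUMERIC + string.punctuation          # 94 symbols


def entropy_bits(length, alphabet):
    """Entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(set(alphabet)))


def generate_password(length=20, alphabet=ALPHANUMERIC):
    """Uniformly random password drawn with `secrets` (CSPRNG).
    Never use the `random` module for this; its output is predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def length_for_bits(target_bits, alphabet):
    """Smallest length that reaches target_bits of entropy for this alphabet."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


def meets_policy(password, alphabet, min_bits=100):
    """True if `password` uses only `alphabet` and carries at least min_bits
    of entropy. The estimate only holds for passwords that were generated
    uniformly at random; a human-chosen string of the same length is weaker."""
    if any(ch not in alphabet for ch in password):
        return False
    return entropy_bits(len(password), alphabet) >= min_bits


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), ALPHANUMERIC):.1f} bits")
    # 20 alphanumeric characters beat 16 characters drawn from the full
    # printable set: length buys more than special characters do.
    print(f"20 alphanumeric : {entropy_bits(20, ALPHANUMERIC):.1f} bits")
    print(f"16 with symbols : {entropy_bits(16, WITH_SYMBOLS):.1f} bits")
    print("alphanumeric chars needed for 128 bits:", length_for_bits(128, ALPHANUMERIC))
```

The comparison in the main block is the practical takeaway: adding a few characters of length raises entropy faster than widening the alphabet, so skipping special characters costs nothing if you make the password a little longer.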
Two-factor authentication
Enable two-factor authentication (2FA) on every important account that supports it.
This way, even if your password is somehow compromised, your account remains secure. Without your second factor, the hacker can’t get in.
I often get push-back about the various types of 2FA because some technically provide greater protection than others. At this level, I don’t care which one you use. Any 2FA is safer than not having 2FA at all. Only if your accounts are particularly valuable targets for nation-state-level hackers do you need to consider which might be most appropriate. Otherwise, use the one you’re most comfortable with. One caveat worth knowing: SMS codes are the type defeated by the SIM-swap attack described under Mobile PIN below, which is why that PIN matters if text messages are your second factor.
Mobile PIN
I’m not talking about the unlock PIN on your mobile device (though that is certainly important, along with biometric ID if supported).
This is about contacting your mobile provider and seeing if they will allow you to establish a PIN or passcode that must be given before any change to your account, including moving your number to a new SIM or to another carrier. This prevents most SIM swapping (theft of your phone number), because social engineering attacks against mobile providers fail when the PIN can’t be presented.
What’s a social engineering attack? Say someone could convince a customer service representative at your mobile provider that they’re you, that “you” have a new phone, and that your phone number should be moved to that new phone. The result is that all the text messages sent to your number, including one-time codes and password-reset links, would now go to the hacker’s phone. If the company had to ask for the PIN, the hacker wouldn’t have it, and the hack would fail.
Do this
All accounts matter, but we also know not all accounts are created equal. Some matter more than others. You must maintain the highest level of security on all of your most important accounts to prevent problems.
It might seem like a bit of work, but trust me, it’s much less work than trying to recover after a compromise.
I’d include PayPal, Google Wallet, Apple Pay, etc. as financial institutions. They are essentially banks.
In some cases, social media accounts can be classified as important accounts, as that is often your only line of communication with some people.
I don’t use my phone for any bank or credit card accounts. I use financial accounts only from my computer. I would prefer to use a VPN but not all financial institutions allow connection from a VPN. I do not keep passwords for important accounts in my password manager. I keep them in a text file encrypted by 7-zip which itself is encrypted again with a separate application. Both encryptions use random long passwords that were memorized long ago through muscle memory. They are written down for the executor of my estate on a paper kept in my safe deposit box. Both my phone and debit card use 8-digit PIN numbers rather than 4 digits. I do not use biometric ID on my phone because you can be legally forced to provide a fingerprint to open your phone. Within the US you cannot be forced to divulge a PIN number to open your phone, although if you refuse at the border you may have to forfeit your phone for examination.
If a bank or any website is doing security correctly, it’s better than a VPN: The data is encrypted as it leaves your computer or device and decrypted on the other end and vice versa.
And a well-designed password manager is just as secure as, if not more secure than, the hoops you’re jumping through with zip files.
I discovered by accident a couple of weeks ago that [my mobile phone carrier] has a unique 2FA verification that I hadn’t seen before. On my computer, I was attempting to log into my account on the [my mobile phone carrier] web page and the 2FA page came up as expected. OK, got my phone but the [my mobile phone carrier] web page had no way to enter the code they sent to my phone – just the never ending spinning arrow waiting for something to happen. Hmmm. OK maybe their web page is slow today, so I tried it again. Still no luck. I go back to my phone and actually read the short 2FA text message they sent me. Oh! You have to tap on the link they send in the 2FA text message and that got me into my account; no numbers to enter on the computer. Tap the link in the text message and I suddenly had access to my account on my computer. This is the first I had seen of this type of 2FA.
I’ve seen that on a few websites. It’s not all that uncommon.