What you'll accomplish
- Create strong, unique passwords for every account
- Set up two-factor authentication (2FA)
- Spot and avoid phishing emails
- Keep your software and browser updated
- Use a password manager
Using the same password across multiple sites is the single biggest security mistake people make. If one site gets hacked, every account with that password is compromised.
A strong password is:
- At least 12 characters long
- A mix of uppercase, lowercase, numbers, and symbols
- Different for every account โ never reuse passwords
- Not your name, birthday, or anything easy to guess
๐ก
Tip: A passphrase is easier to remember and just as secure. Try something like Purple!Horse9Running โ long, random, and memorable.
Nobody can remember dozens of unique passwords โ that's what password managers are for. They store all your passwords securely and fill them in automatically.
- Download a free password manager โ Bitwarden (bitwarden.com) is excellent and free
- Create an account with one very strong master password
- Install the browser extension so it fills in passwords automatically
- As you log into sites, let it save each password
- Gradually update old weak passwords to strong generated ones
๐ธ
Screenshot: Bitwarden browser extension filling in a password
โ ๏ธ
Important: Your master password is the one password you must never forget and never write down digitally. Write it on paper and store it somewhere safe at home.
Two-factor authentication means that even if someone gets your password, they still can't log into your account without a second code from your phone. Turn this on for every important account.
- Start with your most important accounts: email, banking, and social media
- Go to your account's Security Settings
- Look for "Two-Factor Authentication", "2FA", or "Two-Step Verification"
- Choose Authenticator App as the method (more secure than SMS)
- Download Google Authenticator or Authy on your phone
- Scan the QR code shown on screen with the app
- Enter the 6-digit code to confirm it's working
๐ธ
Screenshot: Two-factor authentication setup page showing QR code
๐ก
Tip: Save your backup codes when 2FA is set up. These let you get back into your account if you lose your phone. Store them somewhere safe.
Phishing emails pretend to be from legitimate companies to trick you into giving up your password or clicking a malicious link. Here's how to spot them:
- Check the sender's email address โ not just the display name. A real email from Amazon comes from @amazon.com, not @amazon-support.net
- Look for urgency โ "Your account will be closed in 24 hours!" is a classic phishing tactic
- Hover over links before clicking โ the real URL shows at the bottom of your browser. If it doesn't match the company's real website, don't click
- Watch for spelling mistakes โ legitimate companies proofread their emails
- When in doubt, go directly to the website โ don't click the email link, type the address yourself
๐ธ
Screenshot: Example phishing email with suspicious sender address highlighted
โ ๏ธ
Remember: Your bank, Microsoft, Apple, and the CRA will never ask for your password by email. Ever. If you receive such an email, delete it.
Most successful attacks exploit known security holes that have already been patched in updates. Keeping your software up to date is one of the most effective things you can do.
- Windows: Settings โ Windows Update โ Check for updates (weekly)
- Browser: Chrome/Firefox update automatically โ make sure you're restarting them regularly to apply updates
- Apps: Check the Microsoft Store or individual app stores for updates monthly
- Turn on automatic updates wherever possible so you don't have to remember
๐ธ
Screenshot: Windows Update showing all updates installed