Online Security Checklist: Protect Every Account
Security is not a single action. It is a set of habits applied across every account and device you use. This checklist provides a prioritized, actionable list that scales from the most critical protections (which everyone should implement) to advanced measures (for users with elevated security needs).
Work through the sections in order. Each tier builds on the previous one.
Tier 1: Critical (Implement Today)
These steps address the vulnerabilities that account for the majority of successful attacks.
Passwords
- Install a password manager (1Password, Bitwarden, or NordPass)
- Generate unique passwords for email, banking, and financial accounts (16+ characters)
- Replace reused passwords starting with the most sensitive accounts
- Create a strong master passphrase (5–7 random unrelated words)
- Store a written backup of your master password in a secure physical location
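The two length figures above (16+ characters, 5–7 words) can be compared directly as entropy. The following is an added example, not part of the original checklist: it generates both kinds of secret with a cryptographic random source and reports their strength in bits. `DEMO_WORDS` is a constructed stand-in for a real 7776-word dice-style list, and the 2048-word minimum is an assumption of this example.

```python
import math
import secrets
import string

MIN_WORDLIST = 2048  # assumption of this example: refuse lists smaller than 2^11 words
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def entropy_bits(choices, picks):
    """Bits of entropy for `picks` independent, uniform draws from `choices` options."""
    return picks * math.log2(choices)

def make_passphrase(wordlist, words=6, sep="-"):
    """Return (passphrase, entropy_bits) using a CSPRNG, never random.choice()."""
    unique = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if words < 5:
        raise ValueError("use at least 5 words for a master passphrase")
    if len(unique) < MIN_WORDLIST:
        raise ValueError(f"wordlist has only {len(unique)} unique words")
    phrase = sep.join(secrets.choice(unique) for _ in range(words))
    return phrase, entropy_bits(len(unique), words)

def make_password(length=20):
    """Return (password, entropy_bits) for a random per-site password."""
    if length < 16:
        raise ValueError("checklist minimum is 16 characters")
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return password, entropy_bits(len(ALPHABET), length)

# Constructed stand-in for a real dice-style list of 6^5 = 7776 words.
DEMO_WORDS = [f"word{i:04d}" for i in range(7776)]

if __name__ == "__main__":
    for n in (5, 6, 7):
        phrase, bits = make_passphrase(DEMO_WORDS, words=n)
        print(f"{n} words: {bits:5.1f} bits  e.g. {phrase}")
    pw, bits = make_password(16)
    print(f"16 chars: {bits:5.1f} bits  e.g. {pw}")
```

The entropy figures hold only when every word or character is chosen uniformly at random; a phrase picked by a person from memory is far weaker than the same number of words drawn this way.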
Multi-Factor Authentication
- Enable MFA on your primary email account (it is the recovery path for your other accounts)
- Enable MFA on all banking and financial accounts
- Enable MFA on your password manager itself
- Use FIDO2 security keys or passkeys where supported; app-based TOTP otherwise
- Avoid SMS-based MFA when better options are available (SIM swapping vulnerability)
Email Security
- Check haveibeenpwned.com for your email addresses
- Change passwords for any services appearing in breach results
- Enable login notifications on your email account
- Review and revoke unauthorized app connections in email settings
- Check forwarding rules for unauthorized email forwarding
Credit Protection
- Freeze credit at all three bureaus: Equifax, Experian, TransUnion (free)
- Review your credit report at AnnualCreditReport.com
- Set a calendar reminder to check credit reports quarterly
Tier 2: Important (Complete This Week)
Device Security
- Enable automatic updates for your operating system
- Enable automatic updates for your web browser
- Install antivirus software (or verify Windows Defender is active and updated)
- Enable full disk encryption (BitLocker on Windows, FileVault on Mac)
- Set a device lock PIN/password on all phones and tablets
- Enable Find My Device / Find My iPhone for device location and remote wipe
Browser Security
- Install a reputable ad blocker (uBlock Origin)
- Remove browser extensions you do not actively use
- Disable third-party cookies in browser settings
- Enable HTTPS-Only mode in your browser
- Clear browser autofill data (migrate to password manager instead)
Network Security
- Change your home WiFi password from the default
- Change your router admin password from the default
- Enable WPA3 encryption on your router (WPA2 minimum)
- Update router firmware to the latest version
- Use a VPN on all public WiFi networks
- Consider a separate guest network for IoT devices
Financial Accounts
- Enable transaction notifications on all credit and debit cards
- Review recent transactions for unfamiliar charges
- Set up account alerts for large transactions, international transactions, and new payees
- Enable MFA on investment and retirement accounts
Tier 3: Enhanced (Complete This Month)
Social Media
- Review privacy settings on all social media platforms
- Restrict profile visibility to connections only (not public)
- Remove personal details that answer common security questions (birthdate, pet names, school names)
- Review and revoke third-party app connections
- Enable login alerts and review active sessions
Phone Security
- Set a PIN or passphrase with your mobile carrier to prevent SIM swapping
- Review app permissions (camera, microphone, location, contacts) and revoke unnecessary access
- Disable WiFi auto-join for unknown networks
- Enable automatic app updates
- Review and remove apps you no longer use
Data Privacy
- Opt out of major data brokers (Spokeo, Whitepages, BeenVerified)
- Use email aliases for new account signups (Proton Pass, SimpleLogin)
- Sign up for USPS Informed Delivery to monitor physical mail
- Use a privacy-focused search engine for sensitive queries (DuckDuckGo)
- Review Google Account activity and privacy settings (myaccount.google.com)
Backup
- Implement the 3-2-1 backup rule: 3 copies, 2 media types, 1 offsite
- Set up automatic cloud backup for critical files
- Store a local backup on an external drive (encrypted)
- Test that your backups actually work by restoring a file
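One way to carry out the restore test above on more than a single file, shown as an added example that is not part of the original checklist: hash every file in the live folder and in the restored copy, then report what is missing, altered, or unexpected. The folder and file names in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify_restore(source_dir, restored_dir):
    """Compare a restored tree against the live data it was backed up from."""
    src, dst = manifest(source_dir), manifest(restored_dir)
    return {
        "missing": sorted(src.keys() - dst.keys()),
        "corrupt": sorted(k for k in src.keys() & dst.keys() if src[k] != dst[k]),
        "extra": sorted(dst.keys() - src.keys()),
    }

def demo():
    """Constructed sample: one file restored intact, one truncated, one absent."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "documents"), Path(tmp, "restored")
        (src / "taxes").mkdir(parents=True)
        dst.mkdir()
        (src / "passwords-export.kdbx").write_bytes(b"vault" * 100)
        (src / "taxes" / "2025.pdf").write_bytes(b"%PDF" + b"x" * 500)
        (src / "notes.txt").write_text("recovery codes are in the safe\n")
        (dst / "passwords-export.kdbx").write_bytes(b"vault" * 100)
        (dst / "notes.txt").write_text("recovery codes are")  # truncated copy
        return verify_restore(src, dst)

if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths or 'none'}")
    print("RESTORE OK" if not (report["missing"] or report["corrupt"]) else "RESTORE FAILED")
```

Files edited after the backup ran will also show up as "corrupt", so run the comparison right after a backup or against files you know have not changed.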
Tier 4: Advanced (For Elevated Threat Models)
Communication
- Use end-to-end encrypted messaging (Signal) for sensitive conversations
- Use encrypted email (ProtonMail) for sensitive correspondence
- Disable read receipts and typing indicators on messaging apps
- Consider a hardware security key (YubiKey) for all critical accounts
Identity Protection
- File an IRS Identity Protection PIN (irs.gov/ippin)
- Consider an identity theft protection service (Aura, LifeLock)
- Place a fraud alert with credit bureaus (in addition to freeze)
- Register with the USPS Mail Hold service when traveling
- See our complete Identity Theft Protection Guide
Physical Security
- Use a webcam cover or disable the webcam when not in use
- Do not charge devices using unknown USB ports (use a charge-only cable or power adapter)
- Shred documents containing personal information before disposal
- Secure your home router in a location not accessible to visitors
Ongoing Maintenance Schedule
| Task | Frequency |
|---|---|
| Review credit report | Quarterly |
| Check haveibeenpwned.com | Quarterly |
| Review bank/credit card statements | Monthly |
| Update passwords for any breached services | As needed (immediately) |
| Update operating system and browser | When updates are available (automatic preferred) |
| Review social media privacy settings | Biannually |
| Audit app permissions on phone | Biannually |
| Test backup restoration | Annually |
| Review authorized devices on key accounts | Annually |
| Update emergency contacts and recovery options | Annually |
Priority Sequence for Beginners
If you are starting from scratch, this is the order that provides the most security per minute invested:
1. Install a password manager and change your email password (15 minutes)
2. Enable MFA on your email account (5 minutes)
3. Freeze credit at all three bureaus (15 minutes)
4. Change banking passwords to unique ones via the manager (10 minutes)
5. Enable MFA on banking accounts (10 minutes)
These five steps, totaling under an hour, address the vulnerabilities responsible for the vast majority of successful attacks. Everything else builds on this foundation.
Deepen your defense with our Phishing Protection Guide 2026 and test your current passwords with the Password Strength Guide. For the full 50-question breakdown of cybersecurity topics, see our Cybersecurity FAQ.
Key Takeaways
- A password manager plus MFA on email and banking provides the highest-impact security improvement for the least effort
- Credit freezes are free and prevent the most damaging form of identity theft
- Security is not a one-time event — maintain the ongoing schedule for continuous protection
- Work through the tiers in order; Tier 1 provides dramatically more protection than Tier 4 for most people
- The complete checklist takes 2 to 3 hours but protects against the vast majority of common attacks
This checklist reflects cybersecurity best practices as of early 2026. Security recommendations evolve as threats change. Review and update your security posture at least quarterly.