Your email account is the master key to your digital life. Reset links for every other account — banking, social media, work tools — flow through it. Securing it properly is the single most impactful thing you can do for your online safety.
Why email is the #1 target
When attackers compromise an email account, they don't just read your messages. They click "Forgot password" on every service you use — bank, PayPal, Amazon, social media — and reset those passwords too. One compromised email cascades into a full account takeover within minutes.
Email accounts are also targeted specifically because many people reuse passwords, and email addresses are publicly known (you hand them out constantly). Combine a known username with a reused password from a breach database, and attackers get in without any technical skill at all.
⚠️ Check yourself now: Go to haveibeenpwned.com and enter your email address. If it appears in any breach, your password for that service was exposed — and if you reused it on your email account, change your email password immediately.
Step 1 — Use a strong unique password
Your email password should be at least 16 characters, randomly generated, and used nowhere else. If you have been using the same password for years or across multiple sites, change it today. Use our generator to create one, and store it in a password manager.
Step 2 — Enable two-factor authentication
2FA is non-negotiable for email. Even if your password is stolen via phishing or a breach, the attacker cannot log in without your second factor. Priority order for 2FA methods:
- Hardware security key (YubiKey) — best, phishing-proof
- Authenticator app (Google Authenticator, Authy) — strong
- SMS codes — better than nothing, but vulnerable to SIM-swap
Step 3 — Review account recovery options
Check what recovery options are set on your account. Recovery phone numbers and backup email addresses are additional attack surfaces. Make sure your recovery email is also secured with a strong password and 2FA. Remove any recovery options you no longer control (old phone numbers, old email addresses).
Step 4 — Audit connected apps
Go to your email provider's security settings and review which third-party apps have access to your account. Revoke access to any apps you no longer use or don't recognise. Each connected app is a potential way in for attackers if that app is compromised.
Step 5 — Watch for suspicious activity
Most email providers show recent login activity — IP addresses, devices, locations. Check this regularly. If you see a login from an unfamiliar location or device, change your password and check your recovery options immediately.
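To make the "unfamiliar location or device" check concrete, here is an added example (not code from any email provider) that scans a recent-activity list against the devices and locations you know are yours. The pipe-separated record format, the IP addresses and the device names are constructed for illustration; adapt the parser to whatever your provider's activity page or export actually shows.

```python
"""Flag unfamiliar sign-ins in a recent-activity list.

Added example. The 'time | ip | device | location' record format below is a
constructed sample, not any real provider's export format.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    when: datetime
    ip: str
    device: str
    location: str


def parse_activity(text: str) -> list[SignIn]:
    """Parse 'ISO-time | ip | device | location' lines (constructed format)."""
    rows = []
    for line in text.strip().splitlines():
        when, ip, device, location = [f.strip() for f in line.split("|")]
        rows.append(SignIn(datetime.fromisoformat(when), ip, device, location))
    return rows


def flag_unfamiliar(events, known_devices, known_locations):
    """Return (event, reasons) for sign-ins whose device or location is not on
    the trusted lists. A new device AND a new location together is the
    strongest signal that someone else has your password."""
    findings = []
    for e in events:
        reasons = []
        if e.device not in known_devices:
            reasons.append("new device")
        if e.location not in known_locations:
            reasons.append("new location")
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed sample: two sign-ins from the owner's own devices, then one
# overnight sign-in from a device and city the owner has never used.
SAMPLE_ACTIVITY = """
2024-05-01T08:02:00 | 203.0.113.10 | Chrome on Windows | Manchester, UK
2024-05-01T19:40:00 | 203.0.113.10 | Mail app on iPhone | Manchester, UK
2024-05-02T03:15:00 | 198.51.100.7 | Firefox on Linux | Lagos, NG
"""
KNOWN_DEVICES = {"Chrome on Windows", "Mail app on iPhone"}
KNOWN_LOCATIONS = {"Manchester, UK"}

if __name__ == "__main__":
    for ev, why in flag_unfamiliar(parse_activity(SAMPLE_ACTIVITY), KNOWN_DEVICES, KNOWN_LOCATIONS):
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.ip} {ev.device} ({ev.location}): {', '.join(why)}")
```

Any flagged entry is the cue to act on the advice above: change the password and re-check recovery options straight away rather than waiting to see whether it recurs.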
✅ Five-minute action plan: Change to a unique random password → enable authenticator app 2FA → check haveibeenpwned.com → review connected apps → bookmark your provider's recent activity page.