Online security is a journey. We’ve all picked up bad habits over years of bad password advice. Thanks to that advice, most of our passwords are easy to crack. And even if your password isn’t cracked, it could be one of the billions leaked in a data breach each year. Once your password is out there, it’s easy for hackers to find other sites where you’re probably using that same password.

To make matters worse, most people reuse their passwords across multiple accounts. Once an email and password are leaked on one site, hackers get to work checking that combo on other sites. They can pretty quickly get into any and every account where you’ve reused that password.

So where do we start? After all, you probably have dozens of online accounts, maybe even hundreds. A quick look at my password manager (I’ll talk more about password managers in a future post) shows that I have about 600 passwords. That might sound crazy, but I bet you have more accounts than you think. Changing them all is a daunting task. Luckily, we don’t need to change them all at once. We may never need to change all of them.

Security Prioritization

The first thing to do is think about which accounts matter most. At the very top of that list is your primary email account.

You may be thinking: “Wait, what? Email? Why not my bank accounts?” Yup, your bank account is important, but your email account is actually more important. That’s because your email account is the master key to all your other accounts. If someone gets into your email, they can change the password for all your other accounts, including your bank.

Even worse, they can completely take over your digital life. After changing your bank password, they can change your Facebook password. Then they can pretend to be you and start trying to scam your friends and family. They can change your shipping address on Amazon and then start sending themselves packages, paid for with your saved credit card. They can update the contact number on your credit card account so that, when the company calls to ask about fraudulent charges, they answer the phone. Your email isn’t just email. It’s the key to your entire digital life.

One Thing to Do Right Now

So, if you want to do one thing to make yourself more secure, change your primary email password. Changing that one single account to a new password that you’ve never used before is a HUGE step toward online security. You will have closed off a gaping hole in your internet security.

But what to change it to? I already mentioned that most of the password advice out there is bad. (I’ll talk more about why in a future post.) The thing that actually works is to use a passphrase. Just pick four random words. You don’t need a mix of capital and lowercase letters. You don’t need numbers. You don’t need special characters. You just need four random words.

You can use a random word generator. You can open up your dictionary, if you still have one, and poke a random spot on a random page. You can even use dice. Whatever. Just get yourself four random words. That creates a difficult-to-crack but easy-to-remember password. I’ll get into the details of why in a future post, but just trust me for now.
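As an added example (not from the original post), here is how the dice method works in code: five rolls of a six-sided die pick one entry from a 7776-word list, repeated four times. The short word list is a constructed stand-in; the entropy figure assumes the full 7776-entry list, and the randomness comes from Python's `secrets` module rather than an ordinary random number generator.

```python
import math
import secrets

# Constructed stand-in word list (assumption): a real dice word list has
# 6**5 == 7776 entries, one per five-dice outcome. Only a few are embedded
# here so the block runs offline; the entropy maths uses the full-size figure.
SAMPLE_WORDS = [
    "apple", "cabin", "delta", "frost", "gravel", "hollow",
    "ivory", "jungle", "kettle", "lumber", "marble", "nickel",
]
DICE_LIST_SIZE = 6 ** 5  # 7776 words, one per five-dice roll


def roll_dice(n=5):
    """Roll n fair six-sided dice using a cryptographically secure RNG."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def dice_to_index(rolls):
    """Map die faces (1..6) to a zero-based word-list index, base-6 style.

    11111 -> 0 and 66666 -> 7775, so every five-dice outcome hits exactly
    one word and every word is equally likely.
    """
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError(f"bad die face: {face}")
        index = index * 6 + (face - 1)
    return index


def passphrase(words, count=4):
    """Pick `count` words uniformly at random (repeats allowed) and join them."""
    return " ".join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count=4):
    """Bits of entropy in `count` uniformly chosen words from a `list_size` list.

    Four words from 7776 give about 51.7 bits, which is why no digits or
    symbols are needed: the strength comes from the random choice, not the
    characters.
    """
    return count * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS))
    print(f"{passphrase_entropy_bits(DICE_LIST_SIZE):.1f} bits for 4 words")
```

Note that the words must come from the dice or the generator, not from your own head: a word you "just thought of" is far more predictable than one chosen uniformly from the list.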

Now that you have four random words, write them down. Yup, write them down. Conventional wisdom says never write down a password. But that’s part of the bad advice. The biggest threat to your account security is online. It’s not someone finding a random scrap of paper in your home. So just write it down. Once you’re sure you’ve memorized it, you can throw it away, burn it, swallow it, whatever makes you feel comfortable.

Now go change that password!

Next Up

It’s time to start prioritizing other passwords. There are a host of things to consider here, and I’ll get into that in a future post. But if you’d like to start thinking about it now, here are a few quick considerations, in no particular order:

  • Financial risk. How likely are you to lose money if someone gets into that account?
  • Identity theft. Could someone use the account to steal your identity?
  • Social engineering. If someone gets into an account, how likely are they to use that account to manipulate your friends and family?

If you want, you can go ahead and create passphrases for some of those. Just don’t reuse your email password. Maybe choose the scariest few. Create a new, unique passphrase for each one. Write them down and stop when you’re feeling comfortable.

Or not. Stop with your email for now. You’re probably already realizing that you’re going to need some way to manage all these unique passwords that I’m suggesting you create. That seems like a good topic for next time.