A checklist for your digital health. Need more details? Check out the Reading List. We’ve marked the things you can do with a checkbox:

Passwords

  • The longer the better. “Special” characters are not as important as length.
  • Use a phrase of four or more unrelated words.
  • If you start to enter your four words into Google.com and it autocompletes for you, those are not sufficiently random/unrelated. Use a phrase generator.
  • Use a different password for every account. Yes, it’s painful, so…
  • Use a password manager, like 1Password or LastPass.
  • Don’t use real answers for “security questions” (e.g. your brother’s name). Knowledge-based verification can be hacked. Instead, use your password manager to create and remember random phrases.
  • Don’t share social media account passwords. Use your own account and delegate authorization (e.g. Tweetdeck or Hootsuite).

Multi-factor authentication

  • Sometimes referred to as two-factor authentication. Abbreviated as MFA or 2FA.
  • Not the same thing as two-step authentication. Prefer true multi-factor if you have the choice.
  • Something you know, something you have, something you are. Example: ATM card (have) + PIN (know).
  • Biometric = something you are. Be wary of this (fingerprints, facial recognition).
  • “Something you have” can vary. In order of good, better, best:
    • SMS one-time password (OTP) sent to your phone (2-step) (SMS is vulnerable)
    • TOTP (time-based one-time password) app (2-factor)
    • Paper list of one-time recovery codes. (2-factor)
    • U2F Universal 2nd Factor, hardware security key (2-factor)
  • Set it up everywhere it is offered: Facebook, Google, Twitter, Slack, NGP/VAN (ActionID), your bank - see comprehensive list.
  • Print out a sheet of backup recovery codes and keep that paper in a safe place. Treat it like your birth certificate or your car title.
  • If your email account does not offer 2FA, change your email provider. Really.

Phone

  • Run all software updates.
  • Use a PIN of at least 6 characters to secure your phone. If your phone offers biometric (fingerprint) unlock, consider using a longer complex passcode (8+ characters) and the biometric for convenience.
  • Autolock the screen after 2 minutes (or less) of inactivity.
  • Install a 2FA TOTP app like Duo or Authy. 1Password also has integrated 2FA.
  • Set up a customer account passcode with your mobile phone company. This helps them verify you when you speak with them or log in to your account online.

Computer

  • Run all software updates.
  • Turn on full-disk encryption.
  • Make sure your screen locks when it sleeps or after two minutes (or less) of inactivity.
  • Use an account password at least 10 characters long. Best is four or more unrelated words.


Phishing

  • Getting a fraudulent email does not mean an account has been hacked.
  • MFA/2FA and a password manager are really important preventions.
  • Be alert. If an email looks a little “off”, pick up the phone and verify the sender. Do not reply to the email or click on any links. Verify it out of band (by voice or text message) before trusting the sender.
  • Follow your incident response plan. Don’t have any? Time to write one.
  • If you use Gmail, you can report an email as Phishing using the same menu you use to Reply or Forward.

Incident Response Plan