Gene's Field Notes

Web Account Security Hygiene: What I Actually Do (2026 Update)

A 90-minute audit of your web account security: password manager setup, MFA hierarchy, third-party app permissions, and closing accounts you no longer use.

Gene Wright · November 1, 2022 · 7 min read

A family member forwarded me a breach notification letter earlier this year. MedStar Health, 60 days after discovery, offering 12 months of free credit monitoring. I wrote about that experience. But it also prompted me to do something I hadn't done in a while: a full audit of my own web account security.

I first wrote this post in 2022. I'm updating it now because the threat landscape has changed in ways that make the original advice feel incomplete. Generative AI has made phishing attacks nearly indistinguishable from legitimate email. The old heuristic of "look for typos and weird formatting" no longer holds. The hygiene fundamentals are the same, but the urgency is higher.

This is what that looks like in practice. Not a list of things you should theoretically do someday, but a concrete 90-minute exercise you can run this week.


The Threat Model Most People Get Wrong

Picture the attacker. Hoodie. Dark room. Energy drinks. Fingers flying across a keyboard while strings of green text scroll past on a monitor. Is this the person trying to guess your password?

No, that person does not exist. Or at least, they are not the one targeting your accounts.

What does the person actually trying to get into your accounts look like? Nobody. There is no person. A script is running against a spreadsheet. Attackers buy leaked username and password pairs from breach dumps for fractions of a cent each, feed them into automated tools, and walk away. The script tests your credentials across thousands of sites while the attacker sleeps. No guessing. No targeting. Just your old reused password from a 2019 breach quietly unlocking your accounts one by one.

Have I Been Pwned now indexes over 17 billion compromised credentials available for exactly this purpose. In 2026, those stuffing campaigns are paired with AI-generated phishing that reads like a legitimate email from your bank or employer. The grammar is perfect. The tone matches. There are no typos to catch. 83% of phishing emails are now AI-generated (KnowBe4, 2025).

If you have reused a password from any breach in the last decade, your other accounts are already at risk. That reframe changes the entire defensive posture.
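The credential-stuffing point above can be checked from the defender's side: the Have I Been Pwned range API lets you ask whether a password is in the breach corpus without ever sending the password. What follows is an added example, not code from this post; it sends only the first five hex characters of the SHA-1 hash and matches the remaining 35 locally. The `SAMPLE_RANGES` response is constructed for offline use (only the first suffix is the real tail of SHA-1("password"); the counts and the second suffix are made up), and `fetch_range_live` is the assumed shape of a real query.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response; NOT real HIBP data.
# Each line is "<35 hex chars of SHA-1 suffix>:<breach count>". The first
# suffix really is the tail of SHA-1("password"); everything else is made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    ),
}

def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password and split the hex digest into the 5-char prefix that
    is sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Turn a range response body into {suffix: count}; blank lines ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")

def fetch_range_live(prefix: str) -> str:
    """Real query against the HIBP range endpoint (needs network access).
    Add-Padding asks the server to pad the response so its size leaks nothing."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hygiene-audit-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)
```

Pass `fetch_range=fetch_range_live` to `breach_count` to run it against the real service; any non-zero result means the password is already in the stuffing lists and should be retired.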


Step 1: Pick a Password Manager and Commit to It

A 2024-2025 analysis of 19 billion exposed passwords found 94% are reused or duplicated. A password manager eliminates this by generating and storing a unique credential for every account. The setup cost is about an hour. The ongoing cost is near zero once it's in your muscle memory.

Two options I'd recommend:

Bitwarden is open source and free for individuals. The free tier covers everything most people need: unlimited passwords, cross-device sync, and browser extensions. You can also self-host it if you want full control over your data.

1Password is a paid option with a few features worth the cost: Travel Mode lets you hide specific vaults when crossing borders, and the family plan is well-designed for shared accounts.

Do not use LastPass. In 2022 attackers exfiltrated encrypted password vaults. Anyone with a weak master password is at ongoing risk. Move off it if you haven't already.

On browser password managers: Chrome, Safari, and Firefox all offer built-in password saving. These are fine for low-risk accounts. The problem is that every password syncs through your Google, Apple, or Microsoft account. If that account is compromised, every stored password goes with it. Use a dedicated manager for anything that matters: banking, email, healthcare portals, any account tied to your identity.

On migration: you don't have to do it all at once. Install the browser extension and let it capture passwords as you log in normally over the next two weeks. Your most-used accounts migrate themselves.


Step 2: Set a Strong Master Password

Your manager's master password is the one you have to remember, so make it both strong and memorable. A passphrase works well here.

Pick four or five random, unrelated words and string them together. "correct horse battery staple" is the classic example (and now too well-known to use, so pick your own). A random four-word passphrase has roughly 51 bits of entropy, comparable to a random eight-character password using upper, lower, numbers, and symbols, and significantly easier to type accurately under stress.

This is the one password where you do not want a generator doing the work. You need to be able to recall it from memory.


Step 3: Enable MFA Everywhere, but Understand the Hierarchy

MFA is not bulletproof, but it makes account compromise significantly harder for attackers. The types, in order of strength:

  • Passkeys: device-bound and phishing-resistant. No shared secret to steal. More widely supported now than in 2022. Enable them wherever offered.
  • Hardware keys (YubiKey): the strongest widely-available option. Require physical possession of the key.
  • Authenticator apps (Google Authenticator, Authy, or your password manager's built-in TOTP): time-based codes that expire every 30 seconds.
  • Push notifications (your bank's mobile app, Duo): convenient and slightly stronger than SMS since they require the physical device. Vulnerable to push fatigue attacks where an attacker triggers repeated prompts hoping you tap approve by accident. Never approve a push you did not initiate.
  • Email codes: a code sent to your inbox. Only as secure as your email account itself. If your email is compromised, this factor is too. Better than nothing, but treat it as a reason to make your email account your most protected account.
  • SMS codes: better than nothing, but vulnerable to SIM swapping. Avoid for high-value accounts if a stronger option exists.

At minimum: enable app-based MFA for your email account, your bank, and any account tied to government identity. Those three cover the highest-consequence compromise scenarios.


Step 4: Audit Your Third-Party App Connections

OAuth tokens for third-party apps connected to your Google or Microsoft account persist indefinitely unless you revoke them. A breach at any one of those third-party services means the attacker inherits that token's access to your account.

Spend 10 minutes in each account's third-party access or connected-apps settings:

Revoke anything you don't recognize or haven't used in the last year. You can always reconnect an app you actually need.


Step 5: Close the Accounts You Don't Use

Unused accounts are breach exposure you get nothing from. An account you haven't logged into in three years still holds your email address, possibly a password you reuse elsewhere, and whatever data you gave it at signup. When that service gets breached, you won't even get the notification letter because you've stopped checking that email. Every dormant account is a liability with no upside.

JustDeleteMe rates the difficulty of deleting accounts across hundreds of services and links directly to each deletion page. Start there.

This step is tedious. Do it anyway.


The 90-Minute Runbook

If you're starting from scratch, this is the order that gets you the most coverage for the time spent:

  1. Install Bitwarden (15 min) — create an account, set a passphrase as your master password, install the browser extension
  2. Move your top 10 accounts (30 min) — email, banking, social, healthcare, anything that stores payment info or personal data. Generate new unique passwords for each.
  3. Enable TOTP-based MFA (15 min) — email and banking accounts first. Use Bitwarden's built-in authenticator or a separate app.
  4. Run the third-party app audit (15 min) — Google and Apple accounts cover most people's exposure
  5. Queue up JustDeleteMe (15 min) — identify five accounts to close this week

The rest of your accounts migrate naturally as you log in over the next few weeks.

If you end up on the receiving end of a breach notification before you finish, the practitioner's runbook covers exactly what to do next.
