Imagine you're locked out of your Gmail account. Or posts appear on your Instagram, but you didn't make them. You get a bill from Amazon, but you didn't buy anything. A sinking sense of dread sets in: you're sure your account has been hacked.

It may not be so obvious at first that your account has been broken into.

Tip: Look for things online like:

• You get an email or notification that the email address linked to your account has been changed.
• You see purchases, messages, posts, or friend requests made through your account that you don’t remember making.
• Emails, posts, or likes are appearing or disappearing without your permission.
• Your account has been logged in to from a ‘new location’ where you haven’t been, or from a device you don’t recognize.
• Your password isn’t working even though you haven’t changed it.

Fear not! Protecting your account from being compromised or taken over is easier than you might think. Thieves, trolls, extortionists, jealous exes, and other people who want to access your social media, shopping, or other personal accounts mostly come in through the same “front door” you use: your sign in or log in.

Let’s go over some simple ways you can defend and lock your "front door" — or, even better, defend all of the ways of getting into your accounts.

Strengthen your digital “locks”: Passwords, multi-factor authentication, security questions, and “Sign in using...”

1. Choose strong, unique passwords

Because your usual account login is the most common way for bad actors to access your account, it's important to choose strong, unique passwords.

What do we mean by strong? Basically: long, not containing dictionary words, but containing letters, numbers, and other characters.

We say unique passwords are important because password re-use is the number one problem leading to account break-ins. Any password you re-use, or which can be found in a dictionary or list of names, cities, sports teams, etc., is likely to end up on a list that criminals are using to break into sign-in “doors.”

Want to learn more about how to create strong passwords? Check out this article.

2. Use a password manager to secure your accounts

Ideally, your passwords should be so complicated and unique that even you can't memorize them yourself. Instead, to keep track of them, you should use an encrypted password manager like 1Password, Bitwarden, or KeepassXC to store your passwords.

Want to learn more about how to use a password manager? Check out this article.

3. Turn on two-factor (2FA) or multi-factor (MFA) authentication

Many sites now let you use more than just a password to prove 'you' are you. A site may send you a text message, call you, or ask you to use an external app to verify it's you logging in. This is known as 2FA or MFA.

Setting up 2FA or MFA means that even if someone finds out your password, they probably won’t have the second factor they need to get in.

Learn more about multi-factor authentication at Authy or Two Factor Auth. Check out the security settings of your most-used sites and apps to see if you can set up 2FA/MFA. Start with the most important ones — any finance apps, or services like email, which you use to recover other accounts.

Tip: When setting up 2FA or MFA, you’ll need to select a second way of confirming it’s you. Try to avoid using SMS (text messages sent to your phone number) as your second factor, just in case you lose your phone.

4. Look up your account recovery questions and keep the answers secret

When you can, use account security questions that would be impossible for someone else to guess or find out the answers to. The answer to “What was the name of your first school?” might be found just by looking at your social media, if you've joined a group for your school.

In fact, a number of posts have circulated on social media that are designed to trap people into sharing their security answers — like posts asking you to list which cities you've lived in, names of your pets, cars you've owned, sports teams you're a fan of, etc. They may seem innocent, but it's better not to answer these questions.

A few more tips:

• As with passwords, try not to reuse the same security questions for multiple accounts.
• Some sites let you make up your own security question, which can let you come up with really obscure answers you'd never share elsewhere, like your secret fear, the name of your favorite childhood toy, or a joke you had with your best friend from high school. You might also consider using fake or made-up answers to your security questions, to be sure that no one could ever guess them.
• Some security recovery questions are much easier to answer when you still have access to your account, like, “When did you first open your account?” Writing this information down when you set up the account is a good way to make sure you have that answer when you need it.
• You can usually change these answers for an app, social media service, or other site. They will be in a section called something like “Settings,” which is usually labeled “Privacy” or “Account Security.” For example, to change the account security questions for Gmail:

• Sign in to myaccount.google.com →
• Menu →
• Security →
• Ways we can verify it’s you →
• You will find options here to add a recovery phone number, email address, and security question. You can decide whether you’d like to complete one or all.

5. Try to avoid ‘Sign in via Facebook’ or ‘Sign in via Google’

By now, a lot of us quickly open other apps and services using a button that lets us sign in using Facebook, Google, LinkedIn, or another service. It's just easier and more convenient.

But connecting your Google or Facebook accounts is like adding more doors or windows to your house: basically, there are now more ways to enter, which you need to keep locked.

Keep an eye on which accounts you have linked this way — there should be a section for them in the 'security' or 'privacy' settings of the Google, LinkedIn, Facebook, or other account you’re using to log in. It's a good idea to periodically clean out linked accounts that you no longer use, sites which have been breached, or other questionable connections.

For example, on Facebook go to:

• menu →
• Settings →
• Apps and Websites →
• Logged in with Facebook →
• Under Active, you can select any accounts you no longer want linked to your Facebook and click Remove.

6. Shrug off shoulder surfers

When you use your debit card at an ATM, you probably try to hide your PIN number. Just as you shield your PIN number from shoulder surfers (people who can peek over your shoulder), you should also do the same when you enter your PIN numbers or passwords on your phone.

This is also true of signing in to any account, or even unlocking your phone screen. For more tips on securing your screen lock, check out this article.